Norway’s Telenor will transfer the call data records of its 18 million Myanmar subscribers to a military-linked Lebanese company when it exits the country, raising alarm among activists who fear the junta will get its hands on the data and use it to make arrests.
The company announced on July 8 that it will sell its Myanmar operations to M1 Group, which has been criticised for running mobile networks under dictatorships in Syria, Sudan, and other authoritarian regimes where state surveillance is routine.
A UN Fact-Finding Mission identified M1 Group as a shareholder of Irrawaddy Green Towers, a company that leases phone towers to Mytel, which is part-owned by the military.
A Telenor spokesperson confirmed that the sale would include call data records.
“Telenor Group is selling the entire operations of Telenor Myanmar to M1 Group, which means that M1 will continue running the business and offer services to the customers,” the spokesperson told Myanmar Now. “The handover will include all assets, equipment, contracts and will also include call data records in accordance with the licence obligations.”
Call data records include the time and date of a call, the phone numbers of the parties, the call duration, the type of call (such as voice or SMS) and the place of a call. The location data shows which tower or site a call is made from and where it is made to. The records do not include the content of calls, messages or emails.
Experts and activists say the data could be highly dangerous in the hands of the junta.
“Who you have called and where you have been is very revealing information,” Lucy Purdon, Policy Director at the campaign group Privacy International, told Myanmar Now.
She noted that phone subscribers in Myanmar were obliged to provide ID cards and addresses when they registered SIM cards. “This makes people extremely vulnerable if shared with authorities,” she said.
Huge numbers of protesters and activists have been forced into hiding amid a campaign of mass killings, detention and torture aimed at crushing widespread resistance to the junta’s rule since February. Many now fear Telenor’s sale puts them at even greater risk.
“The junta can use location data to arrest people,” one activist and Telenor customer currently in hiding told Myanmar Now. “All my personal and organisational data will be exposed in this sale. It puts me and my contacts in danger.”
The military junta has barred telecommunications executives from leaving Myanmar without “special authorisation” and pressured them to install intercept technology that would enable the junta to conduct electronic surveillance, Reuters reported earlier this month.
Telenor’s sale, announced on July 8, will see M1 Group pay Telenor $105 million, of which $55 million is deferred over five years.
In response to the announcement, 464 civil society organisations sent an open letter to Telenor CEO Sigve Brekke and Norwegian Prime Minister Erna Solberg demanding the sale be cancelled.
Do Telenor Myanmar subscribers have the right to privacy?
The transfer of personal data to M1 Group may get “caught” in European privacy protections, according to an expert in Norwegian privacy law.
Telenor Myanmar is a subsidiary of Telenor Group, with ownership channelled through a Singapore holding company. Myanmar’s company registry lists Telenor ASA in Norway as the ultimate holding company.
The European Union’s General Data Protection Regulation (GDPR) covers the European Economic Area and so is incorporated into Norwegian law.
The GDPR regulates “processors” and “controllers” of personal data and establishes the rights of “data subjects”. These include the right to be informed about what personal data is collected and how it is used; the right to access one’s personal data; the right to erase one’s personal data and the right to object to how one’s personal data is used.
According to guidance issued by the European Data Protection Board, the GDPR applies to data processors and controllers in the EU, regardless of whether the data subjects are in the EU.
The guidance gives the example of a French company that developed an app exclusively for customers in North Africa. In this case, the GDPR applies to individuals in North Africa since their data is processed by a company in France.
For the GDPR to apply, processing must be carried out “in the context of the activities” of a company under Article 3(1) of the law, meaning there must be a connection between the company in Europe and the processing of the personal data.
For those reasons, the GDPR may apply to Telenor Myanmar, an expert in Norwegian privacy law told Myanmar Now.
“I do see that, ‘on paper’, Telenor seems to be caught by Article 3(1) of the GDPR, or at the very least, that Telenor will face difficulties arguing successfully that it is not so caught.”
The privacy expert noted that there is tension between the literal wording of Article 3(1) of the GDPR and the underlying rationale for the Regulation as a legal instrument for securing fundamental rights in Europe. “To the extent that the GDPR has extra-European scope, this is due essentially to a concern from EU law-makers to avoid circumvention of the fundamental rights of people in Europe.”
Asked if the sale to M1 Group breached the GDPR, the Telenor spokesperson said: “Telenor Group does not process personal data of Telenor Myanmar subscribers nor does Telenor Group process call data records of Telenor Myanmar subscribers.”
A description of Telenor’s privacy position, published online, says: “The Telenor entity that provides you with the service(s) that you normally use determines the purposes for and means by which your personal information is processed. Therefore this entity acts as the ‘data controller,’ as defined under EU laws.”
But the Norwegian privacy law expert raised doubts that Telenor would succeed in a claim that its Myanmar subsidiary was the sole controller or processor of personal data.
“Controllership can be shared between several legal entities, and it may well be that Telenor’s head company in Norway has exercised some influence on the data-processing decisions of its subsidiary in Myanmar, thus making the head company a joint controller. In terms of GDPR applicability, what matters is actual influence, regardless of the legal formalities,” the privacy law expert said.
A former Telenor Myanmar staff member told Myanmar Now that Telenor Group does have influence over Telenor Myanmar’s decision making with regard to handling personal data.
“The Group has a set of policies for all of its business units, such as the obligation to observe human rights, adherence to zero tolerance on corruption, and looking to the UN Guiding Principles for Business and Human Rights,” they said. “If your question is whether Telenor group has influence on Telenor Myanmar’s decision making on privacy, the answer is yes.”
Telenor’s former group privacy officer, Nicholai Kramer Pfeiffer, wrote on his LinkedIn page that he “introduced recurring assessment of all business units in Telenor… to monitor compliance and possible risks.”
Telenor did not immediately respond to a request for comment regarding the Group’s role in handling Myanmar users’ data.
The Norwegian Data Protection Authority, an independent public body that upholds privacy law, said it was unable to comment on whether Norwegian privacy law applies to Telenor’s sale to M1 without conducting a formal investigation.
“We believe that data protection is a fundamental human right that needs to be respected globally in all jurisdictions,” Tobias Judin, the authority’s Head of International, told Myanmar Now.
Telenor has built a reputation as an industry leader in responsible business. In Myanmar, this included publishing regular sustainability reports and transparency over censorship and internet shutdown orders.
“Telenor has undertaken continuous human rights due diligence on the situation in Myanmar and done its utmost to minimise adverse human rights impacts related to its operations in the country,” the Telenor spokesperson told Myanmar Now.
Telenor did not comment when asked about data retention periods, which relate to the right to be informed.
“Telenor stores this data in accordance with the licence obligations in Myanmar,” the Telenor spokesperson said.
Telenor did not immediately comment on whether they will seek user consent for the transfer of data to M1, which relates to the right to object and the right to erase.
However, Telenor CEO Sigve Brekke told NRK on Wednesday that the company cannot delete Myanmar user data and declined to comment on what the Mikati family (the owners of the M1 Group) will do with the historical call logs.
Advocates argue that Telenor should abide by the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises as part of their exit from Myanmar. The right to privacy is enshrined in Article 12 of the Universal Declaration of Human Rights, a document incorporated into the UN Guiding Principles as a minimum responsibility that businesses should meet. The OECD Guidelines list the right to privacy as a consumer interest that should be respected, advising companies to protect personal data.
“Under its commitment to human rights, Telenor does have the responsibility to both acknowledge these risks and take steps to minimise negative impact on human rights, including privacy and freedom of expression,” Lucy Purdon of Privacy International told Myanmar Now. “It would be expected that Telenor continues its human rights due diligence throughout the sale of the company and exiting the country.”
Matthew Bugher, Head of Asia Programme at Article 19, the freedom of information advocacy group, noted that Telenor has repeatedly affirmed its commitment to the UN Guiding Principles and said that the company should take steps to mitigate adverse impacts related to the sale. “We don’t have many details about Telenor’s sale to the M1 Group and hope that Telenor insists on building human rights protections into the sales contract,” he told Myanmar Now.
“However, the fact that Telenor cannot elaborate on M1 Group’s plans for user metadata is worrying. The very factors that led Telenor to conclude that it could not protect the human rights of its customers while operating in Myanmar are going to exert pressure on M1 Group,” Bugher said.
Myanmar Now put questions to M1 Group regarding their human rights due diligence, how they process and control personal data, the circumstances in which they would share data with the junta and their reported business links to the military and authoritarian regimes in Syria and Sudan. M1 did not immediately respond to requests for comment.
Telenor argues that their commitment to responsible business conduct is the reason they must sell their Myanmar subsidiary. A Telenor spokesperson described the decision as the “best possible solution in this situation.”
“The exit of Myanmar has been a very difficult decision but proves that we are not willing to compromise on our ethical standards and policies, as well as international laws,” a Telenor spokesperson told Myanmar Now. “Human rights impacts including data privacy have been a key part of our considerations leading up to the decision to sell.”
Chris Sidoti, a former member of the UN Fact-Finding Mission and a co-founder of the Special Advisory Council for Myanmar, said he believes that Telenor should not sell to M1.
“It’s a fix Telenor got themselves into and they are responsible for getting out of it in a way that does the least damage,” he told Myanmar Now. “In the short term, that means staying in Myanmar and operating with as much integrity as possible, under the appalling circumstances, until they can find a way to extract themselves without placing large numbers of people at risk.”
Left in the lurch
Activists, protesters and journalists in Myanmar feel exposed.
Since the February 1 coup, the junta has revoked the protections that previously existed under the Law Protecting the Privacy and Security of Citizens (2017).
According to a joint statement published in March by the International Commission of Jurists and Human Rights Watch, the junta has “removed basic protections including… the right to be free of warrantless surveillance and search and seizure.”
It is unclear what historical metadata the junta may already have access to. Myanmar Now asked Telenor if the junta has requested location data since February 1.
“We want to be as open as possible about our operations in Myanmar, but due to the current situation we are unable to comment on directives from authorities due to concerns about the safety of our employees,” a Telenor spokesperson told Myanmar Now.
Ko Ye, an activist and Telenor subscriber who is campaigning against the sale to M1 Group, told Myanmar Now he was afraid the junta would have easier access to his personal data after it is transferred to M1.
“Telenor has data on part of my life, through services I paid to use as their customer. I don’t give consent for them to transfer my data to M1 Group, who I do not trust,” Ko Ye said.