Telenor caught in GDPR conundrum over Myanmar subsidiary sale

Norwegian telecommunications firm Telenor has been trying to exit Myanmar since the military junta seized power in a coup on Feb. 1, 2021, but the sale of its operations can only take place with the consent of the Myanmar government. The telecom is currently awaiting final approval on a sale of its Myanmar-based subsidiary to Lebanese investment firm M1 Group, with an 80 percent controlling stake reportedly set to go to Myanmar conglomerate Shwe Byain Phyu.

In the past year, the Telenor subsidiary has been under pressure from the military to install intercept technologies, such as spyware, that would give authorities access to users’ information. All telecom operators in the country are required to do so.

Pro-democracy activists inside the country are worried that if the military has access to phone records, their safety is put at immediate risk. Telenor has so far refused to install the intercept technology, which would violate Norwegian and European Union sanctions.

It has also refused to ask its Myanmar-based employees to delete the data, as this would not only be a breach of local law but could put them at considerable risk.

‘No solutions without negative consequences’

An anonymous Myanmar citizen and Norwegian law firm SANDS, supported by the Netherlands-based Centre for Research on Multinational Corporations, have filed a complaint with the Norwegian Data Protection Authority alleging Telenor’s sale violates the EU’s General Data Protection Regulation (GDPR).

The complaint asks Norway’s privacy regulator to investigate and intervene to ensure the sale does not violate the right to privacy of its customers and put them at risk of exposure to military surveillance.

“Sudden and unexpected changes do take place throughout the world, as we are seeing in Ukraine today, and sadly this means sometimes even the best, most well-intentioned organizations can get caught out.”

Peter Galdies, Senior Consultant, DQM GRC

According to the complaint, under Article 3 of the GDPR—which determines the regulation’s territorial scope—customer data would still be covered by the law even if the processing is happening outside the European Union because Telenor, as a data controller, is based inside the region and directly oversees its Myanmar-based subsidiary. Further, when Telenor sells its subsidiary—including the data of its customers—it must accordingly ensure current data privacy rights remain in place after the sale, the complaint contends.

If successful, the complaint would require Telenor to delete or anonymize the data belonging to its more than 18 million Myanmar customers before selling the subsidiary—in direct conflict with local law.

In a Feb. 18 statement, Jørgen C. Arentz Rostrup, executive vice president and head of Telenor Asia, said given Myanmar’s descent into civil war, “No telecom company in the country, regardless of its owner, can over time maintain international standards.” He added, “Not responding to direct orders or complying with local law can have unacceptable consequences.”

“There are no solutions without negative consequences,” Rostrup said, and “no good alternatives to a sale.”

Expert commentary

Telenor’s troubles in Myanmar have wider ramifications for companies that operate under authoritarian regimes while needing to comply with the GDPR.

Peter Galdies, senior consultant at data compliance consultancy DQM GRC, said organizations operating in countries with authoritarian regimes need to conduct regular and systematic data protection impact assessments (DPIAs), as well as associated business risk assessments, to determine whether the level of data protection in the country they are operating in is equivalent to that within the European Economic Area.

“The DPIAs should consider all risks to the data subject’s (or customer’s) personal data rights and explain how any such risks are mitigated to an acceptable level,” he said. “It’s normally true that if the organization cannot mitigate the risks, then it must not undertake the processing without either seeking advice from its local data protection regulator or gaining specific consent from the data subjects having specifically explained the risks.”

Galdies added, “Sudden and unexpected changes do take place throughout the world, as we are seeing in Ukraine today, and sadly this means sometimes even the best, most well-intentioned organizations can get caught out.”

With specific reference to Telenor’s case, Galdies said Article 82 of the GDPR regarding a data subject’s right to compensation and corporate liability might exempt it from any liabilities if the company can prove “that it is not in any way responsible for the event giving rise to the damage” caused by processing that infringes the regulation.

If Telenor “can clearly show it was not aware of the risk of such a change to the processing locations regime, then it might have a suitable argument to bring to bear, though proving such a case is bound to be hard,” he said.