International corporations from liberal democracies face a choice when operating in authoritarian countries. Comply with government surveillance and censorship, or leave the country.
This decision has become urgent in Myanmar, where the Norwegian telecommunications company Telenor has been trying to untangle itself from the country since the junta seized power in a coup on February 1, 2021. In doing so, Telenor is torn between selling its Myanmar subsidiary quickly or protecting the millions of users whose data could end up in the hands of the military.
Now the company faces a new hurdle, one that could have broader implications for how European companies do business in illiberal countries.
On February 8, an anonymous Myanmar citizen and a Norwegian law firm filed a complaint with the Norwegian Data Protection Authority alleging that Telenor’s sale violates Europe’s General Data Protection Regulation, or GDPR, which applies to countries in the European Economic Area, which includes Norway. The complaint asks Norway’s state privacy agency to investigate and intervene to ensure that the sale does not violate the right to privacy of its customers and put them at risk of exposure to military surveillance.
If successful, the GDPR complaint would require Telenor to delete or anonymize the data belonging to its 18 million Myanmar customers before selling its Myanmar subsidiary. In doing so, it is poised to set a precedent for how European companies operate inside authoritarian regimes.
The tussle over Telenor’s exit from Myanmar is a microcosm of the struggle facing many executives at Western corporations interested in acting at least with a minimum of responsibility inside countries which challenge that impulse at every turn.
“What we are hoping to bring across to Telenor is indeed that it’s not not a question of wanting them to stay and continue to serve in that environment, but to act responsibly and act legally,” said Ketil Sellæg Ramberg, a privacy and data security law specialist at SANDS, the Norwegian law firm that filed the GDPR complaint.
WHAT IS TELENOR AND WHY ARE THEY SELLING?
The Norwegian government is a majority shareholder in Telenor Group. It’s subsidiary, Telenor Myanmar, is the second largest telecoms firm in the country with a population of over 54 million people.
Telenor has been trying to exit Myanmar because of military pressure to install intercept spyware that would give authorities a straight line of access to users’ information, which would violate Norwegian and EU sanctions.
Installing the intercept tech is “unacceptable” and “would constitute a breach of our values and standards as a company,” said Telenor Group in a press release in September 2021.
The likely buyers for control of Telenor Myanmar’s data are M1 Group, a Lebanese company with a history of doing business in authoritarian countries like Syria and Sudan, and Shwe Byain Phyu Group, a group of Myanmar companies with ties to the military involved in gem mining and petrol stations, The sale is expected to be finalized on February 15.
Human rights groups in Myanmar are strongly opposed to the new buyers. The lives of civil society activists and journalists are “endangered by this secretive sale to a military-linked conglomerate,” said Yadanar Maung, the spokesperson for the human rights group Justice For Myanmar.
“We are also concerned that Shwe Byain Phyu is a front for the junta, who want control of Telenor as a source of revenue, at a time when they are desperate for funds to finance their campaign of terror,” Maung added.
WHAT’S AT STAKE?
The junta has extensive control over telecoms companies in Myanmar. By law, the government can request user data without a warrant, intercept communications or take control of telecoms services in “emergency situations.”
This data is valuable to the military, which has been carrying out a brutal crackdown since it staged a coup that has killed over 1,500 people, according to the human rights group Assistance Association for Political Prisoners.
Authorities can use phone records and mobile payment receipts to map out pro-democracy networks, identify who is providing financial support to opposition groups and ultimately, target activists and squash dissent.
“They want it to crush the opposition,” said Oliver Spencer at the human rights group Free Expression Myanmar. “They want information about who’s criticizing the military and who’s organizing the military. And the Norwegian company owned by the Norwegian people is about to hand that information over.”
According to reporting by Myanmar Now, Telenor has complied with at least 200 requests for information by the junta-controlled Ministry of Transport and Communications since the coup. Some of these requests were for sensitive data, like the last recorded location of a phone number.
Despite this, Telenor does stand out as the most sensitive to data privacy concerns in a country where the junta has significant sway over the other two leading telecom options, said Spencer.
Telenor is “far better than their competitors in regards to the protection of data and therefore their users’ privacy. Without a doubt, they were far better,” Spencer said.
It’s not a high bar. The Myanmar government runs 50% of MPT, the largest telecoms provider. Another firm, Mytel, is owned half by the Myanmar military and half by the Vietnamese military. Mytel or MPT SIM cards are likely being monitored.
If Telenor leaves the market, people “will all be forced to use companies that are directly or indirectly controlled by the military. Then, of course, the military has access to everything that flows through those telecoms pipes,” Spencer told me.
WHAT’S THIS GDPR COMPLAINT ALL ABOUT?
A GDPR complaint is a consumer’s tool to hold European companies accountable for how their data is used and protected.
The major concern behind the complaint against Telenor is that, without proper privacy safeguards, the data of millions of users will be subject to surveillance by the junta in Myanmar, exposing activists, journalists and citizens and putting their safety at risk.
The use of GDPR in this context is unconventional. The privacy law is designed to protect EU residents and citizens, and it is rarely applied to international subsidiaries. But Ramberg, the law specialist at the firm that filed the complaint, argues that Telenor Myanmar is bound by GDPR because Telenor Group, based in Norway, has sufficient control over the company. “This actually has real life consequences for real life people,” said Ramberg, “This endangers people’s right to speak freely about issues that might not necessarily be in line with the dictatorship.”
The company disagrees, stating that Telenor Group “does not exert any control on the handling of customer data by Telenor Myanmar, and therefore GDPR does not apply to customer data in Myanmar,” wrote director of communications Cathrine Stang Lund.