Myanmar citizen files data protection complaint against Telenor for dangerous breach of privacy
Background
A Myanmar citizen has filed a complaint at the Norwegian Data Protection Authority against telecom multinational Telenor Group, seeking to halt the dangerous transfer of control over sensitive user data in the sale of its activities in Myanmar.
The complaint, filed by SANDS law firm on behalf of the Myanmar Telenor customer and supported by SOMO, contends the Norwegian company’s sale of its Myanmar subsidiary will violate the privacy of the over 18 million Telenor customers in Myanmar, in breach of the EU’s General Data Protection Regulation (GDPR), to which Norway adheres.
Telenor is selling its Myanmar business to the Lebanese company M1 Group, which has concerned activists. Reportedly, the sale will also involve a consortium led by Shwe Byain Phyu, a gems and petroleum trader with close ties to the military regime and no apparent experience running a telecommunications company. The sale is due to be completed by 15 February, according to media reports.
Ketil Sellæg Ramberg, privacy and data security law specialist at SANDS: “The complaint argues that the GDPR applies to the sale of Telenor’s Myanmar subsidiary. We ask the Norwegian Data Protection Authority to investigate the case urgently and use its powers to ensure that the rights of Telenor’s customers in Myanmar are not violated, as this could have very serious consequences.”
...
High stakes
The sale of Telenor Myanmar will bring Telenor Group 105 million USD, and the value includes the transfer of personal data. The complaint alleges that the sale would amount to a serious infringement of the GDPR, and Telenor could be fined up to 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. Based on Telenor’s 2020 revenue of 13 billion USD, this would be over 500 million USD.
How does the GDPR apply to the Telenor Myanmar sale?
GDPR article 3 provides the terms of when the GDPR is applicable, even if the processing is happening outside the EU-area:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
It is the complainant’s view that Telenor Group is responsible for the data processing happening in Myanmar based on the following:
- Telenor Group is a controller within the EU, and thus subject to the GDPR.
- Telenor Group exercise real and effective influence on how its subsidiary, Telenor Myanmar, process the data of its customers.
Furthermore, Telenor Group is the one deciding to sell Telenor Myanmar, and will also receive the revenue of the sale. When Telenor Group sells its subsidiary including the data of its customers, Telenor must accordingly ensure the right to privacy of the data.
OECD complaint
The GDPR complaint follows an OECD Guidelines complaint filed in July 2021 by SOMO on behalf of 474 Myanmar civil society organisations. It contends that Telenor’s sale breaches the OECD Guidelines, because the company failed to adequately mitigate the severe human rights risks to its customers in the context of its disengagement from Myanmar. Mediation offered by the Norwegian Contact Point for the OECD Guidelines to resolve the dispute about acute security risks to users has not been possible.