In Myanmar, the phone records of pro-democracy activists connect them together like suspects on a cork board. When many of those activists fled the military crackdown and went into hiding after the coup in February 2021, they believed the trails of phone calls, mapping out their association with family members and colleagues were safe on networks outside the military’s control. Now, they claim that data is in peril.
Like all telecoms companies, Myanmar’s four major operators keep a record of phone call metadata—information about who calls who, when and for how long. Pro-democracy campaigner Kyaw (not his real name), did not worry much about his metadata even when the coup shocked the country. The activist, who asked for his real name not to be published because he is afraid of being arrested by the military, believed his personal data was safe because he was using a sim card made by Telenor, a multinational headquartered in Norway—a country he associated with democracy and human rights.
But in July that sense of security was shattered when Telenor—the country’s second-largest telecoms business—announced it would leave Myanmar, selling 100 percent of the company to M1, a Lebanese investment group. For the following seven months, the company has been trying to escape Myanmar’s deteriorating security situation and military pressure to install surveillance equipment in its networks. But as Telenor joins other international companies rushing for the exit, the news of its departure prompted panic among human rights activists like Kyaw, who are worried their data could end up in the hands of the military as a result of the sale.
Activists have been scrambling to stop this from happening. More than 470 civil society groups from Myanmar filed a complaint against Telenor’s sale in July. That same month, Kyaw wrote a letter asking the company to delete his personal data—a request he believed Telenor would have to comply with because Norway complies with Europe’s GDPR privacy law. But Telenor’s reply, seen by WIRED, said the GDPR “does not in general apply to Telenor Myanmar,” frustrating Kyaw. “We are paying them, just like the people in the EU are paying but the treatment is very different,” he says. “The worry is that if the regime gets control of this data, they will be able to root out the networks,” says Joseph Wilde-Ramsing, senior researcher at SOMO, a Dutch group that investigates the ethics of multinationals and is helping Kyaw with his case. “If they get one person and they find out the number then they can see who that number has been in contact with and they can track down the family members and the network contacts and the other activists and use that information to target people.”
This week, Kyaw is trying a new approach. On February 8, he filed a legal complaint—in which his real name is redacted—arguing that Telenor’s Myanmar business is subject to GDPR as a subsidiary of a Norwegian company. The complaint, filed to the Norwegian data protection authority, highlights how the telecoms giant has become trapped between wanting to leave Myanmar as quickly as possible and its responsibility to the users who believe the military could use its data to track them down.
“We understand Telenor wants to leave,” says Ketil Sellæg Ramberg, a partner at SANDS law firm in Oslo who is working on the case. “Our concern is they are leaving the country without safeguarding the data of the 18 to 19 million customers,” Ramberg says the complaint is an attempt to inspire the Norwegian data authority to intervene and to prove the Norwegian-headquartered group has control over the data processing in Myanmar—a claim Telenor denies. “None of the data is handled in Norway or the EU and GDPR does not apply to Telenor Myanmar’s customer data handling,” says Telenor spokesperson David Fidjeland.