Telenor sold its Myanmar subsidiary a year after the 2021 military coup that saw the civilian government, voted into power in 2010, deposed. For months after the coup, the company—which first entered the country in 2014 during a period of democratization—faced pressure from civil society to honor its commitments to human rights by protecting users from the junta’s orders to spy on citizens and shut down the internet.

Telenor provided thorough documentationof the human rights challenges it faced in Myanmar since 2014, including a list of shutdown orders. In addition to the pressures it faced from the authorities, Telenor's decision to leave triggered a backlash from human rights activists, who have emphasized the risks of transferring the data of millions of users to Lebanon’s M1 Group, the company to which it sold its subsidiary. M1 has since transferred control of 80% of the operation to a local military-linked company, the Shwe Byain Phyu conglomerate. To mitigate the crisis, the company has reached an agreement with civil society organizations from Myanmar to provide training and support to former clients and employees there.

With Telenor operating in several higher-risk markets with regard to human rights, it was transparent about why it shuts down its network, how it responds to government demands to do so, and the number of government shutdown orders it received and complied with. Telenor also shared detailed information about how it managed government demands for content or account restrictions and for user information. Yet it released only some data about the nature and volume of the government demands it received.

The Norwegian telecom giant’s setback in Myanmar did not impede the company’s Asian expansion. In November of 2021, Telenor agreed to merge its Thai telecom unit with that of Thailand-based conglomerate Charoen Pokphand Group, creating the largest mobile carrier in the kingdom, with 51 million users. In October, the merger was approved by the Thai telecom regulator, almost one year after the initial announcement. In June, Malaysia’s telco regulator approved a merger between Digi and Celcom, the Malaysian mobile operators of Telenor and Axiata, respectively. The new entity will form the country’s biggest player in the sector.

By 2021, Telenor’s Asian operations already accounted for around half of the company’s annual revenue. This year, the company announced the formation of Singapore-based Telenor Asia, an independent regional hub that will lead the company’s operations in Bangladesh, Malaysia, Pakistan, and Thailand.

In 2021, Telenor received a reprimand from the Norwegian Data Protection Authority, as the company failed to report a vulnerability in the protection of personal data for its voicemail service, leading to data breaches affecting about 1.3 million subscribers. Meanwhile, the company revealed nothing about what measures it has in place to handle data breaches.

Key takeaways

Through its annual “Authority Requests Disclosure Report,” Telenor shared how it manages government demands for user information and certain kinds of account restrictions. The report also revealed more detailed information about how the company responds to government shutdown orders than the majority of companies we rank. However, the company did not state whether or not it responds to private requests for user information or for content or account restrictions.
Telenor disclosed little about how it enforces its policies governing advertising content and targeted advertising. The company also failed to publish any operational-level policy to guide the development and deployment of its algorithmic systems.
The company was less transparent about how it protects user information than its European and U.S. peers, with the exception of Orange. It was notably opaque about its security measures and practices. The company also kept silent about what information it infers from users and what measures it will take in the event of a data breach.

Key recommendations

Improve human rights due diligence. Telenor should conduct regular, comprehensive, and credible due diligence to identify the human rights risks of its various operations, particularly as it enters and exits markets in Asia.

Publish data on content rule enforcement. Telenor should publish data about the volume of content and accounts it restricts for violating company policies.
Clarify company policies for the handling of user data. Telenor should clearly disclose what options users have to control the user data it collects and processes—including for targeted advertising.

Services evaluated:

Telenor Norway (Prepaid mobile)
Telenor Norway (Postpaid mobile)
Telenor Norway (Fixed-line broadband)

Operating company evaluated: Telenor NorwayFor telecommunications companies, the RDR Index evaluates relevant policies of the parent company, the operating company, and selected services of that operating company.
Market cap: $23.51 billion (as of November 4, 2022)
OSE, based in Oslo: TEL
Read more about how stock structures can be a barrier to shareholder participation
Website: https://www.telenor.com

The 2022 Telco Giants Scorecard covers policies that were active on June 1, 2022. Policies that came into effect after June 1, 2022, were not evaluated for this scorecard.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

Lead researchers: Jie Zhang, Farah Rasmi

Download data and sources

Changes since 2020

The company’s updated privacy policy clarified what types of information it collects directly from users and for what purposes.
Telenor’s annual “Authority Request Disclosure Report” did not list the names of the government authorities who ordered shutdowns, as it had in previous years. The report was also vague about the types of information the governments sought in their demands. Finally, the data shared in the report was no longer available as a structured file.

Scores since 2017

Most companies’ scores dropped between 2019 and 2020 with the inclusion of our new indicators on targeted advertising and algorithmic systems. To learn more, please visit our Methodology development archive.

Governance

Freedom of expression

Privacy

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 64%

Telenor was significantly more transparent about its governance than about its practices and policies regarding freedom of expression and privacy. The company had policies in place for oversight and internal implementation of its human rights commitments (G2, G3). Although Telenor revealed that it conducts a thorough human rights risk assessment of the regulatory and policy landscapes in which it operates (G4a), these assessments did not tackle the risks associated with targeted advertising, algorithmic systems, and zero-rating services, or with its own processes for policy enforcement (G4b, G4c, G4d, G4e).

Indicators

G1. Policy commitment

83%

G2. Governance and management oversight

100%

G3. Internal implementation

100%

16%

G5. Stakeholder engagement and accountability

50%

33%

Freedom of expression 26%

Telenor shared detailed information about the network shutdown orders it received (F10), but it lacked transparency on its processes for policy enforcement affecting freedom of expression more broadly. The company failed to publish adequate rules outlining its use of targeted advertising or advertising content (F1b, F1c, F2b, F2c, F3b, F3c). Although Telenor released some data about the accounts it restricted to comply with government demands (F5a), it did not provide any data about content, advertisements, or accounts restricted to enforce its own policies (F4a, F4b, F4c).

Indicators

46%

13%

23%

39%

F6. Data about government demands to restrict for content and accounts

40%

F7. Data about private requests for content or account restriction

F8. User notification about content and account restriction

33%

F9. Network management (telecommunications companies)

25%

F10. Network shutdown (telecommunications companies)

63%

F11. Identity policy

F12. Algorithmic content curation, recommendation, and/or ranking systems

F13. Automated software agents (“bots”)

Privacy 30%

Despite some improvement in its privacy policy, Telenor still provided only partial information about how it collects, shares, or retains user information (P3a, P4, P6, P9) and offered only limited options for users to manage and control their own data (P7). Meanwhile, Telenor disclosed the least amount of information about data security policies among European and U.S. telecommunication companies. The company was silent about how it responds to data breaches (P15).