Handling access requests from authorities

In each country where Telenor operates, law enforcement agencies (LEAs) and other authorities have the legal power to access the personal data we possess or information from our networks.

Authority Request Access Report 2016

Authority Request Access Report 2015

Authority requests for access to electronic communication 2017 – Legal overview, PDF

Authority requests for access to electronic communication 2015 – Legal overview, PDF

Authority requests for access to electronic communication 2015 – Country data, PDF

This information is typically used to solve criminal cases, prevent serious security threats or help find missing people.  While the duty to protect human rights, such as privacy and freedom of expression, rests with the authorities, we must also acknowledge the challenges that may arise if authorities excessively use their power to access data. Therefore we work to maintain and develop our internal routines and discuss the challenges we face with relevant stakeholders. This section provides further detail on how we work to respect privacy and freedom of expression when we get requests from authorities.

The importance of privacy and freedom of expression 

Respect for human rights is important to how we operate. Our long standing commitment and systematic work is guided by international frameworks such as the UN Guiding Principles on Business and Human Rights (UNGPs). In Telenor, we understand the significant opportunities that access to mobile and internet brings to people in our 13 markets. At the same time, it is important for us to understand and address the risks we face that may impact people’s rights negatively. Privacy and freedom of express are two rights that are key to our core business of communications, and it is important to us that our customers and stakeholders know that we do our best to respect these rights. We are dedicated to the professional, secure and respectful handling of personal data in our day-to-day business operations. Our responsibility naturally extends to situations where law enforcement agencies (LEAs) and other authorities request access to personal data or information from our networks.

What this means 

In all our markets law enforcement agencies (LEAs) and other authorities have legal powers to access personal data or information we hold in our networks. This means that as a provider of telecommunications, Telenor may have to assist law enforcement and other government agencies in ways that can impact people’s privacy and freedom of expression. These legal obligations include disclosing customer information to government authorities and allowing law enforcement officials to hear phone calls or read electronic messages. This is often referred to as access to historical data and lawful interception, respectively.This is typically used to solve criminal cases, prevent serious security threats or help find missing people. We recognize that this serves vital societal needs, and that our networks and data can provide information that is important for the authorities. At the same time, we recognize that there may be circumstances in which otherwise legitimate rights to access may be misused by authorities.

This means that there are some instances in which it might be challenging to maintain a balance between privacy and the interests of authorities. When a conflict regarding access to information arises, Telenor does its best to apply the higher standard, as outlined in the U.N. Guiding Principles for Business and Human Rights. In the section below you’ll find more information on how this is done.

Another type of request we may get is to shut down the network. Telenor does not advocate the shutdown of its networks and believes that it is in the best interest of its customers to minimize disruption of its services. However, in extraordinary circumstances a government may require a network shutdown to protect its citizens from terrorism or other serious safety or security threats.

Telenor may also receive censorship requests to block access to a website, for example. While we believe that blocking child sexual abuse material may help address a serious criminal activity, requests to block political content, for example, present challenges. Finally, we may be asked to send out information on behalf of the authorities, for example a flood warning via SMS. These types of messages can save lives during natural disasters for instance, and we believe it is important to support spreading this type of information. However it is problematic if messages from authorities amount to political propaganda, something that we do not support. For a more detailed description of the types of legal powers authorities’ have please see Authority requests for access to electronic communication – legal overview. In order to respect human rights, including privacy and freedom of expression, authorities’ access to our data and networks should be clearly stipulated in law and regulations. In addition to the principle of legitimacy, requests should be based on an assessment of necessity. The means chosen should be proportionate to the issue at hand. Finally, we find great value in independent oversight mechanisms to monitor that requests are in accordance with the spirit and purpose of relevant laws and regulations. We also encourage the public reporting of the findings from such oversight mechanisms.

How we respond 

In order to address requests from authorities for customer data or access to our networks professionally and systematically we have applied Group-wide requirements to all the mobile operators in which we have operational control. These mandatory requirements are part of our governance framework and are included in our Policies and Manuals. While such requirements have been in place for a long time, we continuously work to improve them. For example, we have aligned our requirements with the Industry Dialogue Guiding Principles after they were published in 2013. We also engage with our companies on a regular basis to understand local laws, processes and how our requirements can best address potential challenges.

The purpose of our Manual on Handling Authority Requests is to ensure proper handling of such authority requests in order to limit the risk that our companies’ networks are being used to impose illegitimate restrictions to privacy or freedom of expression. It covers all four types of authority requests set out above.  It includes requirements relating to:

  • Organisation – including dedicated function (s), reporting to top management, staffed with qualified personnel
  • Handling – including checking legal basis and risk of serious human rights impact, challenge and escalation criteria
  • Consultation with Group – including process for notification in cases posing significant risk
  • Information – including regular updates to company CEO
  • Record keeping – including legal basis and process steps taken
  • Risk assessment & mitigation – including regular reviews of legal frameworks, update of processes, and long-term strategies to minimise negative impact

To the extent legally possible and information available (no direct access), companies also report on an aggregated level the number of requests received annually in the Group non-financial reporting system.

Our routines 

At Telenor Group we find that implementation is the key to ensuring that we properly handle requests from authorities. This requires continuous improvement. We do so through a system of clear top management ownership, dedicated personnel both at Group and company levels, and systems for checking compliance.

As set out in our internal requirements, ownership for these issues is to be at CxO-level, and regular updates are to be provided to our CEOs. Updates are also given at Board of Directors-level, for example in the Ethics and Sustainability Committee. When such updates are made, the administration reviews how routines are working and the challenges we face.

Through our Group Privacy Officer and the local Privacy Officers in all our markets, we follow up the implementation of our requirements in detail. For example, we run workshops to discuss key challenges and facilitate learning across markets. We also have guidelines and other tools to aid implementation. In addition to the Privacy Officers, we have dedicated personnel both at Group and company level, and we initiate projects on specific issues as needed.

We also believe that training is crucial, so we conduct regular training for key personnel, as well as awareness sessions for various parts of the organization. In terms of awareness and information for our customers, we share information on this website as well as local company websites.

Risk assessments are also important to help us identify challenges and implement mitigating actions. These can take place at many levels, and range from overall human rights due diligence activities to project- or issue-specific risk assessments.

Finally, we run annual compliance checks. For example, we have developed a scorecard for all business units to ensure that requirements are implemented. This may be complemented by internal audits. Our internal audit function can run audits on any policy area, including authority requests, and report the findings to the Group management and Board of Directors.

Input from all of the processes described above are typically reported during our annual review of relevant policies and manuals.

Working with stakeholders 

In Telenor Group, we believe that it is important to address challenges related to authority requests with external stakeholders.

As stipulated in the UN Guiding Principles on Business and Human Rights, governments have a duty to protect human rights. In Telenor we believe this duty extends to authorities and their requests for personal data or access to our networks. We recognize the legitimate needs on which these requests are based and see that good processes for releasing information are important to minimize risks to people’s rights. That’s why we place importance on the positive dialogue with relevant authorities in our markets, and we encourage authorities to join the international discussions on these issues.

We also believe that it is important to engage with a range of stakeholders. For example, intergovernmental organisations (IGOs) can play an important role in facilitating discussions on what good practice looks like in this space. Non-governmental organization (NGOs), academics and others can, for example, bring important insight as to how current practice of laws actually impacts people on the ground. Telenor believes that in cases where laws are being drafted or revised, it is important to draw on these insights and views through public hearings.

Also, we find great value in working with peers, sharing experiences and learning about how other companies handle particular dilemmas. As a founding member of the Telecommunications Industry Dialogue on Freedom of Expression and Privacy (ID), we have experienced firsthand the importance of discussing challenges in this space and recognize that there is great value in discussing with and learning from other stakeholders. Learn more about how we work with the ID Guiding Principles in our annual report.

What we report 

In Telenor Group, we place importance on being open about how we address authority requests, the challenges we face, the requirements we have in place and the dialogue in which we engage. We are continually working to improve our disclosure of information and hope that you will find relevant information on this page.

You can find our annual reporting on human rights, including privacy and freedom of expression, in the sustainability section of our Annual Report.

More detailed reporting on how we work with privacy and freedom of expression (in the context of authority requests) can be found in our annual report. This information is aligned with the Guiding Principles of the Telecommunications Industry Dialogue on Freedom of Expression and Privacy (ID).

We also believe that information on the legal frameworks that apply in our markets is valuable. To complement existing overviews by other operators and the ID, we have provided such an overview for ten of our markets. The research is conducted by international law firm Hogan Lovells.

For the first time, we also provide a summary per country of the core legal and regulatory requirements and, in the countries where we are able to so, we disclose the number of requests received for communications data and lawful interception.

Finally, we seek to be open about major events to the extent we are able. Typically we communicate about interruptions to our companies’ services, due to authority requests. Our policy is to be open, but there are times when we are legally prohibited from sharing information about requests or in which the risk is found to be too great. We truly regret any inconvenience any such interruption may cause for our customers and society at large, and always work hard to restore services as soon as we can.