A study by the Dutch Data
Protection Authority (CBP) has uncovered a series of data violations at KPN, Tele2 Netherlands,
T-Mobile Netherlands and Vodafone Netherlands. The study was launched
in 2011 following reports about deep packet inspection (DPI) on mobile
networks. According to the study, companies often kept data too long or did not
anonymise fast enough. Tele2 Netherlands used data for marketing purposes, contrary
to the law. KPN is the only company which addressed and resolved all the issues
The CBP found companies stored customer data such as visited websites or used apps, in violation
to the Personal Data Protection Act (Wbp) and the Telecommunications Act (Tw). According
to legislation, such data must be either deleted or irreversibly anonymised as
quickly as possible. The study also said that
customers were not or were incorrectly informed about the data operators were
collecting, showing a lack of transparency. The data can say much about
consumer behaviour and choices.
Part of the
infringements found in the study have been addressed and resolved as a result
of the investigation. The CBP now wants to check which violations still
persist and what enforcement measures it should take.
KPN violated the law by not
irreversibly anonimising data fast enough. The company halted the equipment used to collect data on website
visits and apps used during the investigation and saud ut was now using equipment that
anonimises data as quickly as possible after collection.
The CBP found multiple
violations at Tele2 Netherlands, with one still ongoing. Tele2 NL does encrypt
customer data concerning website visits or apps used, but not quickly enough. The operator was found to keep customer data for one year and to use it for market research purposes
without informing customers.
As a result of the study, Tele2 NL
introduced a general privacy statement to inform subscribers. Nevertheless,
during maintenance and/or malfunction work, the personal data can be accessed
by a third party outside the European Union where there are no similar data
protection laws. Tele2 NL said it is taking steps to end this violation.
T-Mobile Netherlands has
resolved a number of violations as a result of the investigation. The company
still not does not destroy email addresses as quickly as it should. And, although it has altered its privacy statement, it is still not
clear about data retention periods.
Vodafone Netherlands also resolved a number of violations following the investigation. And yet, the
company still keeps data longer than it
needs to detect and solve network problems (network monitoring), and is therefore still in
violation of the law. During the investigation, the CBP found that Vodafone NL kept
detailed personal data regarding site visits and apps used. Vodafone NL has since then said it no longer does this. It has also improved its privacy statement and mandatory reporting process to the CBP over
In May 2011, KPN
introduced a controversial presentation about the increasing use of WhatsApp among
its customers. The analysis looked at network traffic and raised many eyebrows.
Both the Office of the Prosecutor (OM) and
Opta quickly launched an investigation, without considering KPN as a a suspect.
KPN cooperated with all these investigations.
According to the OM, KPN carried out DPI in a way that was not against the
law. Opta also found no violation but referred the matter to the CBP to confirm
there were no violations against privacy. The CBP broadened the
investigation to four operators, looking less for penalties and
fines but more at how companies were improving their practices and complying
KPN said earlier that it did
not look into the content of any customer communication. The CBP confirmed the company did not violate any rules.
The CBP did find a few other
violations, namely, that KPN did not adapt its privacy statement and CBP reports to data analysis techniques in a timely fashion. The CBP also noted that in
2011, KPN misused network traffic data when putting together the WhatsApp report,
which set the whole investigative ball rolling. CBP also believed that KPN retained
some personal data longer than necessary for network planning and management. KPN
resolved all of these points during the study.
KPN NL MD Joost Farwerck
said the company was pleased with the report which confirmed that the company
did not unlawfully view customer content. KPN emphasised the
importance of network management to guide how the growing amount of data should
be handled, and how customer services could be kept at an optimal level. KPN noted
that the CBP was the first regulator in Europe to look at the issue in so
thorough a manner, bringing clarity on how data analysis should be conducted.
Tele2 NL said it was taking the report
and its conclusions very seriously and that it would study the findings very carefully. Tele2 NL
uses data analysis for its network management. It collects data such as device type, apps used, visited web domains, and data usage at any given time.
The data is stored in encrypted form for analysis.
Tele2 NL said that
legally, it fully agrees on the need to make data anonymous and that the
discussion with CBP now focused mainly on the technique used to encrypt data. The
company denies it used any of the data for marketing purposes or for launching
promotions, stating the data was used solely for network management.
Concerning data access by a third party outside of the EU, a spokesperson for Tele2 NL responded by saying
that the platform used for encrypting the data was provided by an US company. The US company did acess to the
platform for maintenance and updates, but not for "batches of data going back and forth."
Tele2 NL does not plan to change
data retention periods but will clarify its privacy statement.
We welcome comments that add value to the discussion. We attempt to block comments that use offensive language or appear to be spam, and our editors frequently review the comments to ensure they are appropriate. If you see a comment that you believe is inappropriate to the discussion, you can bring it to our attention by using the report abuse links. As the comments are written and submitted by visitors of the Telecompaper website, they in no way represent the opinion of Telecompaper.
We have been keeping professionals in the telecoms industry up-to-date since 2000. Telecompaper is a well respected, independent research and publishing company focussed on the telecommunications industry.
3995 AA Houten
Phone: +31 30 6349600
Fax: +31 30 6349699
P.O. Box 356
3990 GD Houten
© 2000 - 2014 Telecom.paper BV. All rights reserved.
Telecompaper is a trademark of Telecom.paper BV. No part of this site can be reproduced without
the expressed permission of Telecom.paper BV. Our General Terms and Conditions can be found here.
Terms and Conditions