
Dutch mobile operators violated privacy laws - CBP

Thursday 4 July 2013 | 12:16 CET | News

 A study by the Dutch Data Protection Authority (CBP) has uncovered a series of data violations at KPN, Tele2 Netherlands, T-Mobile Netherlands and Vodafone Netherlands. The study was launched in 2011 following reports about deep packet inspection (DPI) on mobile networks. According to the study, companies often kept data too long or did not anonymise fast enough. Tele2 Netherlands used data for marketing purposes, contrary to the law. KPN is the only company which addressed and resolved all the issues raised.

The CBP found companies stored customer data such as visited websites or used apps, in violation of the Personal Data Protection Act (Wbp) and the Telecommunications Act (Tw). According to legislation, such data must be either deleted or irreversibly anonymised as quickly as possible. The study also said that customers were not or were incorrectly informed about the data operators were collecting, showing a lack of transparency. The data can say much about consumer behaviour and choices.

Part of the infringements found in the study have been addressed and resolved as a result of the investigation. The CBP now wants to check which violations still persist and what enforcement measures it should take.

KPN

KPN violated the law by not irreversibly anonymising data fast enough. The company halted the equipment used to collect data on website visits and apps used during the investigation and said it was now using equipment that anonymises data as quickly as possible after collection.

Tele2 Netherlands

The CBP found multiple violations at Tele2 Netherlands, with one still ongoing. Tele2 NL does encrypt customer data concerning website visits or apps used, but not quickly enough. The operator was found to keep customer data for one year and to use it for market research purposes without informing customers.

As a result of the study, Tele2 NL introduced a general privacy statement to inform subscribers. Nevertheless, during maintenance and/or malfunction work, the personal data can be accessed by a third party outside the European Union where there are no similar data protection laws. Tele2 NL said it is taking steps to end this violation. 

T-Mobile Netherlands 

T-Mobile Netherlands has resolved a number of violations as a result of the investigation. The company still does not destroy email addresses as quickly as it should. And, although it has altered its privacy statement, it is still not clear about data retention periods.

Vodafone Netherlands

Vodafone Netherlands also resolved a number of violations following the investigation. And yet, the company still keeps data longer than it needs to detect and solve network problems (network monitoring), and is therefore still in violation of the law. During the investigation, the CBP found that Vodafone NL kept detailed personal data regarding site visits and apps used. Vodafone NL has since then said it no longer does this. It has also improved its privacy statement and mandatory reporting process to the CBP over data.

Investigation conducted by the Dutch Public Prosecutor, Opta and CBP

In May 2011, KPN introduced a controversial presentation about the increasing use of WhatsApp among its customers. The analysis looked at network traffic and raised many eyebrows. Both the Office of the Prosecutor (OM) and Opta quickly launched an investigation, without considering KPN as a suspect. KPN cooperated with all these investigations.

According to the OM, KPN carried out DPI in a way that was not against the law. Opta also found no violation but referred the matter to the CBP to confirm there were no violations against privacy. The CBP broadened the investigation to four operators, looking less for penalties and fines but more at how companies were improving their practices and complying with legislation. 

Responses from market parties 

KPN said earlier that it did not look into the content of any customer communication. The CBP confirmed the company did not violate any rules.

The CBP did find a few other violations, namely, that KPN did not adapt its privacy statement and CBP reports to data analysis techniques in a timely fashion. The CBP also noted that in 2011, KPN misused network traffic data when putting together the WhatsApp report, which set the whole investigative ball rolling. CBP also believed that KPN retained some personal data longer than necessary for network planning and management. KPN resolved all of these points during the study.

KPN NL MD Joost Farwerck said the company was pleased with the report which confirmed that the company did not unlawfully view customer content. KPN emphasised the importance of network management to guide how the growing amount of data should be handled, and how customer services could be kept at an optimal level. KPN noted that the CBP was the first regulator in Europe to look at the issue in so thorough a manner, bringing clarity on how data analysis should be conducted. 

Tele2 NL: no marketing goals

Tele2 NL said it was taking the report and its conclusions very seriously and that it would study the findings very carefully. Tele2 NL uses data analysis for its network management. It collects data such as device type, apps used, visited web domains, and data usage at any given time. The data is stored in encrypted form for analysis.

Tele2 NL said that legally, it fully agrees on the need to make data anonymous and that the discussion with CBP now focused mainly on the technique used to encrypt data. The company denies it used any of the data for marketing purposes or for launching promotions, stating the data was used solely for network management.

Concerning data access by a third party outside of the EU, a spokesperson for Tele2 NL responded by saying that the platform used for encrypting the data was provided by a US company. The US company did have access to the platform for maintenance and updates, but not for "batches of data going back and forth."

Tele2 NL does not plan to change data retention periods but will clarify its privacy statement. 

Vodafone NL: IMEI numbers

A Vodafone NL spokesperson said the company is in talks with its supplier about one last issue, that of the IMEI number. According to the CBP, the last two digits of the IMEI number can be traceable to a device, and therefore to a person. Vodafone NL said it will anonymise this information but did not provide a time frame.

Categories: Mobile & Wireless
Companies: KPN / OPTA / Tele2 / T-Mobile / Vodafone
Countries: Netherlands