With a few exceptions, the one device that we all have a relatively close and lasting relationship with is the smartphone. This device can collect a large quantity and variety of data about us, which can then be used to generate further value in various ways.

The collected data can reveal a vast range of personal information: location data, internet browsing data, biometric data, behavioural data, etc. From this data some of the most sensitive information can be inferred, such as sexual orientation, political persuasion, membership of a vulnerable minority, or health status. This information can then be used to reach the user with targeted messages. The most frequently cited example is Cambridge Analytica, the British agency that received the personal data of more than 50 million users from Facebook in 2016 and attempted to influence the US presidential election from which Donald Trump emerged victorious.

In recent years, there has been some progress in data protection, thanks to innovations introduced by the European Union (above all, the introduction of the GDPR in 2018) as well as initiatives taken by large tech companies. In 2019, for example, Apple decided to make it more difficult to geolocate users through the apps in its App Store. While this does indeed protect user privacy, it has also been seen as a strategy to cause trouble for companies that provide similar services.

Why companies collect our data

Just like when phones weren’t so “smart”, phone owners need to subscribe to an operator to use their device. Each country has a range of providers to choose from, each with their own corporate affiliations of varying size, and their own policy for handling personal data.

The latter is a particularly sensitive subject for phone companies; they can use private data for profiling purposes, in order to create ‘tailor-made’ services or targeted advertising, or they can give or sell such data to other companies. The latter can then use this data to generate further value, for instance by providing names to call centres which will then contact the phone user with often undesired commercial proposals.

Legal, illegal and problematic practices

This market’s importance for phone companies (and others too) is clear enough from all the scandals involving unscrupulous policies that have emerged over the years. One example is Telefónica, a Spanish company that developed an app for the German market encouraging users to share their personal data.

The EU’s introduction of the General Data Protection Regulation (GDPR) has made such practices riskier, making companies liable to fines from national privacy authorities. Despite this, problematic cases periodically still emerge in every sector. Sticking with phone companies, a Netzpolitik investigation in 2021 revealed that in Germany the company O2 tended to present customers with a series of pre-checked options allowing all possible uses of their personal data.

In another sense, the importance of personal data emerged during the pandemic when phone companies shared aggregated location data with the authorities, without really explaining how this data would be used and for how long. This was obviously anonymised data, but several recent studies seem to confirm experts’ concerns about the possibility of re-identifying people even within these large datasets. While this does not mean data is actually being de-anonymised, the mere possibility presents a clear threat, especially at a time when cyber-attacks are increasingly common .

What privacy policies can tell us

How many of us actually read and understand all the authorisations and clauses we consent to when we buy a sim card or switch to a new operator? With this question in mind, we decided to analyse the privacy policies of telecommunications companies that concern the services and apps that nearly all operators encourage you to install to manage your profile, assessing the amount and type of data collected, and the completeness of information.

Problems arise when during the subscription process users tick a box authorising, for instance, the processing of their data for commercial purposes. In such cases, telephone companies may use personal data, as well as navigation and location data, to identify buying habits or preferences and show targeted advertisements. The data may also be transferred to third parties (often difficult to identify or described in a generic way) who in turn may use the data for commercial purposes. In some cases, data is used for these purposes even several years after the contract has been terminated.

Phone companies often invite users to download smartphone apps to monitor their remaining credit, the status of active deals and much more. These apps have their own privacy policies, sometimes specific, sometimes similar or identical to the service policy. However, they also often contain a tool that allows them to track activities by the users: trackers. Trackers are softwares that collect information about the person using the app, and there are various types of them. The most controversial ones in terms of data protection collect information for the purpose of identifying the user and create a profile for targeted advertising, and locate the mobile device. A tool developed by εxodus allows us anyone to analyse the apps concerned and discover which and how many trackers they contain.

Penalties for unlawful practices

To date, several large fines have been issued against telephone companies by national authorities for GDPR violations. In 2020, the Italian Data Protection Authority fined TIM just under 28 million euro after repeated complaints from users about receiving unwanted commercial phone calls as a result of violations in the management of user data. In 2021, a fine of 4.5 million euro was imposed on Fastweb for similar reasons. In 2020, the Polish authority imposed a fine of 443,000 euro on Virgin Mobile for failing to ensure the security of subscribers’ personal data. In 2021 the French national authority punished Free Mobile with a 300,000 euro fine for failing to guarantee the right to view and opt out of data processing. Finally, the most recent case concerns the affiliated Greek companies Cosmote and Ote, fined 6 million euro and 3.25 million euro respectively for a series of irregularities that emerged following a cyber attack causing the loss of 30 gigabytes of personal data.

Methodology

We consulted the privacy policies of the major French, Italian, German and Spanish mobile companies’ services on each operator’s website. The objective was to answer ten previously formulated questions (which can be found in the infographics above) relating to the type of data collected, the way in which this data is used, and the completeness of certain information. The information obtained was collected in a datasets, which was then processed to create the infographics above.

This article is the result of an investigation coordinated by the European Data Journalism Network in which OBC Transeuropa, Voxeurop and El Confidencial have participated.