Mobile operators and personal data in Europe

This article explores in more detail our research into how phone companies use customers’ personal data, with notes on the legal issues relating to European law.

Published On: April 8th, 2022

We analysed the privacy policies of the major phone companies in Italy, Spain, France and Germany (the country-specific articles contain more details about each company’s privacy policies).

Readability

As stipulated numerous times in the GDPR (recitals 39, 42, 58; Articles 7 and 12), information on any potential personal data processing must be provided in an easily accessible and understandable way. With this in mind, there is not much noticeable effort on the part of the companies under consideration to go beyond the so-called “wall of text” with, for example, layouts, language or graphical aids aimed at improving readability. Of course, this problem is hardly exclusive to telecommunications companies, as large-scale research and everyday user experience show. Academic research has long hypothesised that icon-based graphical systems are an optimal method for presenting information intuitively. None of the companies analysed adopt such methods. Nevertheless, approaches vary between those who simply publish a legal document in PDF format, without any particular attention to layout and readability, and those who go a step further in communicating their policies, for example with Q&A sections or pages that are almost like mini-websites. More can certainly be done, and perhaps greater homogeneity in the structure of policies across different companies would make comparison easier, to the benefit of transparency.

Completeness

Information about how to exercise the rights of access, rectification, erasure, restriction of processing and objection, how to withdraw consent, and the right to lodge a complaint with a supervisory authority should be clearly stated in the privacy policy. As noyb points out in its report on videoconferencing software, citing the Article 29 Working Party guidelines, it is not enough to simply inform users about the existence of these rights: the operator should also include “a summary of what each right involves and how the data subject can take steps to exercise it and any limitations on the right”. There are different approaches on this point. Often the information is presented in a partial way, with a very brief description of the user’s rights, and sometimes lacking contact information for requests. A notable example is the Vodafone Germany app, whose privacy policy provides no such information at all. Meanwhile several Italian companies adopt rather vague formulas such as “you have the right to lodge a complaint with the Representative for the protection of personal data” (TIM and the affiliated Kena Mobile), without including any information on how this might be done, or the legal basis for doing so.

Categories of collected data and data processing

When it comes to the types of data considered in this study, the picture is fairly homogeneous from country to country. The overall trend is to collect location, browsing and behavioural data. Generally, the legal basis for collection is the user’s consent, while some operators collect data regardless of consent by invoking legitimate interest. The situation with biometric data is more varied. In many cases, it is not specified whether biometric data is collected or not, but this could be because it is merged into the other categories mentioned. Indeed, things like typing or scrolling patterns can be classified as both biometric and behavioural data. However, biometric data also includes things like fingerprints or facial features, which any smartphone produced in recent years is capable of capturing. For this reason, such data would be better specified separately.

As for profiling activities, i.e. analysing user data in order to improve the service, but also to create “tailor-made” commercial offers, asking for explicit consent seems to be the general approach. However, in some cases (e.g. Orange and Vodafone in Spain) it is said that profiling will take place anyway. The situation for Vodafone and Congstar GmbH customers in Germany (and to some extent Digi and the Yoigo app in Spain) is unclear, since, as far as we could verify, none of these companies explicitly mention the categories of data collected, nor whether or not they are used for profiling activities.

Transfer and deletion of data

All companies state that they will, under certain conditions, transfer personal data to third parties. In most cases this is for activities related to contract execution or assessment of customer solvency. In some cases explicit reference is made to commercial partners (sometimes affiliated with the operator) to whom, with the user’s consent, data may be transferred for a wide range of purposes, including commercial proposals for goods or services completely unrelated to phones. The formulas used are sometimes very general, especially in the case of French (Orange, Bouygues Telecom) and German (Vodafone, O2, Congstar GmbH) companies. The same goes for the apps of these companies, as well as those of the Spanish Yoigo and the German Telekom, Aldi Talk and 1&1 Telecom GmbH.

For data retention, several companies adopt concise formulas to explain in a few lines that data will be retained “for a period of time not exceeding the achievement of the purposes for which they were collected or subsequently processed” (TIM Italia) and indicating a maximum time limit after which they will be deleted. Others take a more transparent approach and publish a table detailing retention periods for the various categories of data (Coop Voce, Ho., Vodafone and Wind Tre in Italy; Bouygues Telecom in France). In Germany, data is generally deleted within 12-14 months.

GDPR

The two most relevant GDPR articles in the present context are 13 and 15. As Stefano Rossetti, a lawyer with the noyb.eu team, explained to us, these articles regulate the two “moments” when personal data processing becomes an issue in the relationship between user and company.

Article 13 lists the information that the company must provide in the first of these two moments, i.e. when the user subscribes to a service and the data is collected from them. This information, as explained in the aforementioned noyb report, is usually set out in a document known as a “privacy policy”, the main subject of our analysis. Three elements must always be present in a privacy policy: the categories of data collected, the purpose for which the data is requested, and the legal basis on which the data is processed. The information that the company is required to provide also includes the identity of the data controller, the possible recipients of the personal data collected (public authorities, other companies, etc.), the storage period, and information on the possibility of requesting access to the data or its erasure, as well as the possibility of lodging a complaint in case of misconduct.

As for the completeness of the information provided, the new guidelines on the right of access currently being drafted by the EDPB (European Data Protection Board) seem to leave a certain margin of “generality” to the data controller: “information [about the processing and on data subjects’ rights] can be based on what is already compiled in the controller’s record of processing activities (Art. 30) and the privacy notice (Art. 13 and 14). However, this general information may have to be updated to the time of the request or tailored to reflect the processing operations that are carried out in relation to the specific person making the request”.

This brings us to the second “moment”, namely Article 15, which states that “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”. Thus, while Article 13 specifies that the company is obliged to inform the user (and how it must do so), Article 15 specifies the company’s duty to respond to any request for access, so that the user can verify that the data collected and its processing comply with what is stated in the privacy policy, as well as with the law. For the purposes of this study, we limited our analysis to the first part.

This article has been produced within the Panelfit project, supported by the Horizon 2020 programme of the European Commission (grant agreement no. 788039). The Commission did not take part in the production of the article and is not responsible for its content. The article is part of the independent journalistic production of EDJNet.
