Mobile operators and personal data in Europe

Readability

As stipulated numerous times in the GDPR (recitals 39, 42, 58; Articles 7 and 12), information on any potential personal data processing must be provided in an easily accessible and understandable way. With this in mind, there is not much noticeable effort on the part of the companies under consideration to go beyond the so-called “wall of text” with, for example, layouts, language or graphical aids aimed at improving readability. Of course, this problem is hardly exclusive to telecommunications companies, as large-scale research and everyday user experience shows. Academic research has long hypothesised that icon-based graphical systems an optimal method for presenting information intuitively. None of the companies analysed adopt such methods. Nevertheless, approaches vary between those who simply publish a legal document in pdf format, without any particular attention to layout and readability, and those who go a step further in communicating their policies, for example with Q&A sections or pages that are almost like mini-websites . More can certainly be done, and perhaps greater homogeneity in the structure of policies across different companies would make comparison easier, to the benefit of transparency.

Completeness

Information about how to access, rectify, cancel, restrict, refuse or revoke personal data use, as well as the right to lodge a complaint, should be clearly stated in the privacy policy. As noyb points out in its report on videoconferencing software , citing the Article 29 Working Party guidelines , it is not enough to simply inform users about the existence of these rights: the operator should also include “a summary of what each right involves and how the data subject can take steps to exercise it and any limitations on the right”. There are different approaches on this point. Often the information is presented in a partial way, with a very brief description of the user’s rights, and sometimes lacking contact information for requests. A notable example is the Vodafone Germany app, where no information is provided in the privacy policy. Meanwhile several Italian companies adopt rather vague formulas such as “you have the right to lodge a complaint with the Representative for the protection of personal data“ (TIM and the affiliated Kena Mobile), without including any information on how this might be done, or the legal basis for doing so.

Categories of collected data and data processing

When it comes to the types of data considered in this study, the picture is fairly homogeneous from country to country. The overall trend is to collect location, navigation and behavioural data. Generally, the legal basis for collection is the user’s consent, while some collect data regardless of consent, by invoking the legitimate interest clause. The situation with biometric data is more varied. In many cases, it is not specified whether biometric data is collected or not, but this could be due to the fact that they are merged into the other categories mentioned. Indeed, things like typing or scrolling styles can be defined as both biometric and behavioural data. However, biometric data also includes things like fingerprints or facial recognition, which are possible to record with any smartphone produced in recent years. For this reason, such data would be better specified separately.

As for profiling activities, i.e. analysing user data in order to improve the service, but also to create “tailor-made” commercial offers, asking for explicit consent seems to be the general approach. However, in some cases (e.g. Orange and Vodafone in Spain) it is said that profiling will take place anyway. The situation for Vodafone and Congstar GmbH customers in Germany (and to some extent Digi and the Yoigo app in Spain) is unclear, since, as far as we could verify, none of these companies explicitly mention the categories of data collected, nor whether or not they are used for profiling activities.

Transfer and deletion of data

All companies state that they will, under certain conditions, transfer personal data to third parties. In most cases this is for activities related to contract execution or assessment of customer solvency. In some cases explicit reference is made to commercial partners (sometimes affiliated with the operator) to whom, with the user’s consent, data may be transferred for a wide range of purposes, including commercial proposals for goods or services completely unrelated to phones. The formulas used are sometimes very general, especially in the case of French (Orange, Bouygues Telecom) and German (Vodafone, O2, Congstar GmbH) companies. The same goes for the apps of these companies, as well as those of the Spanish Yoigo and the German Telekom, Aldi Talk and 1&1 Telecom GmbH.

For data retention, several companies adopt concise formulas to explain in a few lines that data will be retained “for a period of time not exc