How mobile operators use our personal data


© UnderhilStudio/Shutterstock

Who reads mobile operators’ privacy policies carefully when activating a new SIM card or changing operator? It is quite common to give consent to data processing without delving into or even reading what one agrees to. The data that are constantly collected from our smartphones – from location and navigation information, to more sensitive ones such as biometric data – are collected and used to offer ‘tailor-made’ services, or sold by operators to other companies. Their collection makes it possible to obtain sensitive information about users, such as religious affiliation, sexual orientation or other interests.

In recent years, important legal steps have been taken in the field of data protection by the European Union, especially with the enactment of the GDPR (the General Data Protection Regulation) in 2018. Still, just a few European telephone companies are making an effort to make information on the processing of personal data more readable, even though the legislation stipulates that it must be easily accessible and understandable. As part of the PANELFIT project, OBC Transeuropa and two other EDJNet partners conducted an investigation that seeks to shed light on the real use that European phone companies make of our data, with a focus on the cases of Italy, Spain, France and Germany.

Main findings:

  • The GDPR specifies that telephone operators must clearly indicate three things to users: what categories of data are collected, for what purposes and on what legal basis. In practice, this is not always the case.
  • The most commonly collected data concern the user’s location, navigation or habits, but sometimes also biometric data. With regard to the latter, operators often do not specify or state clearly in their privacy policy whether they are collected or not, and for what purposes.
  • Telephone companies use different legal bases to collect personal data: the general tendency is to use the user’s consent, for instance for profiling activities. However, there are cases where data collection also takes place without consent, invoking legitimate interest.
  • Data can be used for ‘profiling’ activities in order to propose ‘tailor-made’ commercial offers to the user. Profiling allows companies to justify the collection of data, but, when the data is passed on to third parties, it can be used for different purposes, of which users are not always aware.
  • Since the GDPR came into force, several fines have been imposed on European telephone companies. A few years ago, for instance, Polish authorities fined Virgin Mobile €443,000 for failing to guarantee the security of its users’ personal data.


The data unit

Federico Caruso (OBC Transeuropa, coordinator) is an Italian journalist working for OBC Transeuropa. His work mainly focuses on the impact of digitalisation and new technologies on society.

Gianluca De Feo (OBC Transeuropa, coordinator) is an Italian journalist. A former staffer of YouTrend, he now works for OBC Transeuropa.

EDJNet members which took part in this investigation: