GDPR FAIL: US Firm ‘Profiles Half the World’ — it’s Max Schrems Again

Woman talking on the phoneNYOB accuses TeleSign, Proximus and BICS of misusing phone users’ private data.

A web of U.S. and Belgian companies secretly track millions of cellphone users, without permission. Discovering the alleged crime is our old friend Max Schrems and his NYOB organization.

Once again, Schrems is complaining about “illegally” sending EU citizens’ data to the U.S. for processing. In today’s SB Blogwatch, we feel a touch of déjà vu.

AWS Builder Community Hub

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mysterious time travelers.

Reputation Scoring = Privacy Violation

What’s the craic? Breaking the story, Philippe Laloux is lost in translation—“Proximus accused of profiling half of the planet’s smartphones”:

TeleSign did receive user data
Under the GDPR, Proximus risks a fine of up to $258 million. … At issue: Massive data processing, “without legal basis,” by its American subsidiary … TeleSign.

The complaint … is not trivial. It comes from the NGO Noyb, founded by Max Schrems. … This Austrian activist lawyer has given his name to several major judgments … under which data transfers between Europe and the United States are now prohibited. This has earned a few billion in fines for players like Facebook.

It appears … that TeleSign did receive user data to profile … users of communications services. … After being asked by users curious about what was done with their data, it turns out that none of the mobile operators … knew that the users’ data had been sent to TeleSign.

None of them? Dev Kundaliya adds—“Company has allegedly gathered data on more than half of global mobile phone users”:

In violation of GDPR
US-based fraud prevention company TeleSign is facing allegations of mass unlawful data gathering and processing. … TeleSign is said to obtain the data from BICS, a Belgian company that offers interconnection services to mobile phone companies. These services facilitate activities such as phone calls, roaming, and data transfer across different networks and services on a global scale.

BICS operates across more than 200 countries and has access to significant information about mobile phone users, including their call completion frequency, call duration, periods of prolonged inactivity and successful incoming traffic. BICS acquired TeleSign in 2017. … Proximus became the sole owner of BICS, as well as TeleSign, in 2021.

NOYB … alleges that TeleSign is in violation of GDPR regulations due to its use of automated profiling tools and the processing of EU citizens’ personal data – in the USA – without obtaining their informed consent. [And] that TeleSign and Proximus have violated the GDPR … by conducting subsequent data transfers that do not comply with their contractual obligations.

And Brandon Vigliarolo ties up the loose ends—“TeleSign and Belgian parent did almost everything wrong, alleges Max Schrems”:

Evolving regulatory landscape
TeleSign … is in hot water over allegations it not only … secretly collected data on … millions of EU citizens and processed it using automated tools without their knowledge, but that it did so in the United States, all in violation of the EU’s data protection rules. … That data, noyb alleges, was fed into an automated system that generates “reputation scores” that TeleSign sells to its customers, which includes TikTok, Salesforce, Microsoft and AWS, among others.

Noyb also asserts that BICS violated the GDPR by transferring data without appropriate safeguards to protect it. Schrems and other EU privacy advocates have long argued against the transfer of data to the US on the grounds that [it] lacks a federal data protection regulation—and as such, federal authorities have free rein to access data protected in the EU.

TeleSign [said]: “Telesign has in place a data privacy program, which encompasses global law and regulations including the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). The company constantly reviews internal policies and practices to maintain compliance with the evolving regulatory landscape.”

Horse’s mouth? Max Schrems, natch.—“TeleSign secretly profiles half of the world’s mobile phone users”:

We have therefore filed a complaint
Your phone provider likely forwards data to BICS who then forwards it to TeleSign. TeleSign generates a ‘trust score’ about you and sells phone data to third parties like … TikTok — without anyone being informed or giving consent. … TeleSign claims it is using artificial intelligence models to analyse the enormous amount of data received from BICS and to generate a “trust score” on each phone number. All of this happens in the United States, where US authorities also can access personal data from TeleSign.

The responses received by BICS and TeleSign suggest that this business model is not complying with EU privacy laws. We have therefore filed a complaint with the Belgian Data Protection Authority, who is competent for Proximus, BICS and TeleSign.

Reputation scoring? What is this—China? LightBug1 makes light of a serious subject:

-10 for mentioning China and/or reputation-scoring in a relatively negative fashion.
Your credit score has decreased accordingly. Have a lovey day, citizen, and do better tomorrow!

[In] China, … the social credit system is already well advanced. … People who ignore it are just comfortable in our situation and are not yet feeling the consequences. Some, at the margin, already are. … Citizens should rightly be very cautious of anything resembling, or amounting to … a social credit system.

Who cares about silly Belgian laws? TeleSign is ’Mercan! Savage-Rabbit eyerolls, furiously:

An amazing number of Americans think that if they operate in foreign countries or commit crimes there, they’ll be subject to and prosecuted under US law, not local laws.

Amazing? In a similar vein, here’s ecofeco:

Another day, another U.S. corp … finding out the rest of world will not put up with their bull****. … It always makes my day.

However, cm2012 argues the ends justify the means:

You realize, if you ban this kind of service, fraud rates are going to multiply 10x in the EU, and new, very inconvenient barriers to fraud will be put in place. I’d like to see one (1) person harmed by any of the data sharing that TeleSign has done here.

This “reputation score” means: Are you a bot or a human? It’s not a credit score.

But what if Schrems is wrong? Displacement Activity suspects so:

I unfortunately had to spend several hours wading through the … GDPR yesterday (Sunday), and there seems to be a bit of a hole here. BICS appears to have collected call data. … However, this is not necessarily in violation of GDPR, because the collected data, on the face of it, can not be associated with a real person.

So the mobile operator is the data controller (it possessed the private data … the caller identity). … BICS is simply a data processor. … I can’t see any reason that the operators would give BICS the data unless they expected BICS to use that data, so the smoking gun appears to be at the operators.

Meanwhile, WheatMillington bags plain flour:

Americans: Ha ha, look at those dystopian Chinese and their social credit score.
Also Americans: Credit score, reputation score, every other ranking imaginable performed by unaccountable corporations.

And Finally:

I’m not saying it’s aliens

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: yang miao (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 492 posts and counting.See all posts by richi