Why it matters: Finland’s Data Protection Authority is investigating Nokia for possible violations of the EU’s General Data Protection Regulation (GDPR) after allegations that some of its phones have been sending unencrypted data to servers in China. According to Nokia, it is an "error" they fixed in January.
Norwegian Broadcasting Corporation (NRK) notes that in February it received a tip from a Nokia 7 Plus user that his phone frequently sent data packets to an unknown server. When he inspected the contents, he was surprised to find that not only was the data unencrypted, but it was also being sent to a domain in China. The server in question is reportedly run by China Telecom, which is owned by the government.
A packet was sent any time the phone was turned on or unlocked. The uploaded data contained information including the phone’s geographical location, the SIM card number, and serial number.
When the Finnish data protection authority got wind of the claim, it opened an investigation into Finland’s HMD Global, Nokia’s parent company. According to Finnish newspaper Helsingin Sanomat, the authority’s initial probe into the matter revealed that there was enough evidence to warrant a full investigation.
"Based on our preliminary analysis, one can assume that personal data has been transferred," said Ombudsman Reijo Aarnio with the watchdog group. "This can at least be a violation of the GDPR legislation."
An HMD spokesperson admitted to NRK that several phones sold outside of China had mistakenly sent data to the server as part of the Chinese registration process. The company claims that it issued a patch in January and that most users have installed the update. The spokesperson also stressed that no personally identifiable information was sent, and that the company has therefore not violated any GDPR rules.