Facepalm: Austrian non-profit organization NOYB is accusing a US company of generating and selling user profiles to a bunch of tech corporations. The practice is a blatant violation of Europe's General Data Protection Regulation and the privacy of European citizens, the organization stated.
Telesign is a US company that specializes in "reputation scores" for mobile users, which are sold to corporate clients such as Microsoft, IBM, TikTok, Salesforce, Amazon AWS, and many more. Telesign customers can then use previously generated reputation scores to verify mobile end users and minimize fraud.
Telesign gets most of its data from a "secret" agreement with BICS, which is a Belgian company that provides interconnection services for many mobile phone companies. Thanks to BICS, "hundreds" of mobile carriers around the world can connect their networks with no need for direct agreements. Because of its "intermediary" position, BICS can get very detailed information on phone calls including duration, inactivity, successful incoming traffic, and more.
According to NOYB's complaint, BICS processes calls for about half of all worldwide mobile phone users, and Telesign abused that data to profile millions of people. User verification provided by Telesign amounts to over five billion unique phone numbers per month, NOYB said, which is half of the world's mobile population.
Data about European citizens was transferred and processed in the United States, NOYB said, where US authorities could theoretically access personal data collected by Telesign. The activity was unlawful, though, and likely in violation of the European regulation on privacy and data protection (GDPR). Secretly using telecommunication data to profile users is not in line with the GDPR, NOYB said, as data processing companies are required to get explicit permission from users.
Lawyer, privacy activist, and NOYB founder Max Schrems said the responses received from BICS and Telesign suggest their business model is "not complying with EU privacy laws." The activist has therefore filed a complaint with the Belgian Data Protection Authority (DPA), which is competent for Proximus, BICS and Telesign. Proximus group is the current owner of both BICS and Telesign.
NOYB is asking for the data processing to stop, of course, while the Belgian DPA could further punish the three offending companies with a fine of up to €236 million – or four percent of the global turnover of the Proximus group. For users interested in knowing if they have been profiled, packed and sold by Telesign's secret data processing program, NOYB said the GDPR forces companies to provide all this information and then some. You just have to ask, and NOYB provides a template for that.