Following the investigation by the CBP, KPN has taken measures that have ended the established violations. The telecom operator acted in breach of the law by not irreversibly anonymising or deleting the data about website visits and apps usage that were collected for the operation of the network. The company has stopped using the equipment for data analysis during the investigation, and has deleted the collected data. KPN has indicated it has taken into use equipment that anonymises the data as soon as possible after the collection.
The CBP found multiple violations at Tele2 that are all on-going, but for one. Tele2 contravenes the law by not irreversibly anonymising the data about website visits and apps usage as soon as possible after the collection, even though Tele2 encrypts those data. It keeps those (hashed) data for a period of one year. Tele2 uses the collected data for market research purposes without the consent of its customers. That is also in breach of the law.
T-Mobile Netherlands has resolved a number of violations as a result of the investigation. The company still acts in breach of the law, because it does not destroy email addresses as soon as possible. And, although T-Mobile has modified its privacy statement, it is still not clear about data retention periods.
Vodafone Netherlands also resolved a number of violations following the investigation. In spite of changes, Vodafone still keeps data longer than necessary to detect and solve network problems (network monitoring). Because of this, Vodafone on this issue still breaches the law. During the investigation, the CBP found that Vodafone NL stored detailed personal data regarding site visits and apps used. Vodafone NL has stated it no longer does this. After the closing of the investigation, Vodafone has modified its (short falling) privacy statement and the mandatory notification of the data processing to the CBP.
In the spring of 2011, telecom supervisory authority OPTA (since merged into the ACM) decided to launch a quick-scan investigation of the four telecom operators KPN, Vodafone, T-Mobile and Tele2, after reports in the media about deep packet inspection of the communication traffic. This quick scan examined whether and to what extent these operators were analysing data traffic. Based on the quick-scan, OPTA concluded in June 2011 that in this stage of the investigation it did not see reason for enforcement actions based on the Telecommunications Act. OPTA handed over its preliminary findings to the CBP, based on the collaboration covenant between the two supervisory authorities.