Dutch mobile operators modify data-analysis after investigation Dutch DPA - Results investigation Dutch DPA into packet inspection by the telecom operators


Press release 4 July 2013
The Dutch Data Protection Authority (CBP) today publishes its reports resulting from the investigation into the analysis of data traffic (packet inspection) on the mobile network by the mobile operators KPN, Tele2, T-Mobile and Vodafone. These four operators are the largest mobile network providers in the Netherlands. In the course of the investigation the Dutch DPA has found violations of the Dutch Data Protection Act and the Telecommunications Act at all four operators. The companies are found to have stored data, in breach of the law, on a detailed level about visited websites and used apps. According to the law, such data must be deleted as soon as possible after collection, or irreversibly anonymised. Data about visited websites and used apps via smartphones tell a lot about the behaviour and preferences of people. In many cases it is not necessary to store such data on an individual (customer) level.
The investigation has also shown that customers are not, or incorrectly, informed, about the fact that the telecom operators collect this detailed information about them and what they do with it. This lack of transparency is also in breach of the law.
As a result of the investigation, some of the established violations have stopped. The Dutch DPA will now verify to what extent some established violations are still on-going and decide whether it will take enforcement measures.

Following the investigation by the CBP, KPN has taken measures that have ended the established violations. The telecom operator acted in breach of the law by not irreversibly anonymising or deleting the data about website visits and apps usage that were collected for the operation of the network. The company has stopped using the equipment for data analysis during the investigation, and has deleted the collected data. KPN has indicated it has taken into use equipment that anonymises the data as soon as possible after the collection.

The CBP found multiple violations at Tele2 that are all on-going, but for one. Tele2  contravenes the law by not irreversibly anonymising the data about website visits and apps usage as soon as possible after the collection, even though Tele2 encrypts those data. It keeps those (hashed) data for a period of one year. Tele2 uses the collected data for market research purposes without the consent of its customers. That is also in breach of the law.
Following the investigation, Tele2 has created a general privacy policy with which the company informs its customers. This statement however is not complete. In case of maintenance or support, Tele2 offers access to the personal data to another company outside of the EU without an adequate data protection level. Tele2 NL has announced measures to end this violation.

T-Mobile Netherlands
T-Mobile Netherlands has resolved a number of violations as a result of the investigation. The company still acts in breach of the law, because it does not destroy email addresses as soon as possible. And, although T-Mobile has modified its privacy statement, it is still not clear about data retention periods.

Vodafone Netherlands
Vodafone Netherlands also resolved a number of violations following the investigation. In spite of changes, Vodafone still  keeps data longer than necessary to detect and solve network problems (network monitoring). Because of this, Vodafone on this issue  still breaches the law. During the investigation, the CBP found that Vodafone NL stored detailed personal data regarding site visits and apps used. Vodafone NL has stated it no longer does this.  After the closing of the investigation, Vodafone has modified its (short falling) privacy statement and the mandatory notification of the data processing to the CBP.

Background information
In the spring of 2011, telecom supervisory authority OPTA (since merged into the ACM) decided to launch a quick-scan investigation of the four telecom operators KPN, Vodafone, T-Mobile and Tele2, after reports in the media about deep packet inspection of the communication traffic. This quick scan examined whether and to  what extent these operators were analysing data traffic. Based on the quick-scan, OPTA concluded in June 2011 that in this stage of the investigation it did not see reason for enforcement actions based on the Telecommunications Act. OPTA handed over its preliminary findings to the CBP, based on the collaboration covenant between the two supervisory authorities.