Another day, another U.S. corp finding out
It always makes my day to see a U.S. corp finding out the rest of world will not put up with their bullshit.
A US-based fraud prevention company is in hot water over allegations it not only collected data from millions of EU citizens and processed it using automated tools without their knowledge, but that it did so in the United States, all in violation of the EU's data protection rules. The complaint was filed by Austrian privacy …
They may be a US corp but they are owned by an EU (Belgian) corp, BICS, who are in turn owned by Proximus (Belgian).
I know the article says BICS are former parents but it seems BICS still own TeleSign, as the merger with North Atlantic Acquisition Corporation was cancelled.
As all three companies are listed in the complaint it is really "Another day, another big corp finding out".
But, like you, the article made my day ;)
NP, but to be honest I have no idea why I looked it up. ;)
BTW I am not a lawyer so the info is not some AI "hallucination" and here are the links to prove it. ;)
https://www.naacq.com/news-releases/news-release-details/north-atlantic-acquisition-corp-announces-termination-business
https://pitchbook.com/profiles/company/54825-04#funding
TeleSign told The Register it was compliant with the law, saying: "Telesign has in place a data privacy program, which encompasses global law and regulations including the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). The company constantly reviews internal policies and practices to maintain compliance with the evolving regulatory landscape."
TeleSign told The Register it was compliant with the law?
No, they didn't old chap. "data privacy program... encompasses global law and regulations" does not mean "abides by the laws", just means that the laws are taken into account. Not quite the same thing.
Belgian
Ah yes - Belgium. The place where, as a motorbike rider, I felt most unsafe. France is good (probably because just about everyone seems to ride a scooter as a kid and so grow up very aware of two-wheeled traffic). Germany is good (operating a bike is quite expensive). UK is *mostly* good (apart from the nutcases in the cities that seem to take personal offence at the fact that a motorbike can filter through traffic and will try to block your path). Ireland is good. The Netherlands are *really* good.
But Belgians are the rudest, most selfish drivers I've ever come across in Europe. They seem quite happy to use other cars and bikes as bumper-stoppers, cut you up and seem blind to the existence of two-wheeled traffic.
I'll never willingly ride there again - I'd rather take the long way round and have the expectation of surviving.
I unfortunately had to spend several hours wading through the UK DPA 2018 and GDPR yesterday (Sunday), and there seems to be a bit of a hole here.
BICS appears to have collected call data through some sort of operation of exchanges. However, this is not necessarily in violation of GDPR, because the collected data, on the face of it, cannot be associated with a real person. To get an identity, they would have needed information from the mobile operator.
So the mobile operator is the data controller (it possessed the private data, which was the caller identity), and BICS is simply a data processor. Transfer of data from a controller to a processor falls outside the data sharing code of conduct.
So the issue comes down to the contract between the mobile operators and BICS. I can't see any reason that the operators would give BICS the data unless they expected BICS to use that data, so the smoking gun appears to be at the operators.
IOW, maybe time to be kicking Vodafone, which sounds like a win.
However, this is not necessarily in violation of GDPR, because the collected data, on the face of it, cannot be associated with a real person
Actually, I think you'll find that it is considered personal information - it's more personal than an IP address, and that's been found in courts to be personal information for the purposes of GDPR.
But as you say, it's a bit complicated, and yes, it's probably the case that every EU-based mobile operator handing over the data - which must include subscriber information for BICS/whoever to be able to offer identity verification services - is also in breach of the regulations on the part of the operators (though I imagine they'll cover their backside by a "and to prevent fraud" clause on page 3 trillion of the contract terms).
But in any case, if it comes down to believing NOYB (headed by Max Schrems and putting its money where its mouth is) vs the opinion of a fellow "random person on the internet" - no offence, but I'll assume Schrems is more likely to be right here. He does have form in this game.
> wading through the UK DPA 2018 and GDPR
As this issue relates to a company in the EU, the UK DPA 2018 is not relevant (however the UK GDPR is somewhat relevant, as it is presently 99% equivalent to the (EU) GDPR).
> However, this is not necessarily in violation of GDPR, because the collected data, on the face of it,
> cannot be associated with a real person. To get an identity, they would have needed information
> from the mobile operator.
"the collected data...cannot be associated with a real person" yet "To get an identity, they would have needed information from the mobile operator". So in other words it *can* be associated with a real person, just not by BICS themselves - this still means that the data is considered "personal data" in terms of the GDPR - e.g. pseudonymised data is still personal data; if it's not anonymised data (so NO ONE can determine who it's about) then it's personal data.
> Transfer of data from a controller to a processor falls outside the data sharing code of conduct.
Correct, data sharing applies between Data Controllers (whether Joint or Independent). BTW the ICO Data Sharing Code of Conduct is not relevant as this happened in the EU, not the UK.
However if BICS was acting as a Data Processor for a (EU) Mobile Operator then the Mobile Operator was required to have a contract in place with BICS to engage them as a Data Processor and said contract was required to ensure that BICS only acted upon the Data Controller's instructions.
> So the issue comes down to the contract between the mobile operators and BICS. I can't see any reason
> that the operators would give BICS the data unless they expected BICS to use that data, so the smoking
> gun appears to be at the operators.
The Data Controller's contract, plus any further instructions, with BICS would detail exactly what processing BICS could do with the personal data - "unless they expected BICS to use that data" - the Controller would define how/for what purposes that BICS would use the personal data.
The contract would also ensure that BICS could not engage any sub-processors without the Controller's agreement. The contract would also ensure that BICS could not transfer any personal data outside the EU without the Controller's instruction and the Controller would be legally "on the hook" to ensure that the personal data would be "safe" in the non-EU destination (i.e. Adequacy Decision or alternative in place).
However from the article it is not clear exactly what the Data Controller or Data Processor relationships were between each of the Mobile Operators, Proximus (which is a Mobile Operator itself), BICS, and Telesign.
The accused provides a service "for verifying the identity of a person behind a phone number and preventing fraud."
To me that sounds like a useful functionality to have around. No doubt the fraudsters are anxiously waiting this company to go away so they can get back to the business of impersonating Amazon, MSFT, Google, etc.