US Vendor Accused of Violating GDPR By Reputation-Scoring EU Citizens

TeleSign, a U.S.-based fraud prevention company, has allegedly collected data from millions of EU citizens and processed it in the United States using automated tools without their knowledge. The complaint "alleges that TeleSign is in violation of the GDPR's provisions that ban use of automated profiling tools, as well as rules that require affirmative consent be given to process EU citizen's data," reports The Register. From the report: The complaint was filed by Austrian privacy advocacy group noyb, helmed by lawyer Max Schrems, and it doesn't pull any punches in its claims that TeleSign, through its former Belgian parent company BICS, secretly collected data on cellphone users around the world. That data, noyb alleges, was fed into an automated system that generates "reputation scores" that TeleSign sells to its customers, which includes TikTok, Salesforce, Microsoft and AWS, among others, for verifying the identity of a person behind a phone number and preventing fraud.

BICS, which acquired TeleSign in 2017, describes itself as "a global provider of international wholesale connectivity and interoperability services," in essence operating as an interchange for various national cellular networks. Per noyb, BICS operates in more than 200 countries around the world and "gets detailed information (e.g. the regularity of completed calls, call duration, long-term inactivity, range activity, or successful incoming traffic) [on] about half of the worldwide mobile phone users." That data is regularly shared with TeleSign, noyb alleges, without any notification to the customers whose data is being collected and used. "Your phone provider likely forwards data to BICS who then forwards it to TeleSign. TeleSign generates a 'trust score' about you and sells phone data to third parties like Microsoft, Salesforce or TikTok -- without anyone being informed or giving consent," Schrems said. [...]

When BICS acquired TeleSign in 2017, it began to fall under the partial control of BICS' parent company, Belgian telecom giant Proximus. Proximus held a partial stake in BICS, which Proximus spun off from its own operations in 1997. In 2021, Proximus bought out BICS' other shareholders, making it the sole owner of both the telecom interchange and TeleSign. With that in mind, noyb is also leveling charges against Proximus and BICS. In its complaint, noyb said Proximus was asked by EU citizens from various countries to provide records of the data TeleSign processed, as is their right under Article 15 of the GDPR. [...] Noyb is seeking cessation of all data transfers from BICS to TeleSign, processing of said data, and is requesting deletion of all unlawfully transmitted data. It's also asking for Belgian data protection authorities to fine Proximus, which noyb said could reach as high as $257 million -- a mere 4 percent of Proximus's global turnover.

Silly Europeans

[rsilvergun]

Laws don't apply to us Americans. Laws are for wussies.

Re:

[Savage-Rabbit]

Laws don't apply to us Americans. Laws are for wussies.

That's not quite true, but an amazing number of Americans think [state.gov] that if they operate in foreign countries or commit crimes there they'll be subject to and prosecuted under US law, not local laws.

Re:

[Rujiel]

Sure it's true, the US believes in only its own rule of law, so non-Americans are considered subhuman. just ask the Nissour Square killers.. or any of Eddie Gallagher.. or judge Kenneth Marra, who decided that relatives of disappeared have no right to sue the oil companies that hired death squads to do it.

Re: Silly Europeans

[Fons_de_spons]

Meh, you may have guns... we use guillotines

Re:

[VeryFluffyBunny]

So you have no right to privacy? Great. Enjoy your freedumbs while your democracy crumbles around you. Everyone having guns just means you'll descend into a lawless failed state with warring factions, like Somalia, all the faster.

Re:

[Papaspud]

Evil Swiss will be fighting everyone...

Re:

[VeryFluffyBunny]

Nope. The Swiss have fewer that 1 privately owned gun per 3 people. Canada has more guns than Switzerland. The USA has nearly doble the number of guns per person than the next highest country. People in the USA don't seem to trust or like each other very much either.

Re:

[Local ID10T]

Except that these are European corporations (Proximus and BICS) with a wholly owned US subsidiary (TeleSign). They are all under EU jurisdiction. TeleSign would also fall under US jurisdiction.

Burying the real story

[bhcompy]

The issue isn't the US company. The EU has no jurisdiction to enforce GDPR on a US company that doesn't operate in the EU. The issue is the parent company (Proximus/BICS) that is sending the data. The EU has jurisdiction over them.

Re:Burying the real story

[Njovich]

The issue isn't the US company. The EU has no jurisdiction to enforce GDPR on a US company that doesn't operate in the EU. The issue is the parent company (Proximus/BICS) that is sending the data. The EU has jurisdiction over them.

Actually if this company collects data on EU citizens, EU considers that enough for jurisdiction (similar to US on various regulations). EU data protection authorities can fine companies that do business with that company. The issue is very much the US company even if enforcement is done on a parent or partner.

Re:

[drinkypoo]

Nothing you said conflicted with the GP comment. Being able to sue other companies is not the same as being able to do things directly to that company.

Re:

[Njovich]

It's a subtle distinction, but the GP said the issue was the EU company sending data. However, the American company is also being enforced against, as they are also in breach (and EU considers it has jurisdiction). If you sanction Iran by forbidding companies to do business with them, that is a sanction on Iran, not on those companies.

Re:

[gweihir]

Indeed. Whether the EU can actually enforce a fine against a company with no offices in the EU is another matter. It can certainly prohibit anybody within the EU from doing any more business with them though and it can sue them in the US and if that does not work find that the US does not have adequate privacy protections and prohibit _anybody_ from transferring any EU citizen data to the US. See also the "Schrems" rulings of the European Court of Justice.

Re:

[thegarbz]

Nothing you said conflicted with the GP comment.

Not every god damn Slashdot comment has to be in conflict with the parent.

Re:

[gweihir]

This is not about suing anybody. This is about punishment.

Re:

[SvnLyrBrto]

EVERY nation should care about and respect jurisdiction and NONE of them should be allowed to legislate behavior outside their own borders. Maybe the US is still worse about it than the EU, maybe not. But even it's behind, the EU is doing its damndest to catch up on this particular misbehavior. And yes, just like the EU should be told to fuck off and go pound sand wrt/ this particular (And really... many, Many, MANY others.) instance involving the GDPR; The US should be told to go fuck off and pound sand

Re:

[AmiMoJo]

There's a big difference between the EU here and the US. The US claims jurisdiction over things like transactions in USD. Doesn't matter if no US citizens are involved, and it's outside US territory. Using USD is enough.

The EU is claiming jurisdiction over data that belongs to its citizens. Its citizens are directly involved.

Re:

[VeryFluffyBunny]

Yeah, um, the Geneva Convention might want a word with you about that.

Re:

[Growlley]

Faird fair that makes all your merkins were criminals and genocides.

"Fuck off and die"

[Malay2bowman]

I don't need any heartless corporation "reputation scoring" me. Well two can play at that game. I rate them as sexual creeps and perverts who spy on women and children and it's entered into the big giant database that my company controls. They can appeal my decisions, but I will never get them because it all goes to /dev/nul without any intervention from me.

Ha.

[Motleypuss]

Figures that it would've been the USA who got there first. Getting there first is what the USA is good at.