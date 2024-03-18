Telecommunications provider Odido has been fined by the National Digital Infrastructure Inspectorate (RDI) for violating the privacy of millions of subscribers. The largest mobile provider in the Netherlands is being punished for its cooperation with Statistics Netherlands (CBS), as the NRC wrote about in 2021. The fine is 175,000 euros.

Between 2018 and 2020, Odido and CBS wanted to develop a profitable algorithm that could track the movements of groups of citizens based on the location data of millions of mobile subscribers. Customers using the T-Mobile (formerly Odido) network were not informed about this. The algorithm could help governments invest in infrastructure as governments will be able to see where groups of people are throughout the day. This can help determine, for example, where a car lane should be located. Or from a safety point of view: what places need to be closed due to crowds?

To develop the algorithm, CBS employees were given access to “traffic data” from 2.5 million to 4.5 million subscribers over nearly two years, according to a study released Monday by RDI, a former telecommunications agency. An investigation was launched following the NRC article. “Traffic data contains sensitive information such as the time of phone calls and the location of callers,” RDI wrote in a press release. This included traffic data that was “pseudonymized” or encrypted but could be decrypted. According to RDI, the investigation did not show that this actually happened.

Pseudonymized data is also considered tracked data. Pseudonymization means that the unique IMSI numbers of mobile devices have been replaced with other numbers. If you know where someone has been, you can find data about a phone that traveled the same route to establish a connection between the person and the phone. From that moment on, someone could be followed. There were “no serious consequences,” according to RDI. The call and location data of millions of Dutch people would not have ended up on the street through CBS employees.

“Incredibly important”

RDI’s Inspector General Angeline van Dijk calls it “incredibly important” that this type of data is properly protected. “The strength of our intervention lies not so much in the size of the fine, but in the awareness of the importance of this case. We are convinced that this fine and public attention contribute to ensuring the security of Dutch citizens’ telephone data,” says Van Dijk.

At the time, Odido did everything possible to keep his collaboration with CBS under wraps. In early 2020, the telecommunications company wanted to continue developing the algorithm, but management told CBS that communication about it was “off the table.” The PR risks would be too great. This was evident from the documents that the NRC requested at the time under the Public Access to Government Act (WOB). For the same reason, Odido has challenged the RDI fine in court in recent years. With some success, as the original fine of 450,000 euros was reduced to 175,000 euros. The judge took into account that the call data did not end up on the street.

In a written response, Odido said it would not appeal. “Odido always emphasized that CBS did not share personal information. That is why the provider is also pleased that RDI stated that it could not prove that non-anonymous data was provided,” Odido’s response said.

The supervisory authority for CBS is the Dutch Data Protection Authority (AP). Following the NRC publication, the privacy watchdog entered into negotiations with CBS. Partly in response, the statistics agency says it has taken additional measures to protect citizens’ privacy. For example, a “chief privacy officer” has been appointed to formulate privacy policies.

