US vendor accused of violating GDPR by reputation-scoring EU citizens

A US-based fraud prevention company is in hot water over allegations it not only collected data from millions of EU citizens and processed it using automated tools without their knowledge, but that it did so in the United States, all in violation of the EU's data protection rules.

The complaint was filed by Austrian privacy advocacy group noyb, helmed by lawyer Max Schrems, and it doesn't pull any punches in its claims that TeleSign, through its former Belgian parent company BICS, secretly collected data on cellphone users around the world.

That data, noyb alleges, was fed into an automated system that generates "reputation scores" that TeleSign sells to its customers, which includes TikTok, Salesforce, Microsoft and AWS, among others, for verifying the identity of a person behind a phone number and preventing fraud.

BICS, which acquired TeleSign in 2017, describes itself as "a global provider of international wholesale connectivity and interoperability services," in essence operating as an interchange for various national cellular networks. Per noyb, BICS operates in more than 200 countries around the world and "gets detailed information (e.g. the regularity of completed calls, call duration, long-term inactivity, range activity, or successful incoming traffic) [on] about half of the worldwide mobile phone users."

That data is regularly shared with TeleSign, noyb alleges, without any notification to the customers whose data is being collected and used.

"Your phone provider likely forwards data to BICS who then forwards it to TeleSign. TeleSign generates a 'trust score' about you and sells phone data to third parties like Microsoft, Salesforce or TikTok  – without anyone being informed or giving consent," Schrems said.

Spot the GDPR violations

In its complaint, an auto-translated English version of which was reviewed by The Register, noyb alleges that TeleSign is in violation of the GDPR's provisions that ban use of automated profiling tools, as well as rules that require affirmative consent be given to process EU citizen's data.

But that's not all, and to understand why we need to dig a bit deeper into TeleSign's corporate parentage and the history of its behavior.

When BICS acquired TeleSign in 2017, it began to fall under the partial control of BICS' parent company, Belgian telecom giant Proximus. Proximus held a partial stake in BICS, which Proximus spun off from its own operations in 1997.

• That Meta GDPR fine is €1.2B. Plus biz must stop sending EU data to US
• Meta facing third fine of 2023 for mishandling EU user data under GDPR
• EU-US Privacy Framework could make life easier for a data biz, if it survives
• Fresh GDPR ruling says even 'minor anxiety' could mean payouts for EU folks

In 2021, Proximus bought out BICS' other shareholders, making it the sole owner of both the telecom interchange and TeleSign.

With that in mind, noyb is also leveling charges against Proximus and BICS. In its complaint, noyb said Proximus was asked by EU citizens from various countries to provide records of the data TeleSign processed, as is their right under Article 15 of the GDPR. 

The complainants weren't given the information they requested, says noyb, and claims what was handed over was simply a template copy of the EU's standard contractual clause (SCC), which has been used by businesses transmitting data between the EU and US while the pair try to work out data transfer rules that Schrems won't get struck down in court.

In addition to that article 15 allegation, TeleSign, and ultimately Proximus by virtue of its ownership of the company, are also accused of violating the GDPR's SCC rules "by carrying out a subsequent transfer that does not comply with its contractual obligations," noyb alleges in its complaint.

Noyb also asserts that BICS violated the GDPR by transferring data without appropriate safeguards to protect it. Schrems and other EU privacy advocates have long argued against the transfer of data to the US on the grounds that the States lack a federal data protection regulation, and as such federal authorities have free rein to access data protected in the EU.

Noyb is seeking cessation of all data transfers from BICS to TeleSign, processing of said data, and is requesting deletion of all unlawfully transmitted data. It's also asking for Belgian data protection authorities to fine Proximus, which noyb said could reach as high as €236 million ($257 million) – a mere 4 percent of Proximus's global turnover. 

According to the noyb complaint: "TeleSign considers that it processes data on the basis of legitimate interest within the meaning of Article 6.1.f of the GDPR, for reasons of 'fraud prevention, protection against spamming, phishing, promotion abuse, fake accounts, unlawful account takeovers and any other attack entailing costs.'"

TeleSign told The Register it was compliant with the law, saying: "Telesign has in place a data privacy program, which encompasses global law and regulations including the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). The company constantly reviews internal policies and practices to maintain compliance with the evolving regulatory landscape." ®