A Belgian telecommunications company named ‘BICS,’ which cooperates with over 500 mobile operators in 200 countries worldwide, is accused of collecting user identification, phone, and web traffic pattern data of billions of people.
As the European Digital Rights Center NOYB (“None of Your Business”) alleges in a complaint filed with the Belgian Data Protection Authority, BICS (and its parent company ‘Proximus’) collects the said data and sends it to Telesign. This U.S.-based fraud detection company utilizes AI to generate trustworthiness/reputation scores for people, ranging between 0 and 300. Telesign’s website mentions harnessing intelligence from more than 5 billion unique phone numbers from 230 countries and collecting 2,200 digital identity signals to generate trustworthy reports.
NOYB has shared a diagram that explains where that data goes, claiming that Telesign shares the generated scores with Microsoft, Salesforce, TikTok, IBM, EA, GoFundMe, Citrix, Upwork, Fiverr, and possibly many other technology companies, who use them for their own, private purposes. NOYB claims that these scores are used for deciding what confirmation steps should be added when a person attempts to create an account or if they will be allowed to create an account on the platform in the first place.
NOYB’s allegations surfaced after a March 2022 article in the “Le Soir” newspaper that claimed that BICS was covertly sharing customer phone activity data with TeleSign, including details such as the type of technology used for calls or texts, frequency of activity, and duration of calls.
If it is proven that BICS transfers identification data from Europe to the California-based Telesign and does so without obtaining the user’s consent, this activity will constitute a violation of the GDPR (General Data Protection Regulation). Facebook was recently fined €1.2 billion by the Irish Data Protection Commission for a similar breach of the GDPR after the data protection authority verified that the social media company was transferring the data of Europe-based users to its servers in the United States.
A detail that complicates the data protection office’s investigation is that Proximus’ largest shareholder is the Belgian state, and it would be quite condemning to verify that the company’s business strategy is not GDPR compliant. However, it is essential to underline that none of NOYB’s allegations have been established at this point, and the relevant inquiry has not been launched yet.
People who would like to determine if their phone numbers, and, by extension, their device and personal data, have been forwarded to Telesign for processing, can send this form to the company’s data policy representative at “firstname.lastname@example.org.” Telesign is obliged by law to respond to these requests promptly.