USA's TeleSign 'breached GDPR' say campaigners

Company has allegedly gathered data on more than half of global mobile phone users

US-based fraud prevention company TeleSign is facing allegations of mass unlawful data gathering and processing.

Last week the Austrian privacy advocacy group NOYB, led by lawyer Max Schrems, filed a complaint with the Belgian Data Protection Authority.

In it the group alleged that TeleSign, a subsidiary of Belgian telecom operator Proximus, has been secretly profiling millions of mobile phone users without their knowledge.

TeleSign is said to obtain the data from BICS, a Belgian company that offers interconnection services to mobile phone companies.

These services facilitate activities such as phone calls, roaming, and data transfer across different networks and services on a global scale.

TeleSign uses the acquired data to assign a "trust score" to each mobile phone user, ranging from 0 to 300. The company's clients can then use that score to make decisions about user access to their platforms.

For example, clients - which include TikTok, Salesforce and Microsoft - may choose to allow users to sign up directly or require SMS verification, depending on their score from TeleSign.

NOYB says TeleSign conducts verification for over five billion distinct phone numbers every month.

Belgian newspaper Le Soir first revealed the connection between TeleSign and BICS in March 2022, claiming that TeleSign was engaged in the profiling of millions of phone users worldwide.

BICS operates across more than 200 countries and has access to significant information about mobile phone users, including their call completion frequency, call duration, periods of prolonged inactivity and successful incoming traffic.

BICS acquired TeleSign in 2017. At the time BICS was itself under the partial control of the Belgian telecommunications giant Proximus.

Proximus became the sole owner of BICS, as well as TeleSign, in 2021.

NOYB has now implicated both Proximus and BICS in relation to the alleged data collection and profiling activities carried out by TeleSign.

Violating EU law

The privacy advocacy group alleges that TeleSign is in violation of GDPR regulations due to its use of automated profiling tools and the processing of EU citizens' personal data - in the USA - without obtaining their informed consent.

NOYB claims that EU citizens from different countries have exercised their rights under Article 15 of the GDPR, asking Proximus to provide records of the data processed by TeleSign.

NOYB's complaint further alleges that TeleSign and Proximus have violated the GDPR's Standard Contractual Clauses (SCC) by conducting subsequent data transfers that do not comply with their contractual obligations.

In response, NOYB is seeking a stop to all data transfers from BICS to TeleSign, a halt to data processing, and the deletion of unlawfully transmitted data.

The group is requesting that the Belgian data protection authorities impose fines on Proximus, with potential penalties reaching as high as €236 million. The company declared revenues of €5.9 billion, and net income of €450 million, in 2022.

TeleSign maintains that it is compliant with the law and has implemented a data privacy programme that adheres to global regulations such as the GDPR and the California Consumer Protection Act (CCPA).

"The company constantly reviews internal policies and practices to maintain compliance with the evolving regulatory landscape," it added.