Article 20 March 2024

RDI Imposes Symbolic Penalty on Odido for Data Handling

Odido has been fined 175,000 euros by the National Digital Infrastructure Inspectorate (RDI) for improper processing of data. The processing took place as part of a collaborative project with Centraal Bureau voor de Statistiek (CBS). The statisticians wanted to gain insight into the movements of large groups of citizens around 2017.

The amount is this low because a judge found last summer that a fine was actually unnecessary. Originally, the RDI had a sum in the millions in mind. But the inspectorate had to admit that nothing showed the violation had led to serious consequences or to risks that materialized. Nor was it established that raw traffic data was provided to CBS.

However, the former Telecom Agency, which does not always operate smoothly (as in the conflict with Inmarsat over the satellite station in Burum), attached great importance to a public “punishment” in the form of a symbolic sum. To avoid further hassle, Odido accepted the 175,000 euro penalty.

Estimation

The telecom provider acknowledges having made a legal misjudgment of the Telecommunications Act, although no one was harmed. Instead of pseudonymizing the traffic data, the company formerly known as T-Mobile should have anonymized it. The decision was preceded by an internal legal discussion, whose outcome thus turned out to be incorrect. Because anonymization is more complex, the choice fell on the less far-reaching method of pseudonymization, replacing the IMEI number, a unique 15-digit identification number linked to a phone.

The data was needed to feed an algorithm that could provide information on the mobility of groups of citizens. Odido used the algorithm to process the traffic data into counts of large groups of people in an area. Traffic data contains privacy-sensitive information, such as the times of phone calls and the locations of callers. Odido may use this data for legally permissible purposes, such as its own billing. But the operator should not have processed this (raw) traffic data on a pseudonymized basis for CBS, the RDI said.

According to an Odido spokesperson, CBS never had access to the underlying traffic data. CBS employees were only shown the final results on Odido’s laptop screens and systems. This was done in the presence of Odido staff. Therefore, the issue is purely legal in nature. The breach lasted from the beginning of 2018 to the end of 2019. During this period, traffic data from approximately 2.5 to 4.5 million subscribers was used.

The cooperation project between Odido and CBS ended in early 2020. The RDI did not find any violations thereafter. CBS wanted to use the project to gain more insight into tourism and mobility in municipalities.

Source: Alfred Monterie for Computable.nl
