Click here to subscribe to my free e-mail newsletter!

Monday, 22 August 2022

Deutsche Telekom "responds" to my complaint -- but not to me.

Deutsche Telekom has responded to my privacy complaint — not to me but to German journalist Matthias Monroy.

Earlier this month, I reported on the failure of Deutsche Telekom to make their U.S. subsidiary, T-Mobile USA, comply with their purportedly “binding corporate rules” on privacy, and the violation of a variety of laws in the European Union, Germany, and California by both Deutsche Telekom and T-Mobile USA.

T-Mobile — and, when I have been roaming in Germany, Deutsche Telekom — have collected, “shared”, and sold numerous categories of information about me — even such oddities as “olfactory information”, which I though only the Stasi collected. But both companies refuse to show me this information. Deutsche Telekom told me, most recently, “We kindly ask you to refrain from further inquiries regarding this matter… [W]e won’t answer further emails from you.”

Articles about this issue by Herr Monroy were published in Netzpolitik (in German) and in Herr Monroy’s blog (in English).

Deutsche Telekom did not respond to e-mail messages from Herr Monroy requesting comment before these articles were published. Several days after the articles were published, Deutsche Telekom contacted Herr Monroy, claiming that it had not received his messages and had not been given an opportunity to comment. Herr Monroy has updated his articles with comments from Deutsche Telekom.

Deutsche’s Telekom’s responses are, basically, bullshit.

According to Herr Monroy, “Deutsche Telekom justifies why T-Mobile US did not join the ‘Binding Rules’ and why Deutsche Telekom could not push for this with stock corporation law. ‘Shareholders of a listed company are not allowed to issue instructions to the company, and the same applies to the supervisory board. The company is managed exclusively by the board of management, which must be guided by the interests of the company,’ Telekom said.”

But a U.S. company like T-Mobile USA does not have a separate “supervisory board” and “management board”. That is a feature of German, not U.S., corporate structure. There is only one “board of directors” for a U.S. company.

Telekom also claimed to Herr Monroy that “it is also forbidden to enforce Deutsche Telekom’s interests ‘via members of the board of management who have been delegated, for example’.”

But there is no conflict between the interests of the two companies on this issue. Violating contractual promises creates legal and financial liabilities, damages the reputations, and is against the interests of both companies. A reputation for protecting personal data and for consistent good corporate behavior worldwide, throughout the conglomerate, is in the interests of both companies.

T-Mobile’s corporate governance rules require the approval of T-Mobile’s auditors for certain contracts between T-Mobile and Deutsche Telekom, to avoid improper “self-dealing”. But many contracts between T-Mobile and Deutsche Telekom have been approved, including agreements for roaming of Deutsche Telekom customers in T-Mobile territory and roaming of T-Mobile customers in Deutsche Telekom territory. The BCRP could also be approved, in the same manner, by the directors of T-Mobile designated by Deutsche Telekom.

Billing for roaming cellphone, SMS, and mobile Internet usage requires transfers of usage data between the two companies. The transfers to T-Mobile in the USA of data about me collected by Deutsche Telekom in Germany while I was roaming in Germany with a T-Mobile SIM with a U.S. telephone number are the strongest basis for my complaint to German data protection authorities pursuant to the EU General Data Protection Regulations (GDPR) and German law.

At a minimum, personal information about me collected in Germany by Deutsche Telekom, while I was roaming in Germany, is subject to the GDPR. Deutsche Telekom has failed to respond to my subject access request for this information. Deutsche Telekom transferred this data to the USA without having in place binding corporate rules or any other mechanism to ensure adequate protection for this data. Both the failure to respond to my subject access request and the transfer of this data to the USA without adequate protection are violations of the GDPR.

Finally, Deutsche Telekom claimed to Herr Monroy that T-Mobile USA complies with the California Consumer Privacy Act (CCPA). But T-Mobile has not complied with the CCPA. T-Mobile’s purported response to my subject access request includes almost none of the specific data in the categories it admits that it has collected. The response was largely unintelligible. Some of the withholding was unexplained, and some categories of data were not even mentioned. Some of the withholding was explained as being “for your protection”, which is not a permissible exception or basis under the CCPA for withholding of information.

I have made a complaint to the Office of the Attorney General of the State of California, which has jurisdiction to enforce the CCPA.

But the CCPA is not comparable to the GDPR. Unlike with a complaint under the GDPR to a data protection authority in the EU, the Attorney General of California does not have to disclose their decision, so I do not know whether they will act, or why they have not acted.

As is noted in the letter I received from the Attorney General’s office acknowledging my CCPA complaint, “you cannot sue businesses for most CCPA violations. Consumers may only file a lawsuit against a business if there is a data breach, and even then, only under limited circumstances.”

Issues related to subject access rights under the CCPA could have been raised in the pending class action lawsuits against T-Mobile USA. But so far as I can tell, subject access rights were not raised, and nothing in the proposed settlement would require T-Mobile to comply with subject access requests under the CCPA.

I thank Herr Monroy for obtaining this belated and bullshit “response” from Deutsche Telekom, confirming the company’s inability to provide a valid excuse for their actions. I continue to urge other journalists to ask questions about the issues this raises. And I continue to urge Deutsche Telekom and T-Mobile USA to keep their promises, comply with the laws in Germany and the USA, and show me all the data they have about me.

[Follow-up, 30 August 2022: I mentioned the problems with T-Mobile in my testimony to the Federal Trade Commission’s public forum on “Commercial Surveillance and Data Security”.]

[Follow-up, 12 October 2022: German data protection agency says visitors have no privacy rights]

[Follow-up, 3 December 2022: German data protection authority reaffirms that visitors have no privacy rights]

Link | Posted by Edward on Monday, 22 August 2022, 09:15 ( 9:15 AM)
Comments
Post a comment









Save personal info as cookie?








About | Archives | Bicycle Travel | Blog | Books | Contact | Disclosures | Events | FAQs & Explainers | Home | Mastodon | Newsletter | Privacy | Resisters.Info | Sitemap | The Amazing Race | The Identity Project | Travel Privacy & Human Rights

"Don't believe anything just because you read it on the Internet. Anyone can say anything on the Internet, and they do. The Internet is the most effective medium in history for the rapid global propagation of rumor, myth, and false information." (From The Practical Nomad Guide to the Online Travel Marketplace, 2001)
RSS 2.0 feed of this blog
RSS 2.0 feed of this blog
RSS 1.0 feed of this blog
Powered by
Movable Type Open Source
Movable Type Open Source 5.2.13

Pegasus Mail
Pegasus Mail by David Harris
Notices
Copyright © 1991-2024 Edward Hasbrouck (ORCID 0000-0001-9698-7556), except as otherwise noted. Caricature by Rhoda Draws, rhodadraws.com. Linking welcomed and encouraged, but reproduction permitted by permission only.

Use of any information obtained from this site for the purpose of sending unsolicited bulk e-mail or any SMS messages is expressly forbidden, and is a violation of your license to use this copyrighted material.