Educational CyberPlayGround NetHappenings ∞/21M
https://edu-cyberpg.com
https://k12playground.com
https://RichAsHell.com
daily read https://twitter.com/cyberplayground
Hey, Hey, NRA, how many kids did you kill today?
Deutsche Telekom and T-Mobile USA privacy policies and practices
From: “Edward Hasbrouck” <edward [ @ ] hasbrouck.org>
Date: August 10, 2022 10:21:37 JST
T-Mobile subscribers and others who look to European companies for better privacy policies than their US competitors may be interested in my new report (based on research undertaken purely in my personal capacity, and not part of my work with any organization) on Deutsche Telekom and T-Mobile USA:
https://hasbrouck.org/blog/archives/002653.html
Excerpts:
With more than a hundred million subscribers in the USA, T-Mobile USA — the largest subsidiary of the German company Deutsche Telekom — collects more personal information about more people in the USA than any other U.S. subsidiary of a parent corporation based in the European Union. T-Mobile USA is thus the single most important test of the applicability to EU-based companies’ U.S. subsidiaries of European data protection rules and the privacy and data protection promises made by European multinational companies on behalf of their worldwide subsidiaries.
This matters because European laws and the stated policies of European companies like Deutsche Telekom typically claim to provide much better privacy protection than U.S. laws. People in the U.S. like me who care about privacy often chose to give our business to European companies, which often operate in the U.S. through subsidiary corporations they control, in order to obtain greater protection for our personal information than if we dealt with U.S.-based companies. But do these European companies practice what they preach?
This issue is spotlighted by my latest discover: Just as T-Mobile USA and lawyers for some of its customers have proposed a settlement of multiple class-action lawsuits growing out of a massive breach a year ago of poorly-secured personal data about current and past T-Mobile customers, I’ve uncovered what may be any even more significant pattern of fraudulent privacy claims and breach of privacy promises by both T-Mobile USA and its German corporate parent, Deutsche Telekom.
For many years, both Deutsche Telekom AG and its U.S. subsidiary T-Mobile USA, Inc. have been lying to customers about their privacy and data protection policies and practices.
I’ve relied on those promises, and assumed that — if I ever needed or wanted to do so — I would be able to exercise my access rights as a data subject in accordance with those policies. But now that I have a reason — because of T-Mobile’s own failure to secure my data — to seek access to the data about me held by T-Mobile (and obtained from them by hackers), T-Mobile has refused to comply with the policies advertised as applicable to it as a subsidiary of Deutsche Telekom, or to allow me to inspect most of the data it holds about me.
Let that sink in: T-Mobile allowed unknown and unauthorized third parties to obtain personal information about me, but now refuses to allow me to see or get a copy of the information about me that it allowed those third parties to have.
Deutsche Telekom claims that it isn’t “able” to compel its own U.S.
subsidiary, T-Mobile, to adopt or comply with Deutsche Telekom’s
purportedly “binding corporate rules” on privacy. This makes a mockery of the whole idea of “binding” corporate rules or contracts as a basis for compliance with privacy principles or for transfers of personal data between companies or across borders….
These actions appear to violate both U.S. and German laws against breach of contract, truth in advertising, and fraud. As discussed further below, they also raise significant questions as to the framework of “binding” contractual commitments which many other European companies have claimed as the legal basis for transfers of personal data not only to foreignsubsidiaries but also to unrelated companies abroad.
If, as Deutsche Telekom now claims (as detailed below), it is unable to compel even its own U.S. subsidiary, in which it holds a majority or at least controlling ownership interest, to comply with its “binding” promises and contractual commitments, the entire edifice of contracts and “binding corporate rules” as a basis for “adequate” privacy and data protection is a complete sham. I think Deutsche Telekom is simply lying. But if it is telling the truth, and it is really unable (perhaps due to some overriding non-public agreement) to compel compliance by T-Mobile USA, than any finding of “adequacy” for the protection of data transferred from the EU to a U.S. company on the basis of such unenforceable “commitments” must be reconsidered and rescinded. If Deutshce Telekom can’t make its own subsidiaries enforce its “binding” contractual commitments on its own subsidiaries, how can it be expected to enforce them on unrelated companies?
For Deutsche Telekom, this isn’t a secondary or minor issue. T-Mobile USA has more than a hundred million subscribers. That’s more than Deutsche Telekom has in Germany, and more than any other Deutsche Telekom subsidiary. The single most important test of Deutsche Telekom’s “Binding Corporate Rules Privacy” is whether they are applied to, and observed by, T-Mobile USA. And the single most important task for Deutsche Telekom’s privacy team is to make sure that the “Binding Corporate Rules Privacy” are adopted and complied with by T-Mobile USA.
With respect to personal privacy, the relationship between Deutsche Telekom and T-Mobile USA is the single most important relationship between an EU-based corporation and a subsidiary in the USA. It is rivalled, although probably not equalled, only by the relationships between the largest European automobile conglomerates and their U.S. subsidiaries.
This could be the most serious case exposed to date of failure to comply with, and/or to be able to obtain compliance with, “binding corporate rules” with respect to privacy and data protection. As such, it poses a profound challenge to the claims (fictions?) that have propped up continued transfers of personal data from the EU to the USA, despite the lack of any specific privacy or data protection law in the USA applicable to most commercial data.
The last message I got from Deutsche Telekom is, “We kindly ask you torefrain from further inquiries regarding this matter…. [W]e won’t answer further emails from you.” If you can help with legal advice, whistle-blowing, tips, or contacts for internal or external oversight or enforcement bodies with jurisdiction over these matters, please get in touch.
I have not only relied on promises by Deutsche Telekom and T-Mobile USA but have also recommended that others do so. Both companies have now given me their purportedly “final answer” that they will not act in accordance with these promises and policies. Deutsche Telekom says it won’t even discuss the issue with me any further. In these circumstances, I feel obligated to warn my readers now without further delay that they cannot and should not expect these companies to honor their privacy and data protection promises and policies.
With this dismissal of further dialogue, Deutsche Telekom and T-Mobile USA have left many questions unanswered. Since Deutsche Telekom says they won’t talk to me any more, I encourage other journalists to ask these questions.
More:
https://hasbrouck.org/blog/archives/002653.html
Best regards,
Edward Hasbrouck
—————-
Edward Hasbrouck
<edward [ @ ] hasbrouck.org>
<https://hasbrouck.org>
<https://twitter.com/ehasbrouck>
+1-415-824-0214 (voice/Signal)
Consultant to The Identity Project:
<https://papersplease.org>
Travel privacy, surveillance, civil liberties, & human rights
<https://hasbrouck.org/articles/travelprivacy.html>
Travel FAQ’s, “How-Tos”, & Explainers:
<https://hasbrouck.org/faq/>
The Practical Nomad blog:
<https://hasbrouck.org/blog/>
The Practical Nomad’s travel newsletter:
<https://hasbrouck.org/newsletter/>
“The Practical Nomad: How to Travel Around the World”
“The Practical Nomad Guide to the Online Travel Marketplace”
<https://practicalnomad.com>