Tuesday, 9 August 2022

T-Mobile and Deutsche Telekom lie to customers


[Some of the categories of information about me that Deutsche Telekom’s U.S. subsidiary, T-Mobile USA, has collected, including “olfactory information” — but that neither T-Mobile USA nor Deutsche Telekom will allow me to see.]

With more than a hundred million subscribers in the USA, T-Mobile USA — the largest subsidiary of the German company Deutsche Telekom — collects more personal information about more people in the USA than any other U.S. subsidiary of a parent corporation based in the European Union. T-Mobile USA is thus the single most important test of the applicability to EU-based companies’ U.S. subsidiaries of European data protection rules and the privacy and data protection promises made by European multinational companies on behalf of their worldwide subsidiaries.

This matters because European laws and the stated policies of European companies like Deutsche Telekom typically claim to provide much better privacy protection than U.S. laws. People in the U.S. like me who care about privacy often chose to give our business to European companies, which often operate in the U.S. through subsidiary corporations they control, in order to obtain greater protection for our personal information than if we dealt with U.S.-based companies. But do these European companies practice what they preach?

This issue is spotlighted by my latest discovery, as discussed below: Just as T-Mobile USA and lawyers for some of its customers have proposed a settlement of multiple class-action lawsuits growing out of a massive breach a year ago of poorly-secured personal data about current and past T-Mobile customers, I’ve uncovered what may be an even more significant pattern of fraudulent privacy claims and breach of privacy promises by both T-Mobile USA and its German corporate parent, Deutsche Telekom.

For many years, both Deutsche Telekom AG and its U.S. subsidiary T-Mobile USA, Inc. have been lying to customers about their privacy and data protection policies and practices.

I’ve relied on those promises, and assumed that — if I ever needed or wanted to do so — I would be able to exercise my access rights as a data subject in accordance with those policies. But now that I have a reason — because of T-Mobile’s own failure to secure my data — to seek access to the data about me held by T-Mobile (and obtained from them by hackers), T-Mobile has refused to comply with the policies advertised as applicable to it as a subsidiary of Deutsche Telekom, or to allow me to inspect most of the data it holds about me.

Let that sink in: T-Mobile allowed unknown and unauthorized third parties to obtain personal information about me, but now refuses to allow me to see or get a copy of the information about me that it allowed those third parties to have.

Deutsche Telekom claims that it isn’t “able” to compel its own U.S. subsidiary, T-Mobile, to adopt or comply with Deutsche Telekom’s purportedly binding corporate rules on privacy. This makes a mockery of the whole idea of “binding” corporate rules or contracts as a basis for compliance with privacy principles or for transfers of personal data between companies or across borders.

What’s going on?

Almost exactly a year ago, T-Mobile confirmed reports that hackers had obtained personal information about tens of millions (the exact number remains unclear) of T-Mobile’s more than a hundred million current and former cellular phone, messaging, and Internet access customers.

I’m one of those T-Mobile customers, although I received no notice from T-Mobile until more than two months after T-Mobile learned that my data had been obtained from T-Mobile by unknown and unauthorized third parties.

In the past, I have recommended T-Mobile repeatedly to my readers in the USA, primarily on the basis of its relatively favorable tariffs for international travelers, but significantly, although secondarily, on the basis of its superior privacy and data protection policies and promises compared to those of its major competitors among U.S. cellular service providers.

As I’ve pointed out in explaining my (unpaid) endorsements of T-Mobile’s services for U.S.-based international travelers, T-Mobile’s more consumer-protective privacy and data protection policies, compared to its U.S. competitors, are related to the status of T-Mobile USA, Inc. (TMUS) as a subsidiary of the German multinational company Deutsche Telekom AG (DTAG). Deutsche Telekom is one of the two main privatized successors to the former German government post and telecommunications service. The telecom portion of that government agency became what is today Deutsche Telekom, while the postal portion became what is today DHL.

Privacy and data protection should give European (and Canadian) companies a competitive advantage over US-based companies, since these companies are required by the laws in their home countries to observe higher standards in their worldwide operations, including in the USA, than are required by U.S. privacy law (or the lack thereof). But few companies based in the EU or Canada advertise privacy as a competitive advantage in the U.S. market. And it’s not yet entirely clear when and to what extent EU or Canadian data protection law applies to U.S. subsidiaries of European or Canadian parent companies.

When I first signed up for cellphone service with T-Mobile in the U.S. in 2004, the U.S. division of T-Mobile was wholly owned by its German parent. Several restructurings later, Deutsche Telekom and T-Mobile USA have provided conflicting statements to me recently as to the percentage of T-Mobile USA stock owned or controlled by Deutsche Telekom. But both Deutsche Telekom and T-Mobile USA continue to claim publicly, as they have throughout the time that I have been a T-Mobile USA customer, that Deutsche Telekom owns or has voting control of the majority of T-Mobile USA stock and thus has a “controlling” interest in T-Mobile USA.

But in the course of trying (unsuccessfully) to find out what data about me was obtained from T-Mobile, in order to assess the threat and mitigate the damage from their data breach, I have discovered that T-Mobile USA refuses to comply with the policies that Deutsche Telekom claims apply to all members of the Telekom Group of companies worldwide, to the extent that Deutsche Telekom can require those companies to do so. And Deutsche Telekom refuses to compel T-Mobile USA to comply with the “binding” Telekom Group privacy policy, claiming inexplicably (and almost certainly falsely) that Deutsche Telekom is unable to use its ownership and/or voting control of the majority of T-Mobile USA stock to compel its U.S. subsidiary to comply with Telekom Group policies and promises.

These actions appear to violate both U.S. and German laws against breach of contract, truth in advertising, and fraud. As discussed further below, they also raise significant questions as to the framework of “binding” contractual commitments which many other European companies have claimed as the legal basis for transfers of personal data not only to foreign subsidiaries but also to unrelated companies abroad.

If, as Deutsche Telekom now claims (as detailed below), it is unable to compel even its own U.S. subsidiary, in which it holds a majority or at least controlling ownership interest, to comply with its “binding” promises and contractual commitments, the entire edifice of contracts and “binding corporate rules” as a basis for “adequate” privacy and data protection is a complete sham. I think Deutsche Telekom is simply lying. But if it is telling the truth, and it is really unable (perhaps due to some overriding non-public agreement) to compel compliance by T-Mobile USA, then any finding of “adequacy” for the protection of data transferred from the EU to a U.S. company on the basis of such unenforceable “commitments” must be reconsidered and rescinded. If Deutsche Telekom can’t make its own subsidiaries enforce its “binding” contractual commitments on its own subsidiaries, how can it be expected to enforce them on unrelated companies?

For Deutsche Telekom, this isn’t a secondary or minor issue. T-Mobile USA has more than a hundred million subscribers. That’s more than Deutsche Telekom has in Germany, and more than any other Deutsche Telekom subsidiary. The single most important test of Deutsche Telekom’s “Binding Corporate Rules Privacy” is whether they are applied to, and observed by, T-Mobile USA. And the single most important task for Deutsche Telekom’s privacy team is to make sure that the “Binding Corporate Rules Privacy” are adopted and complied with by T-Mobile USA.

With respect to personal privacy, the relationship between Deutsche Telekom and T-Mobile USA is the single most important relationship between an EU-based corporation and a subsidiary in the USA. It is rivalled, although probably not equalled, only by the relationships between the largest European automobile conglomerates and their U.S. subsidiaries. This could be the most serious case exposed to date of failure to comply with, and/or to be able to obtain compliance with, “binding corporate rules” with respect to privacy and data protection. As such, it poses a profound challenge to the claims (fictions?) that have propped up continued transfers of personal data from the EU to the USA, despite the lack of any specific privacy or data protection law in the USA applicable to most commercial data.

My investigation is continuing, with or without cooperation from Deutsche Telekom.

The last message I got from Deutsche Telekom is, “We kindly ask you to refrain from further inquiries regarding this matter…. [W]e won’t answer further emails from you.” It’s not entirely clear whether this is intended to foreclose or discourage appeals to their internal compliance and oversight bodies, although on its face it appears to do so. If you can help with legal advice, whistle-blowing, tips, or contacts for internal or external oversight or enforcement bodies with jurisdiction over these matters, please get in touch.

I have not only relied on promises by Deutsche Telekom and T-Mobile USA but have also recommended that others do so. Both companies have now given me their purportedly “final answer” that they will not act in accordance with these promises and policies. Deutsche Telekom says it won’t even discuss the issue with me any further. In these circumstances, I feel obligated to warn my readers now without further delay that they cannot and should not expect these companies to honor their privacy and data protection promises and policies.

I would still welcome a chance to meet with whomever is responsible for these decisions, or for oversight of compliance with U.S. and German law, at Deutsche Telekom and/or T-Mobile USA. I would especially welcome a chance to talk to any of the members of the Supervisory Board of Deutsche Telekom, including the members of the Supervisory Board representing the Deutsche Telekom “works councils”. Pursuant to German law, each member of the Supervisory Board has a personal responsibility to assure that the company complies with the law, and to take action to bring it into compliance if it does not.

I began this project as a personal attempt to protect my own data. Normally, at this point I would seek to interview a spokesperson for Deutsche Telekom. Since the company has told me they won’t talk to me any more, I’ve included extensive excerpts from my correspondence with T-Mobile and Deutsche Telekom to avoid any accusation of quoting out of context or denying them a chance to state their positions. I remain eager to interview their corporate decision-makers and their corporate officers responsible for legal compliance.

As of now, here’s what I know about what happened, what I’ve been told by both companies, and what this means for consumers:

As a T-Mobile customer for almost 20 years, I was worried when I first heard news about the T-Mobile data breach in August 2021. But in a blog post on 27 August 2021, Mike Sievert, CEO of T-Mobile, said that, “As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised.” Having heard nothing by then from T-Mobile, I assumed that I was not among those customers whose data T-Mobile knew or suspected to have been exfiltrated.

But two months later I received this curious notice from T-Mobile dated 22 October 2021:

On August 17, 2021, T-Mobile learned that a bad actor illegally accessed personal data from T-Mobile systems, to which the criminal gained access on or before July 19, 2021…. [W]e have determined that unauthorized access to your personal information has occurred, including your name, driver’s license/ID information, date of birth, and Social Security number.

Why wasn’t I notified until almost two months after T-Mobile had “notified just about every current T-Mobile customer or primary account holder who had data… compromised”? I still have no clue.

I was puzzled by some of the categories of data mentioned in the notice.

I can imagine that I might have (grudgingly) shown a driver’s license or some other ID when I applied for an account with T-Mobile, although I don’t remember doing so. But even if T-Mobile wanted that information to run a credit check, the company would have had no legitimate business need to retain that information more than 15 years later.

I would have had even less reason (or willingness) to provide any business with my Social Security number.

One of my first steps in assessing the threat and mitigating the damage posed by the data breach was, as yours should be in any such circumstances, to request a complete copy of the data about me held by the company and an accounting of what data had been disclosed.

Although the notice had a section on “What you can do”, it didn’t say anything about how to request a copy of the data about me held by T-Mobile or an accounting of what data had been disclosed.

But for as long as I had been a T-Mobile customer I had known that T-Mobile was and is, as discussed further below, a subsidiary of the German telecom giant Deutsche Telekom, and that Deutsche Telekom had promised that all the subsidiaries that it could control, which included and still includes T-Mobile, would grant customers more contractual rights to access their personal data than would otherwise be required by (generally nonexistent) U.S. privacy or data protection law.

So I contacted T-Mobile on 26 October 2021, as soon as I received the data breach notice, to request a complete copy of the personal data about me held by T-Mobile, and an accounting of what data had been disclosed.

I had some idea of what to expect that I would (or at least should) receive. In 2011, the German newspaper “Die Zeit” published an interactive graphic visualization of the location, messaging, and call log data obtained from T-Mobile’s German parent company Deutsche Telekom by the German Green politician and privacy activist Malte Spitz. Herr Spitz also gave interviews and a TED talk in 2012 about the data Deutsche Telekom provided in response to his subject access request. Herr Spitz had to sue before he received most of the information to which he was entitled, but I figured that Deutsche Telekom had learned its lesson. And I assumed that T-Mobile collected at least as much information today about its U.S. customers as Deutsche Telekom did ten years ago about its German customers.

On 1 November 2021, after jumping through some unnecessarily convoluted technical and bureaucratic hoops, I received a “response” to my access request in the form of a 46-page PDF file. It was obviously incomplete, largely incomprehensible in the absence of field definitions, and raised more questions than it answered. The snapshot below is a representative, unredacted sample of its contents:

I wrote back to T-Mobile’s privacy office (“privacy@t-mobile.com”) and Chief Privacy Officer Kelsey Joyce (“kelsey.joyce@t-mobile.com”) on 20 November 2021, as follows:

On 26 October 2021 I received a letter from T-Mobile dated 22 October 2021, headed “NOTICE OF DATA BREACH”.

This letter stated that, “we have determined that unauthorized access to your personal information has occurred, including your name, driver’s license/ID information, date of birth, and Social Security number.”

I found this notice surprising, since I have no memory of providing my driver’s license/ID information or Social security number to T-Mobile. While I can imagine that I might (reluctantly), if I had been told that it was a condition of obtaining services from you, have provided such information for one-time use in conducting a credit check, you would have no legitimate reason to have retained this information.

In order to mitigate the risks created by this data breach, and to determine which information held by you I would ask you to expunge, I promptly requested a copy of all of my personal information from you….

In response, I was provided with a 46-page PDF file, “render_[redacted].pdf”.

This “response” is both incomplete and incomprehensible.

The data in the file appears to have been extracted from some sort of database, but it includes no explanation of the field labels or values, making it impossible to know what much of the coded data means.

The response does not appear to include my driver’s license/ID information or Social Security number, although your breach notice told me you had this information in your records and that it had been disclosed.

The PDF includes a list of categories of personal information about me held by you, most of which are not included in the response PDF.

According to the PDF you provided in response to my request, “A report with specific pieces of personal data we hold about you is attached. For your protection, we are not including full responses for sensitive personal data, such as your Social Security Number or credit card number, but the report will indicate when we hold such data. Similarly, we are not including other sensitive network or business records that may reflect the network activities for you or others using your account, such as websites visited, viewing history and location history. Certain billing related activity, such as calls made and received, may be available through your online account depending on your account type and relationship with the person responsible for the account.”

Your claim that your failure to disclose, on my request, the personal data about me which you hold is [“for your protection”] is untrue, irrelevant, and insulting.

Untrue, because I can best mitigate the damage from potential future data breaches if I know what information you hold and might disclose, and can request you to expunge data which you should not be holding.

Irrelevant, because your obligation to disclose to me, on request, the personal information about me which you hold, is not limited by whether you think that you would be “protecting” me by withholding some of it.

Insulting, because, having admitted to having disclosed personal information about me to as-yet-unknown third parties, you are now withholding that same information about me from me, the data subject.

My request was not limited to selected data. In fact, the Web-based system to which I was directed to make my request provided no option to specify which data was requested. You had no basis for construing as a qualified request a request that neither was nor could be qualified.

I reiterate my request for all personal data about me held by you, including but not limited to billing records, customer service records (whether in text form or audio recordings of customer service calls), call records, mobile data records, cell tower records, roaming records, location records, biometric information, and records of my driver’s license/ID information and Social Security number.

I request that all of this information be provided in readily understandable form. I request that database extracts or other tabular data be provided in non-proprietary database or tabular format, so that I can readily import it into other data analytics software, and that it be accompanied by field definitions and field value coding schema.

Feel free to contact me if you would like to discuss how most usefully and comprehensibly to provide the information I have requested.

In response, I received the following message on 24 November 2022:

Thank you for contacting the T-Mobile Privacy Team.

For your protection, we do not include full responses for sensitive personal data, such as your Social Security Number or credit card number. Similarly, we do not include other sensitive network or business records that may reflect the network activities for you or others using your account, such as websites visited, viewing history and location history. At this time, T-Mobile does not provide this information.

Sincerely,

The T-Mobile Privacy Team

After I requested that Deutsche Telekom intervene, I eventually received the following message on 30 March 2022 as the “final answer” from T-Mobile USA to my request:

We are writing to bring a resolution to your inquiry with the T-Mobile Privacy Office about concerns related to our response to your DSAR [data subject access request] request. We welcome the chance to clarify the information and our privacy practices.

T-Mobile’s Privacy Notice explains how T-Mobile and our subsidiaries and representatives collect, use, share, and protect your personal data. It also provides you with important information about your personal data choices. This Privacy Notice, and not that of Deutsche Telekom, applies to US-based customers and consumers of T-Mobile services.

As our access report reflects, we do process certain sensitive personally-identifiable information about you; however, for your protection, and consistent with the California Consumer Privacy Act, we have redacted from our access report certain personal identifiers such as your Social Security Number or credit card number. The reason for this is to protect you against fraudulent or illegal activity if your access report is viewed by any unauthorized person….

Finally, we understand that you also requested copies of all call recordings between you and T-Mobile. Please know that not all calls are recorded and those that are recorded are for quality and training purposes. To the extent that we do have recorded calls between you and T-Mobile, release of those recordings is done only upon receipt of a validly issued subpoena or court order which can be faxed to our Legal and Emergency Response Group at 973-292-8697. T-Mobile appreciates your understanding and your business as a T-Mobile customer.

Respectfully,

Sheila Dedeaux (She/Her/Hers)
Sr. Manager, Privacy Compliance
12502 Sunrise Valley Drive
Reston, VA 20191
(703) 926-0402

This wasn’t what I expected. I was, and I am, legally entitled to more.

I’ve been a customer of T-Mobile since early 2004. Before I switched to T-Mobile, I researched their privacy policies and which laws applied to their policies and practices. I don’t always read all the fine print before I sign a contract, but I read more of it than most people. In an e-mail message to “privacy@t-mobile.com” on 17 February 2004, shortly after I opened my account, I noted that:

My account contact information is provided solely for billing (by postal mail) purposes, and on condition that it will be used exclusively for that purpose and not for any marketing purpose, by T-Mobile or anyone else, and that you will not disclose it to anyone else except for purposes of fulfillment of my service requests. A major factor in my choice of mobile phone carrier was your status as a subsidiary of a company based in the European Union, and subject to the EU Data Protection Directive.

I got a response on 26 February 2004 from the same e-mail address, signed only “T-Mobile Privacy”, acknowledging my message and concluding, “Thank you for choosing T-Mobile.”

If T-Mobile thought I had misunderstood their advertisements, legal status, or obligations under EU law, they had an opportunity to correct any misimpressions. But they said nothing to dispute what I said, even when I put them on notice that it was part of what I relied on as the basis for my decision to enter into (and remain in) a contract with them.

Since then, the ownership structure of the “Deutsche Telekom Group” has changed several times. But I’ve never received any notice repudiating T-Mobile’s status as a subsidiary of Deutsche Telekom.

Both the T-Mobile and Deutsche Telekom Web sites continue to confirm explicitly that T-Mobile is a subsidiary owned and controlled by Deutsche Telekom.

In its profile of the Chairman of T-Mobile’s Board of Directors, T-Mobile’s Web site says that Deutsche Telekom is “T-Mobile’s majority stockholder”:

Timotheus Höttges has served as a director of T-Mobile and chairman of the board since April 30, 2013…. Since January 2014, Mr. Höttges has served as chief executive officer of Deutsche Telekom, T-Mobile’s majority stockholder.

Deutsche Telekom’s Web site says that the “Stake held by Deutsche Telekom (directly/indirectly)” in T-Mobile USA is 64.78%:

I’m not sure about the percentage, although it seems oddly precise to be completely wrong. But I believe that the statement that Deutsche Telekom is the “majority stockholder” of T-Mobile USA is true (at least if it includes both direct and indirect ownership and voting rights).

Does it matter if these statements — which have been a feature of both the Deutsche Telekom and T-Mobile USA Web sites and public statements since before I became a T-Mobile customer — might not have been correct, or might no longer be correct? And does it matter if the EU General Data Protection Regulation (GDPR), the successor to the EU Data Protection Directive in effect when I became a T-Mobile customer, might not apply to less-than-100%-owned foreign subsidiaries of EU-based companies?

I’ve seen a lot of discussion of whether the GDPR applies to subsidiaries in the EU of U.S.-based parent companies, but much less discussion of the reverse: Does the GDPR apply to the activities of subsidiaries in the USA or other non-EU countries of EU-based parent companies? I invite comments and feedback on this important legal question. As I noted earlier, T-Mobile USA is the single most important test of the applicability of the GDPR to U.S. subsidiaries of EU companies.

None of this matters in this case, though. Regardless of whether the GDPR applies to T-Mobile USA, T-Mobile and Deutsche Telekom are still contractually bound by the statements they made to current and potential customers to induce them to become and remain customers.

These statements were made with the intention that customers would believe them and rely on them. These statements were intended to help induce customers to sign up with T-Mobile, by reassuring them that “T-Mobile” (then small, new, and relatively unknown in the USA) was in fact part of a large, established, German company. “German” quality, reliability, stability, and management are selling points for products and services that command a premium price today in the USA, as in Germany itself and much of the rest of the world. And “Deutsche Telekom” is, and is intended to be, a brand that connotes certain values and denotes commitment to certain policies — not least its privacy policy binding on all its subsidiaries to the extent that Deutsche Telekom is “able” to enforce it.

If the “German” and “a subsidiary of Deutsche Telekom” marketing label for T-Mobile USA in these official corporate statements wasn’t true and/or isn’t true any more, making these statements and/or continuing to make them was and/or is fraud.

Having made these promises to consumers, failing to keep them would be breach of contract.

Even if Deutsche Telekom and T-Mobile USA were to retract and repudiate these statements, and notify their customers that they had done so, they would still be bound by them with respect to the time during which they were in effect and the data collected then on the basis of customers’ reliance on these statements.

This is all especially important because, in the absence of privacy or data protection law governing most collection and use of personal information by U.S. entities, “binding corporate rules” and enforcement of general prohibitions on “fraud” and “breach of contract” are the (purported) legal basis for most transfers of personal data from the European Union to the USA. U.S. data protection law is “adequate”, this argument goes, because as long as a U.S. entity promises and makes a contractual commitment to respect certain rights and comply with certain policies, it can be legally compelled to do so.

What exactly is it that Deutsche Telekom has promised (and continues, to this day, to promise)?

According to the publicly stated Binding Corporate Rules Privacy of Deutsche Telekom:

The Binding Corporate Rules Privacy shall be binding with regard to the processing of personal data… by all Deutsche Telekom Group companies which have adopted them on a legally binding basis. The Binding Corporate Rules Privacy shall also be binding on all companies that can be required by Deutsche Telekom to adopt them and on all companies that have adopted them on a voluntary basis, regardless of where data is collected…. The Binding Corporate Rules Privacy shall apply to all types of personal data processing within the Deutsche Telekom Group, regardless of where the data is collected.

By their own terms, these rules are “binding” on all companies that either (1) “can be required by Deutsche Telekom to adopt them” or (2) “have adopted them on a voluntary basis”. It’s obvious that, when Deutsche Telekom is majority or controlling stockholder of a subsidiary, Deutsche Telekom can require that subsidiary to comply with these or any other rules that don’t violate local laws in the subsidiary’s home country. The Deutsche Telekom BCRP isn’t required by U.S. law (except to the extent that a company has contractually committed itself to it, as T-Mobile has done by holding itself out as a subsidiary owned and controlled by Deutsche Telekom), but complying with the BCRP wouldn’t violate U.S. law. By the explicit and unambiguous terms of the BCRP, if Deutsche Telekom can require T-Mobile USA to adopt the BCRP, Deutsche Telekom must require T-Mobile USA to do so. And the BCRP are thus binding on both Deutsche Telekom and T-Mobile USA.

With this in mind, my next step was to write again to Deutsche Telekom:

Subject: Request to compel T-Mobile USA to comply with Binding Corporate Rules
Date sent: Wed, 30 Mar 2022 14:51:19 -0700

As a customer of T-Mobile USA, a member of the Deutsche Telekom Group, I have received the message below from T-Mobile USA in response to my subject access request for all records pertaining to me held by T-Mobile.

My request includes, but is not limited to, location data, biometric data, call and billing records, mobile data records, and call recordings.

I am writing again to request that you compel T-Mobile USA to provide the information I have requested, in accordance with your promises.

Both T-Mobile USA and Deutsche Telekom have represented to customers and potential customers, and continue to represent to us, that T-Mobile USA is a member of the Deutsche Telekom Group. Deutsche Telekom has represented, and continues to represent, that all members of the Deutsche Telekom Group will comply with the “Binding corporate rules for the protection of personal rights in the handling of personal data within the Deutsche Telekom Group” (some previous versions of which were titled, “Code of Conduct for the Protection of the Individual’s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group”).

Your explicit, written commitment to provide customers with subject access rights beyond what would otherwise (in the absence of such a promise) be required by US law is, and has always been, a major selling point and factor distinguishing you from your US competitors. It was a major factor in my choice of T-Mobile and my continuing choice to remain a customer.

T-Mobile USA and Deutsche Telekom made these representations intending that customers would rely on them, and I have relied on them. As a result, you are contractually obligated to honor these promises.

I thank you for choosing to bind yourselves to a higher standard than your competitors. Now I am asking you to keep that promise.

Your “Binding Corporate Rules Privacy” provide, inter alia:


§ 22 Right of access

(1) Data subjects shall be entitled at any time to contact any company processing their data and request the following information:

a) the personal data held on them, including its origin and recipient(s);

b) the purpose of processing;

c) the persons and controllers to whom/which their data is or have been transferred, particularly if the data is transferred to a third country;

d) the provisions of these Binding Corporate Rules Privacy.

(2) The relevant information is to be made available to the data subject in an understandable form within a reasonable period of time.


However, according to the latest message I received from T-Mobile USA, as copied below, T-Mobile USA is unwilling to provide most of the information I requested and to which I am entitled by your policy.

T-Mobile USA claims that it has withheld from me the information pertaining to me that I requested, to “protect” me.

This is false, insulting, contrary to data protection best practices, and legally insufficient as a basis for withholding of my personal data.

It is false, because I have offered to come to a T-Mobile facility to inspect and copy these records on your premises, to avoid any risk that you might be held responsible for any “leakage” of data in transmission to me. I am also willing to waive any objection to your providing access to me to personal information pertaining to myself.

It is insulting, because it suggests that you know better than me — despite your recent massive leak of personal data — how to protect me.

It is contrary to privacy and data protection best practices, because sensitive data is the most important data for data subjects to be able to obtain, especially in order to mitigate the damage from a data breach.

And it is legally insufficient, because the “Binding Corporate Rules Privacy” do not make or permit an exception to subject access rights for this or any other category of personal information.

When I became a T-Mobile customer, I relied on knowing that T-Mobile USA was committed to comply with the policies of the Deutsche Telekom Group, including in particular your Group privacy and data protection policies.

I have continued to rely on these promises….

T-Mobile USA now says that: “T-Mobile’s Privacy Notice … and not that of Deutsche Telekom, applies to US-based customers and consumers of T-Mobile services.”

Since T-Mobile USA is unwilling to keep its promise, I must again ask Deutsche Telekom to take prompt, effective action — as you have promised to do, and as I have counted on you to do if it ever became necessary — to compel T-Mobile USA to act in accordance with your Binding Corporate Rules Privacy by providing me with the information I have requested.

If T-Mobile USA wishes no longer to continue to make this promise with respect to information collected in the future, it is of the utmost importance and urgency to provide prompt, prominent notice of that change to all T-Mobile USA customers, before any change takes effect.

I hope, of course, that T-Mobile USA will not seek to make such a change, and that if it does, Deutsche Telekom will not permit it to do so.

But even if such a change is made, it would have no effect on my pending subject access request or my rights with respect to data already collected. As your Binding Corporate Rules Privacy state explicitly:


§ 4 Expiry and termination

These Binding Corporate Rules Privacy shall cease to be binding on a company if it leaves the Deutsche Telekom Group or invalidates these rules. However, the expiry or invalidation of the Binding Corporate Rules Privacy shall not release the company from the obligations and/or provisions of the Binding Corporate Rules Privacy governing the processing of data already transmitted.


If you have any questions, or would like to discuss the best way to provide me with access to the information I have requested, I would be happy to discuss this matter by phone or in a virtual meeting.

Deutsche Telekom responded on 12 April 2022:

From our point of view, we can clarify the following:

  • With our global data privacy organization, we are constantly working to provide a transparent and high level of data privacy in all our companies. As far as legally possible, the companies of the Deutsche Telekom Group have also committed themselves to the Binding Corporate Rules Privacy, which are designed to ensure a uniformly high level of data privacy for our products and services.
  • T-Mobile is an independent stock corporation and complies with the laws and data privacy regulations that apply in the United States.
  • In accordance with its § 1, the Binding Corporate Rules Privacy apply to all companies of the DT [Deutsche Telekom] Group that have subscribed to it.
  • In view of the circumstances under stock corporation law, T-Mobile US has not subscribed to it.
  • Thus, the Binding Corporate Rules Privacy (and the mentioned paragraphs in your message) do not apply to T-Mobile US.

Best regards,

Group Privacy

As I noted in my immediate reply to Deutsche Telekom on 12 April 2022:

This statement cites to only a portion of § 1 of the Binding Corporate Rules Privacy. This section of the BCRP continues, “The Binding Corporate Rules Privacy shall also be binding on all companies that can be required by Deutsche Telekom to adopt them.” [emphasis added]

Both Deutsche Telekom and T-Mobile USA have represented, and continue to represent, that T-Mobile USA is a “subsidiary” of Deutsche Telekom. One of the most important implications of these representations, on which I have relied, was that Deutsche Telekom could and can require T-Mobile USA, as its subsidiary, to comply with your Binding Corporate Rules Privacy.

As a subsidiary of Deutsche Telekom, T-Mobile USA “can be required by Deutsche Telekom” to adopt and comply with the BCRP. T-Mobile USA must, of course, comply with US law. But it can also comply with the BCRP. The BCRP does not require T-Mobile USA to take any action prohibited by US law, and I have not requested that T-Mobile USA take any action to fulfill my data subject access rights that would be prohibited by US law.

Deutsche Telekom has promised that it would, if it can, “require” its subsidiaries and members of the Telekom Group in which it holds a controlling interest, including T-Mobile USA, to adopt the BCRP.

Deutsche Telekom is both able and obligated to keep this promise.

I request that, in accordance with the commitments made by both Deutsche Telekom and T-Mobile USA, and in accordance with your BCRP, Deutsche Telekom exercise its authority as the controlling shareholder of T-Mobile USA to compel T-Mobile USA to (1) adopt the BCRP, and (2) comply with the BCRP by providing me with access to all of the information which I have requested in my pending data subject access request.

I look forward to prompt action by Deutsche Telekom to bring T-Mobile USA into compliance with your BCRP, as you have promised to do and as I have relied on you to do if it ever became necessary — as apparently it now has.

I reiterate my availability to discuss this matter by phone or in a virtual meeting, and I again apologize that I do not speak or read German. You can reach me by e-mail or by phone in San Francisco (or wherever I am, which you know if T-Mobile tracks my phone’s location).

In response, Deutsche Telekom repeated their previous statement verbatim, without further explanation. I wrote back on 13 April 2022:

Thank you for your message.

However, your message is unresponsive to my request.

Your message considers only the first of two clauses in section 1 of your BCRP, and ignores the applicable second clause, “The Binding Corporate Rules Privacy shall also be binding on all companies that can be required by Deutsche Telekom to adopt them.”

Your statement that, “Thus, the Binding Corporate Rules Privacy (and the mentioned paragraphs in your message) do not apply to T-Mobile US” is clearly false, in terms of the clause I cited.

As the controlling shareholder of T-Mobile USA, Deutsche Telekom can require T-Mobile USA to adopt these rules. Pursuant to your BCRP, Deutsche Telekom therefore must require T-Mobile USA to adopt them.

I again request that Deutsche Telekom take action to fulfill the promise you have made to Telekom Group customers worldwide, and that I have relied on.

In its response on 14 July 2022, Deutsche Telekom merely reiterated their claim to be unable to enforce their “binding” corporate rules on their own subsidiaries:

From a legal perspective, since TM [T-Mobile] US is an independent stock corporation, we as Deutsche Telekom cannot require TM US to adopt the BCRP.

At this point I was beginning to wonder whether the underlying problem might be that Deutsche Telekom no longer owns a controlling share of T-Mobile. So on 14 July 2022 I asked:

(1) Is the claim made on both the T-Mobile USA and Deutsche Telekom Web sites, and on which I and other customers have relied, that Deutsche Telekom is the controlling stockholder of T-Mobile USA, not correct?

(2) As the controlling stockholder of T-Mobile USA, is not Deutsche Telekom able to compel T-Mobile USA to take action?

If this claim is false, it is of course deeply deceptive and fraudulent, since customers like myself have relied on it (as you undoubtedly intended that we would).

If it is not correct, it is of the utmost importance for both Deutsche Telekom and T-Mobile USA to correct it, and to notify your customers that this claim, on which they have relied, is false.

In addition, even if your promises to customers that they could rely on T-Mobile USA to act as a member of the Deutsche Telekom Group controlled by Deutsche Telekom as its controlling stockholder were false, you are both bound by those promises made by both Deutsche Telekom and T-Mobile USA.

However, I believe that the claim you have both made, and which you both continue to make on your current Web sites, is correct.

Please confirm whether Deutsche Telekom is, or is not, the controlling stockholder of T-Mobile USA.

The response from Deutsche Telekom on 15 July 2022 was as follows, in its entirety:

As already communicated to you with our previous response, we as Deutsche Telekom cannot require TM [T-Mobile] US to adopt the BCRP, since TM US is an independent stock corporation.

When I pointed out that this message didn’t answer the specific questions I had asked, I got the following detailed but largely irrelevant follow-up message on 27 July 2022:

TMUS [T-Mobile USA] became a publicly traded company in 2013 with a significant stockholder, DTAG [Deutsche Telekom AG], following a business combination with MetroPCS Communications, Inc.; however, TMUS is an independent stock corporation and committed to Good Corporate Governance to promote the long-term interests of ALL stockholders.

Since Deutsche Telekom and SoftBank hold approximately 46.6% and 4.9%, respectively, of TMUS shares, and pursuant to the Proxy Agreements ((1) entered between DTAG and SoftBank; (2) entered between DTAG and Marcelo Claure/Claure Mobile LLC) DTAG has voting control over approximately 51.9% of the outstanding shares of TMUS’s common stock (including approximately 0.4% and 4.9% held by Claure Mobile and SoftBank, respectively), TMUS is deemed a “controlled company” under the NASDAQ Stock Market LLC rules.

These rules exempt “controlled companies” (TMUS) from certain corporate governance requirements including: (i) that a majority of our Board be independent, (ii) that our Nominating and Corporate Governance Committee be composed entirely of independent directors, and (iii) that our Compensation Committee be composed entirely of independent directors.

Moreover, pursuant to the Second Amended and Restated Stockholders’ Agreement TMUS entered into with DTAG and SoftBank on June 22, 2020, TMUS granted certain governance and other rights to DTAG and SoftBank, and each of DTAG and SoftBank agreed to certain restrictions. In September 2021, the Stockholders’ Agreement generally terminated with respect to SoftBank (when SoftBank ceased to hold at least 5% of the voting percentage of the outstanding stock of TMUS).

The rights and restrictions applicable to DTAG under the Stockholders’ Agreement are outlined in the Notice of the Annual meeting of the Stockholders & Proxy Statement of TMUS.

In view of the above, DTAG is not able to compel T-Mobile USA to take action and adopt the BCRP.

Thank you for your understanding.

Best regards,

Group Privacy

What’s that supposed to mean? As I noted in my reply on 27 July 2022:

If Deutsche Telekom has voting control over 51.9% of T-Mobile USA stock, why is Deutsche Telekom not “able” to compel T-Mobile USA to take action and adopt the BCRP?

Your message seems only to confirm and clarify that Deutsche Telekom is, in fact, “able” to compel T-Mobile USA to adopt the BCRP.

Pursuant to the BCRP, if Deutsche Telekom is able to compel T-Mobile USA to adopt the BCRP, Deutsche Telekom is required to do so.

I again request that Deutsche Telekom, as controlling shareholder of T-Mobile USA, compel T-Mobile USA to adopt and comply with the BCRP.

The seemingly “final answer” to me from Deutsche Telekom came on 1 August 2022:

The rights that DT can exercise against TMUS result from many different aspects, in particular from the overall context, and not from individual passages you extracted.

We have already described the overall context to you in the previous e-mail. We are happy to repeat…

In view of the above, DTAG is not able to compel T-Mobile USA to take action and adopt the BCRP.

We kindly ask you to refrain from further inquiries regarding this matter. Since we have discussed all aspects several times, we won’t answer further emails from you.

Thank you for your understanding.

All the best,

Group Privacy

With this dismissal of further dialogue, Deutsche Telekom and T-Mobile USA have left many questions unanswered. Since Deutsche Telekom says they won’t talk to me any more, I encourage other journalists to ask these questions:

Is Deutsche Telekom lying to U.S. data subjects about their ability to control their U.S. subsidiary? Or have they been lying to EU authorities about their ability to ensure compliance with their “binding corporate rules”?

What information does T-Mobile USA really have in their records about me and a hundred million other customers? Will they ever let us see their files about us?

If not, will Deutsche Telekom and/or T-Mobile USA be subjected to enforcement action or sanctions by U.S., EU, or German authorities? Individuals shouldn’t have to sue to enforce their rights. This ought to be a matter for the “fraud squad” to prosecute.

If law enforcement authorities don’t take action, will this make Deutsche Telekom and/or T-Mobile USA the target of new private actions for fraud and/or breach of contract? Will this derail the proposed settlement of the data breach class action lawsuits against T-Mobile, or lead to the addition of new claims?

Is there anything I or other customers can do to hold either or both of these companies accountable? Or does this just confirm that U.S. companies — including subsidiaries of EU companies that have promised to hold themselves and their subsidiaries to higher standards than would otherwise be required by U.S. law — can violate the privacy and data protection rights of U.S. data subjects with impunity?

I welcome your assistance as I continue to pursue these inquiries. I continue to invite dialogue with T-Mobile USA and Deutsche Telekom.

[Update, 19 August 2022: My complaint to the “Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen”, the data protection authority for the German state of North Rhine-Westphalia, which includes the city of Bonn where Deutsche Telekom’s headquarters is located as a holdover from when Deutsche Telekom was a government agency and the Federal capital was in Bonn.]

[Follow-up, 22 August 2022: Deutsche Telekom “responds” to my complaint — but not to me.]

[Follow-up, 30 August 2022: I mentioned the problems with T-Mobile in my testimony to the Federal Trade Commission’s public forum on “Commercial Surveillance and Data Security”.]

Link | Posted by Edward on Tuesday, 9 August 2022, 06:46 ( 6:46 AM)
Comments

Wolfie Christl on Twitter:

https://twitter.com/WolfieChristl/status/1557085149627666434

@WolfieChristl

Very interesting read, @ehasbrouck was affected by a data breach and accuses T-Mobile US of fraudulent privacy claims because it doesn't allow him to see his own data as promised in the 'Binding Corporate Rules' by its controlling owner, Deutsche Telekom.

This raises several questions. I think the German public must discuss how Deutsche Telekom and its subsidiary T-Mobile US process personal data about 100+ million people in the US, not least because the German state aka German citizens still own a large chunk of Deutsche Telekom.

Deutsche Telekom's "Binding Corporate Rules Privacy" grant consumers rights such as the "right of access".

They "shall be binding with regard to processing of personal data… by all Deutsche Telekom Group companies" that "can be required" to adopt them:

https://telekom.com/resource/blob/323318/ce2bab699cb8cb249bd66fa2d905e956/dl-binding-corporate-rules-privacy-data.pdf

According to correspondence published by @ehasbrouck in his article, Deutsche Telekom claims that it is "not able to compel" T-Mobile US to "adopt" the Binding Corporate Rules Privacy, even though it confirms it has voting control over 51.9% of shares of T-Mobile US common stock.

Deutsche Telekom argues in the "Binding Corporate Rules" that implementing them is a "common concern of Deutsche Telekom Group companies" because they are "perceived by its customers and the general public as a single entity". But it cannot make its largest subsidiary adopt them?

This is about whether T-Mobile US customers have de-facto GDPR rights via binding rules/contracts with its European owner, and as such a huge thing /cc @profcarroll

Anyway, @ehasbrouck's broader argument is that T-Mobile US advertised its services as "powered by German privacy".

I support his call for journalists and regulators to ask further questions.

Posted by: Edward Hasbrouck, 9 August 2022, 12:55 (12:55 PM)

George Chiesa on Twitter:

https://twitter.com/GeorgeChiesa/status/1557088537480204288

@GeorgeChiesa
Replying to @WolfieChristl and @ehasbrouck

If they do not comply with binding corporate rules, how the hell did they implement originally data transfers under GDPR?

Posted by: Edward Hasbrouck, 9 August 2022, 12:59 (12:59 PM)

ben on Twitter:

https://twitter.com/sqrt2/status/1557093525296136193

@sqrt2
Replying to @WolfieChristl and @ehasbrouck

Hmm, the only way that what DTAG says could make sense seems to be if appointing 10 out of 13 directors is somehow not enough to be able to force TMUS to adopt the BCRs?

https://twitter.com/sqrt2/status/1557093525296136193/photo/1

https://twitter.com/sqrt2/status/1557093525296136193/photo/2

Posted by: Edward Hasbrouck, 9 August 2022, 13:03 ( 1:03 PM)

Since I am a California resident, some private messages have asked me whether the failure by T-Mobile USA to provide access to specific pieces of personal information that I have requested *also* violates the California Consumer Privacy Act (CCPA):

https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.

Yes, T-Mobile USA has violated the CCPA. T-Mobile USA sent a response which they *claimed* was sufficient under the CCPA. But the response was short, largely unintelligible, and did not include most of the personal information about me that is held by T-Mobile. Some of the withholding was unexplained, and some categories of data were not even mentioned. Some of the withholding was explained as being "for your protection", which is not a permissible exception or basis for withholding under the CCPA.

I have made a complaint to the Office of the Attorney General of the State of California, which has jurisdiction to enforce the CCPA:

https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

Unlike with a complaint under the GDPR to a data protection authority in the EU, the California Attorney General does not have to respond to the complaint or disclose their decision, so I do not know whether they will act, or why they have not acted.

In general, denial of subject access rights is not a basis for a private lawsuit under the CCPA.

I would prefer that T-Mobile USA adopt and comply with the Deutsche Telekom BCRP, as their promises and that BCRP itself require. This would protect all customers of T-Mobile USA, not only those in California.

Posted by: Edward Hasbrouck, 11 August 2022, 12:04 (12:04 PM)

Speaking to financial journalist Nadine Schimroszik of Reuters today after the announcement of Deutsche Telekom's quarterly financial results, Timotheus Höttges, CEO of Deutsche Telekom and chairman of the board of directors of T-Mobile US, said that for Deutsche Telekom, "Acquiring a majority stake in T-Mobile U.S. is 'our most important strategic project at present.'":

https://www.reuters.com/business/media-telecom/deutsche-telekom-ceo-eyes-majority-stake-t-mobile-us-2022-08-11/

As noted in my original article above, Deutsche Telekom and T-Mobile USA both claim that Deutsche Telekom already "controls", directly or indirectly, voting rights in the majority of T-Mobile US stock.

But if Deutsche Telekom acquires *direct* ownership of more than 50% of T-Mobile US stock, will the GDPR itself (and not just Deutsche Telekom's "binding corporate rules" on privacy) also then be applicable to T-Mobile US?

Posted by: Edward Hasbrouck, 11 August 2022, 18:42 ( 6:42 PM)

"Trotz Datenschutzversprechen: Deutsche Telekom verkauft in den USA private Daten ihrer Kunden" ("Despite privacy promises: Deutsche Telekom sells its customers' private data in the USA"), by Philipp Alvares de Souza Soares and Stephan Scheuer, Handelsblatt, 29 March 2022:
https://www.handelsblatt.com/technik/it-internet/mobilfunkanbieter-trotz-datenschutzversprechen-deutsche-telekom-verkauft-in-den-usa-private-daten-ihrer-kunden/v_detail_tab_comments/28206086.html

Posted by: Edward Hasbrouck, 15 August 2022, 08:21 ( 8:21 AM)

"Millions of US accounts affected: Telecom group conceals information about hacked personal data", Security Architectures in the EU, by Matthias Monroy, 15 August 2022:

https://digit.site36.net/2022/08/15/millions-of-us-accounts-affected-telecom-group-conceals-information-about-hacked-personal-data/

Posted by: Edward Hasbrouck, 16 August 2022, 07:22 ( 7:22 AM)

Comments on Hacker News:

https://news.ycombinator.com/item?id=32481167

Note that although the Hacker News headline and many of the comments refer to the GDPR, my subject access request was *not* made pursuant to the GDPR. It was made pursuant to T-Mobile USA's *contractually binding promises* to act as a subsidiary of Deutsche Telekom AG, and DTAG's promises that all subsidiaries it is able to control would adopt and comply with its "binding corporate rules" on privacy.

Posted by: Edward Hasbrouck, 16 August 2022, 07:45 ( 7:45 AM)

"Fast 50 Millionen US-Konten betroffen, aber kein Recht auf Auskunft: T-Mobile will nicht angeben, welche Daten gespeichert sind und abflossen" ("Almost 50 million US accounts affected, but no right of access: T-Mobile won't say which data are stored and which were leaked"), by Matthias Monroy, Netzpolitik.org, 16 August 2022:

https://netzpolitik.org/2022/fast-50-millionen-us-konten-betroffen-telekom-gruppe-verschweigt-informationen-ueber-gehackte-personendaten/

Posted by: Edward Hasbrouck, 16 August 2022, 07:54 ( 7:54 AM)

Response to my complaint to the office of the Attorney General of California pursuant to the CCPA:

https://hasbrouck.org/documents/T-Mobile/CCPA-complaint-response-15AUG2022.pdf

As noted in this response, "you cannot sue businesses for most CCPA violations. Consumers may only file a lawsuit against a business if there is a data breach, and even then, only under limited circumstances."

Issues related to subject access rights under the CCPA could have been raised in the pending class lawsuits against T-Mobile USA. But so far as I can tell, subject access rights were not raised, and nothing in the proposed settlement would require T-Mobile to comply with subject access requests under the CCPA.

Posted by: Edward Hasbrouck, 21 August 2022, 13:04 ( 1:04 PM)

See my follow-up article here:

https://hasbrouck.org/blog/archives/002654.html

Posted by: Edward Hasbrouck, 22 August 2022, 14:03 ( 2:03 PM)