Sweden

[SE] Use of Personal Data in Mobile Content Services

IRIS 2010-3:1/35

Helene H. Miksche and Sanna Thiel

Bird & Bird, Stockholm

The rapid growth of the market for mobile content services, such as weather and news reports, has brought with it an opportunity for mobile operators to sell personal data to content providers. In a joint project, the Swedish Data Inspection Board (DIB) and the Swedish Post and Telecom Agency (PTS) have reviewed how personal data is handled in mobile content services.

One of the project’s findings was that many stakeholders in the market have different opinions on what rules apply to their activities, leading to an uncertain situation as to who is responsible for the processing of the personal data.

The two authorities found that the processing of personal data in mobile content services is in general satisfactory, but improvements could be made in certain areas. These would concern, for example, the information that the content providers must provide to the users with regard to their right to obtain information about what data is processed by the content provider and the possibility for the user to request corrections, as well as the information on why personal data is collected and processed.

The report contains a number of recommendations, including that operators must not use mobile phone numbers for identification if not necessary, since access to mobile phone numbers makes it possible for content providers to survey the consumers’ use of mobile content services. This means that the operators should not design their systems for e.g., positioning and charging in such a manner that telephone numbers are used to identify the subscriber. It is the authorities’ opinion that it should be enough to use more anonymous information, which only the mobile operator can trace to the actual subscriber.

Further, integrity issues should be taken into consideration already when new services are being developed, for example by classifying information and analysing risks. Improving integrity protection at a later stage is more difficult and more expensive. It is also often suitable to protect information by safe authentication procedures and by using encryption. Authentication and transactions should also be logged so as to make tracing possible.