From the Dutch Data Protection Authority:
The Dutch Data Protection Authority (CBP) today publishes its reports resulting from the investigation into the analysis of data traffic (packet inspection) on the mobile network by the mobile operators KPN, Tele2, T-Mobile and Vodafone. These four operators are the largest mobile network providers in the Netherlands. In the course of the investigation the Dutch DPA has found violations of the Dutch Data Protection Act and the Telecommunications Act at all four operators. The companies are found to have stored data, in breach of the law, on a detailed level about visited websites and used apps. According to the law, such data must be deleted as soon as possible after collection, or irreversibly anonymised. Data about visited websites and used apps via smartphones tell a lot about the behaviour and preferences of people. In many cases it is not necessary to store such data on an individual (customer) level.
The investigation has also shown that customers are not, or incorrectly, informed, about the fact that the telecom operators collect this detailed information about them and what they do with it. This lack of transparency is also in breach of the law.
As a result of the investigation, some of the established violations have stopped. The Dutch DPA will now verify to what extent some established violations are still on-going and decide whether it will take enforcement measures.
Read the reports on the four operators on the Dutch DPA’s web site.
h/t, Frederik Borgesius