“From the looks of it, the data tracking package was meant for the China variant of the Nokia 7 Plus, but was mistakenly added in others, violating GDPR rules”
HMD Global has found itself in a rather awkward situation after certain Nokia 7 Plus handsets were caught relaying private information such as GPS coordinates, SIM card number, and handset serial number to a Chinese data server. The incident, which was previously reported by a Twitter user but went largely unnoticed, was more recently brought up by Norwegian user Henrik Austad, who realised that unencrypted information was being sent from his Nokia 7 Plus to a Chinese server.
The information in question reportedly included the GPS coordinates of the device, SIM card number, phone serial number, and network details. The tip-off prompted NRK, Norway’s public broadcaster, to probe the incident. The investigation found that multiple Nokia 7 Plus units were indeed relaying such private information to a Chinese server under the domain zzhc.vnet.cn, which is located in state-run telecom operator China Telecom’s service.
HMD Global, which presently owns the rights to manufacture and sell devices under the Nokia brand, has so far enjoyed relatively smooth sailing, with the company being appreciated for its transparent operations, clear firmware in devices, regular and frequent updates and an overall no-frills approach to phones in general. The company has stated that the data collection occurred because of an “error” in the firmware coding, and that it has already been rectified in a January software update that most users of the device in question have installed.
Further investigation has revealed that the code in question for data collection and transmission was originally written back in 2014. With this code, the devices were programmed to transmit data to a target server whenever the device was switched on, or whenever the screen was unlocked or even activated. The code itself was contained in a folder that was rather non-cryptically named ‘China Telecom’, suggesting that the code was intended for China-specific devices and may have been included unintentionally in a device that was not exclusive to China.
HMD Global will certainly hope that is the case, failing which the company would be liable for violating the stricter GDPR rules in the European Union. The stringent EU privacy laws impose strict penalties on those who violate fundamental privacy rights. It is not yet clear if any further private data was transmitted by this code, and HMD Global has defended itself by stating that the information transmitted did not include any personal identifier of any user. The Office of the Data Protection Ombudsman in Finland is presently investigating the incident.