MEF’s Future of Messaging Programme was founded in 2015 to align best practices and sustain business messaging as a trusted channel for businesses to communicate with their customers. As new business communications channels evolve, SMS remains key thanks to its ubiquity.
However, use of unauthorised routes such as SIM Farms undermines trust in business messaging and programme members have developed a new whitepaper to raise awareness of the data protection risk for businesses when using SIM Farms.
It looks at the data protection obligations and liabilities for all stakeholders in the messaging value chain and demonstrates how possible breaches of data protection legislation, which are liable to hefty fines, can mean that ‘cheap’ messages quickly become very expensive.
Here, MEF members who will be giving a briefing on the topic next week share their views on why it is essential that all businesses sending SMS understand the roles of data controller and data processor as they relate to the messaging delivery chain, and are aware of the possible data protection risks and liabilities.
Mariana Muller, Senior Partner Manager Digital Processes & Services, RCS & Rich Business Messaging, Telefónica Germany
Sending A2P SMS via SIM Farms has become one of the main ways of conducting illegitimate routing to terminate into the MNOs' networks in order to surpass direct connection fees. Unfortunately, mobile operators are under constant threat from such practices, which nowadays have “evolved” from the traditional modem-based SIM farming towards crowdsourced (distributed) SIM farm apps.
Through that, the mobile subscriber is tempted to earn from their flat rate tariffs by reselling the unused SMS to the SIM farm providers, who on the other hand would use those messages to terminate enterprise messaging content. The problem needs to be tackled not only on the mobile operator's side, but also to be taken seriously by all involved parties – mobile subscribers, SIM farm providers, app stores and most crucially the businesses sending SMS via such routes and who may face a real danger of breaching numerous legislations, depending on the country in which they are operating.
When trying to optimize the costs, businesses need to be aware that by using a crowdsourced SIM farm, they are clearly in breach of data protection legislation, e.g. GDPR, and of how the considerable fines could make the cheap messaging offer quite expensive in the end. The whole phenomenon also undermines the value of the A2P messaging service and disrupts the ecosystem in a very negative way. The ecosystem needs to fight this in a coherent way. Businesses should ask for transparent routing information from their messaging provider; aggregators should use testing solutions to make sure they do not resell illegitimate routes; and the MNOs should constantly monitor their networks to avoid such practices.
Robert Gerstmann, Chief Evangelist & Co-Founder, Sinch
One third of all business SMS globally are not sent to consumers in the way mobile operators intended.
The driving force behind this is a desire for businesses to save cost or for messaging service providers to generate higher profits.
Whereas some ways to cut cost are within what operator terms and conditions, regulation and legislation allow for and are a natural aspect of a highly competitive and innovative marketplace, others are in breach. Data protection legislation, like the EU’s GDPR, has introduced an additional factor that businesses need to consider when sending SMS.
The change for businesses is that under the GDPR they are responsible and hence liable for the entire SMS delivery chain whereas with breach against operator T&C, regulations or other legislation each party is responsible only for themselves. GDPR liabilities can be significant, up to €20,000,000 or 4 percent of total annual turnover.
SIM farms, standard or crowdsourced, are today probably the most common way for message service providers to cut SMS delivery cost. SIM farms are however very likely not GDPR compliant and hence businesses messaging their customers in Europe run significant risk if they have SIM farms in their business SMS delivery chains.
Businesses need to be aware and take precautionary measures to ensure GDPR compliance and avoid risk.
Rafael Pellon, Associate, Pellon de Lima Advogados
In this new world of pandemic of ours, digital life has spread through all aspects of our communal existence, transforming messaging tools into an even more critical asset for companies and brands. This paper highlights the importance of data privacy, use cases and how-tos to avoid miscommunication and harm to customers, which is now heavily penalized across several countries around the globe that implemented legislation to tackle the bad weeds out of the global communication networks.
The compliance of all players in communication networks is critical now that several countries – including the EU and most of the Latin American countries – have implemented data privacy regulations that preview solidarity amongst brands and their supply chain on the wrongful usages of personal data, meaning that compliance must involve not only brands and their data collection practices, but also the whole set of suppliers involved in a given network of content distribution through messaging.
Developed by MEF’s Future of Messaging Programme this paper looks at the convergence of data protection and the use of SIM Farms; and how the use of these unauthorised routes continues to undermine trust in business messaging.
MEF’s Future of Messaging Programme has published guidelines to help businesses understand their data protection obligations when sending business SMS. The guidelines highlight possible risks of data breaches, particularly when using unauthorised, fraudulent or illegitimate routes, e.g. SIM Farms. This briefing features Sinch, Telefónica and data privacy expert Rafael Pellon, who walk through the issues, the impact and what can be done to minimise the risks.