It's easy to get confused with all the decimal numbers phones coming out of HMD lately—the Nokia 7.1, 6.1, 3.2, 9, and so on. Even HMD might be getting a little turned around. Finnish media reports that some Nokia 7 Plus handsets in Europe have been beaming data to China even though they aren't Chinese phones. This could be a violation of Europe's GDPR legislation. Oops.
European authorities are investigating claims reported by Norway's public broadcaster NRK that the Nokia 7 Plus has been sending data to a Chinese server. According to the original report, the phones connect to vnet.cn (a state-owned telecom company) to log the phone's location, SIM card number, and serial number. The data was allegedly sent without encryption.
The Nokia 7 Plus launched in Most of Europe and China in 2018. It's understandable that a Chinese phone might reach out to a Chinese carrier, but the European models should not. HMD says that it identified an "error" in some Nokia 7 Plus devices, and it has since corrected it. If it finds this was a violation of the GDPR, the EU could slap HMD with a substantial fine. The situation could get much uglier if other phones are found to do the same thing, but this appears to be an isolated incident for now.
If you have any more questions about what went what down here, and when, HMD has released a full statement on this incident:
"We can confirm that no personally identifiable information has been shared with any third party. We have analysed the case at hand and have found that our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus. Due to this mistake, these devices were erroneously trying to send device activation data to a third party server. However, such data was never processed and no person could have been identified based on this data. This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it.
Collecting one-time device activation data when the phone is taken first time into use is an industry practice and allows manufacturers to activate phone warranty. HMD Global takes the security and privacy of its consumers seriously."
- Matias and Honkytonk