The incident caused Finlands data regulator to launch an investigation against HMD Global regarding the incident, as it directly violated the GDPR guidelines for user data that the European Union launched a year ago.
While the Nokia phone maker has since issued a software update addressing the issue, Reuters reports that the Finnish data protection ombudsman isn't sweeping this under the carpet saying it will launch an investigation to ascertain if there was indeed a violation of GDPR law.
Based on NRK's investigation of the phone's firmware, the code responsible for the data collection was written circa 2014 and resided in a subfolder named "China Telecom", suggesting it was most likely meant to be deployed on phones sold only in China, to comply with local data collection laws. It said the company had "admitted that an unspecified number of Nokia 7 Plus phones had sent data to the Chinese server".
The domain name of the server is vnet.cn which is the CNNIC or China Internet Network Information Center. Monitoring the traffic on his device, he discovered that it was sending a packet of data to a remote server, a server based in China. The HTTP POST requests from the devices included IMEI numbers, SIM numbers, and MAC identifiers, which can be potentially used to identify and track the cellphones.
Backtracking a bit, a reader for Norwegian site NRKbeta observed that his Nokia 7 Plus was exhibiting odd network activity every time it was turned on or unlocked. Finland's ombudsman Reijo Aarnio told Reuters he would investigate whether the breaches involved "personal information and if there has been a legal justification for this". And when neither China Telecom nor HMD Global is able to tell who actually owns the server and receives the data, the plot thickens even further.
HMD insists "no personally identifiable information has been shared with any third party" and the the data sent was never processed - presumably because the activation attempt would fail in the absence of account data associated with an actual telecom customer in China.