Consumer Protection

Consumer Protection

As mobile services become more economically and socially important, particularly the mobile internet, there is a corresponding need to ensure that the more than five billion people currently connected via these services can continue to enjoy them safely and securely. The challenge is providing this protection while also ensuring users have control over their privacy and personal data.

It is therefore essential for the mobile industry to deliver safe and secure technologies, services and apps that inspire trust and confidence. At the same time, consumers need to be educated about potential risks and be aware of the steps they can take to avoid those risks.

The mobile industry takes consumer protection seriously. The GSMA and its members play a leading role in developing and implementing appropriate safety and security solutions, technical standards and protocols. They also work with governments, multilateral organisations and non-governmental organisations (NGOs) to address concerns related to consumer protection by:

  • Defining, sharing and promoting global best practice;
  • Building and participating in cross-sector coalitions;
  • Educating consumers and businesses in the safe use of mobile technologies and applications; and
  • Commissioning research that offers real-world insight and evidence.

The following pages illustrate the work undertaken by the mobile industry to ensure consumers are appropriately protected and informed as they enjoy the full range of benefits made possible by mobile technology.

Children and Mobile Technology


Young children and teenagers are enthusiastic users of mobile technology. Young people’s knowledge of mobile apps and platforms often surpasses that of parents, guardians and teachers, and children now use social networking services more than their parents.

For growing numbers of young people, mobile technology is an increasingly important tool for communicating, accessing information, enjoying entertainment, learning, playing and being creative. As mobile technology becomes increasingly embedded in everyday life, mobile operators have an important role to play in protecting and promoting children’s rights.

For children and youth, mobile devices can be key to accessing:

  • Employment skills;
  • Enhanced formal and informal education and learning;
  • Information and services to aid in health and well-being;
  • Improved social and civic engagement; and
  • Opportunities to play and be creative.

Mobile devices increasingly play a role in formal education and informal learning. For people in LMICs and rural areas, as well as places where certain people – girls in particular – are excluded from formal education, mobile connectivity offers new opportunities to learn.

Like any tool, a mobile device can be used in ways that cause harm, so young people require guidance in order to benefit from mobile technologies safely and securely.

The mobile industry has taken active steps to help with the safe and responsible use of mobile services by children. The GSMA plays a leading role in self-regulatory initiatives on issues such as parental controls, education and awareness.


What potential harm are children exposed to in the online environment?

How can all stakeholders navigate the tensions between differing child rights in the digital world?

Industry Position

Mobile devices and services enhance the lives of young people. This perspective needs to be embraced, encouraged and better understood by all stakeholders to ensure young people reap the full benefits of mobile technology.

Addressing safe and responsible use of mobile by children and young people is best approached through multistakeholder efforts.

Working closely with UNICEF, the GSMA and its mobile operator members and a range of other organisations, including the International Centre for Missing and Exploited Children (ICMEC) and INHOPE, hold national and regional multistakeholder workshops on the issue. These workshops bring together policymakers, NGOs, law enforcement and industry, to facilitate the development of collaborative approaches to safe and responsible use of the internet.

Through its mPower Youth programme, the GSMA also works closely with Child Helpline International to foster collaboration between mobile operators and child helplines in promoting children’s rights – in particular their right to be heard – and to work together on areas of mutual concern, such as safer internet.

The GSMA takes part in international initiatives related to safeguarding children online, including contributing to the ITU’s Child Online Protection programme, and actively engages with governments and regulators looking to address this issue. Through its Capacity Building programme, for example, the GSMA helps policymakers better understand children’s use of technology and discusses strategies for encouraging young people to become positive, engaged, responsible and resilient users of digital technology.

Young people are critical to the evolution of the mobile sector as they represent the first generation to have grown up in a connected, always-on world. They are future consumers and innovators who will deliver the next wave of innovation in mobile.


UNICEF Guidelines for Industry on Child Online Protection website

UNICEF Tools for Companies in the ICT Sector website

ICT Coalition website

GSMA mPower Youth: Enhancing children’s lives through mobile

GSMA and Child Helpline International: Internet Safety Guides

Global Kids Online: Research Results

Deeper Dive

Collaboration in Action

As more young people are leading digital lives, they reach out to child helplines for support and guidance when they encounter problems online.

While many child helplines already have experience in this area, globally there are still many that would benefit from guidance on these issues. The GSMA and Child Helpline International wanted to extend their support to child helplines by harnessing the experience of experts from a range of stakeholder groups. In May 2016, they co-hosted an intensive one-day workshop that brought together the child helpline community, the Child Helpline International youth panel, mobile operators and other industry players, NGOs, child online safety experts, including a specialist child and adolescent psychiatrist, and law enforcement.

The workshop kick-started the development of a series of high-level guides for child helpline counsellors and volunteers on nine common or challenging digital issues that lead young people to seek advice from helplines. The nine guides were launched in November 2016 and cover cyberbullying, discrimination and hate speech, grooming, illegal content, inappropriate content, privacy, sexual extortion, sexual harassment and unsolicited contact.

The guides were created with child helplines and their counsellors and volunteers in mind, especially those for whom internet safety issues were relatively new or where counsellor guidance and training was still under development. Each guide was created with input from a range of experts who also reviewed and approved the content. The guides are purposely high level to accommodate different local contexts, with each guide providing a definition and examples of the issue, discussion ideas with children, parents/caregivers, practical and technical advice, as well as “red flags” that counsellors should watch for.

The 30th anniversary of the UN Convention on the Rights of the Child

1989 was a milestone year, as it marked both the agreement of the UN Convention on the Rights of the Child (UNCRC) and the birth of the World Wide Web.

The UNCRC sets out child-specific needs and rights that children everywhere are entitled to in order to survive and thrive, to learn and grow and to reach their full potential. It outlines children’s rights to education, information, privacy and the highest attainable standard of health. It also outlines their rights to leisure and play, to be heard, as well as to protection from violence, sexual exploitation and abuse.

The provisions in the UNCRC were set out and agreed without knowledge of the technology revolution that would shortly follow. The UNCRC remains as important and relevant in today’s connected world as it was for children at the time of its creation more than 30 years ago.

The GSMA supports its members as they seek to enable children to safely and positively realise the many opportunities afforded through connectivity, while also taking steps to mitigate potential risks.

As the UNICEF State of the World’s Children 2017 report notes, the internet “...reflects and amplifies the best and worst of human nature. It is a tool that will always be used for good and for ill. Our job is to mitigate the harms and expand the opportunities digital technology makes possible.”

Cross-Border Flows of Data


The global digital economy depends on cross-border flows of data to deliver crucial social and economic benefits to individuals, businesses and governments.

When data is allowed to flow freely across borders, it enables organisations to adopt data-driven digital transformation strategies that benefit individuals and society. Policies that inhibit the free flow of data through unjustified restrictions, or local data storage requirements can have an adverse impact on consumers, businesses and the economy in general.[1]

 Cross-border flows of personal data are currently regulated by several international, regional and national instruments and laws intended to protect the privacy of individuals, the local economy or national security.

While many of these instruments and laws adopt common privacy principles, they do not create an interoperable regulatory framework that reflects the realities, challenges and potential of a globally connected world. Emerging frameworks, such as the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules and the EU Binding Corporate Rules, allow organisations to transfer personal data under certain conditions. They contain accountability mechanisms and are based on internationally accepted data protection principles.

However, their successful adoption is undermined by governments implementing data localisation rules (also known as “data sovereignty”) that impose local storage requirements or use of local technology.[2] Such localisation requirements can be found in a variety of sector- and subject-specific rules. They are sometimes imposed by countries based on the belief that supervisory authorities can more easily scrutinise data that is stored locally.[3]

 Today, bilateral and multilateral trade agreements are incorporating more modern trading arrangements that recognise the potential of digital trade powered by open, cross-border data flows. These can act as a catalyst for continued growth that facilitates trade and improves productivity and economic well-being. Examples are the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the ASEAN Regional Comprehensive Economic Partnership (RCEP), the African Continental Free Trade Area (AfCFTA) and the EU Binding Corporate Rules.

[1] International Chamber of Commerce. (2016). Trade in the Digital Economy; ECIPE. (2014). The Cost of Data Localisation.

[2] Chander, A. and Le, U. (2015). “Data Nationalism”. Emory Law Journal, 64(3); Hill, J.F. (2014). “The Growth of Data Localization Post-Snowden”. The Hague Institute for Global Justice, Conference on the Future of Cyber Governance, 2014.

[3] European Commission Report. (2017). Building a European Data Economy Communication.


How can industry, legislators, regulators and civil society engage effectively to develop policy that supports cross-border flows of data?

How can data protection safeguards adequately address the legitimate concerns of governments that seek to impose localisation requirements?

Industry Position

Cross-border flows of data play a key role in innovation, competition and economic and social development. Governments can facilitate data flows in a way that is consistent with consumer privacy and local laws by supporting industry best practices and frameworks for the movement of data, and by working to make these frameworks interoperable.

 Governments can also ensure these frameworks have strong accountability mechanisms and authorities have a role in overseeing and monitoring their implementation. Governments should only impose measures that restrict cross-border data flows if they are essential to achieving a legitimate public policy objective. The application of these measures should be proportionate and not arbitrary or discriminatory against foreign suppliers or services.

Mobile operators welcome frameworks such as the APEC Cross-Border Privacy Rules or the EU Binding Corporate Rules, which allow accountable organisations to transfer data globally provided they meet certain criteria. Such mechanisms are based on commonly recognised data privacy principles and require organisations to adopt a comprehensive approach to data privacy.

The frameworks encourage more effective protection for individuals than formal administrative requirements while also helping to realise potential social and economic benefits. Such frameworks should be made interoperable across countries and regions to the greatest extent possible. This would stimulate convergence between different approaches to privacy, while promoting appropriate standards of data protection and allow accountable companies to build scalable and consistent data privacy programmes.

Requirements for companies to use local data storage or technology create unnecessary duplication and costs. There is little evidence that the policies produce tangible benefits for local economies or improved privacy protections for individuals.

To the extent that governments need to scrutinise data for official purposes, mobile operators would encourage them to achieve this through existing lawful means and appropriate intergovernmental mechanisms that do not restrict the flow of data.

The GSMA and its members believe that cross-border data flows can be managed in ways that safeguard the personal data and privacy of individuals. We remain committed to working with stakeholders to ensure that restrictions are only implemented if they are necessary to achieve a legitimate public policy objective.


GSMA Mobile and Privacy website

GSMA Report: Mobile Privacy Principles

GSMA Report: Smart Data Privacy Laws

GSMA Report: 5G and Data Privacy 

GSMA Report: Safety, Privacy and Security Across the Mobile Ecosystem

GSMA Report: Protecting Privacy and Data in the Internet of Things

Deeper Dive

Deeper dive: National data privacy regimes should be based on shared, core principles and provide flexibility in implementation

The challenge of regulating data privacy, including cross-border flows of data, is putting measures in place that consistently provide consumers with confidence in existing and new services without limiting service adoption or imposing significant additional costs on service providers.

To achieve this, it is crucial for privacy regulation to be based on shared core principles, which, according to United Nations Conference on Trade and Development (UNCTAD), are “at the heart of most national [privacy] laws and international regimes”, as well as industry initiatives. This would allow companies to treat data consistently across their operations, innovate more rapidly, achieve greater scale and reduce costs. Consumers will benefit from wider choice, improved quality and lower prices of services

The 2009 Madrid Resolution on International Standards for the Protection of Personal Data and Privacy, for example, encourages consistent international protection of personal data and embraces privacy approaches from all five continents. As well as being designed “to ease the international flow of personal data, essential in a globalised world”[1] the resolution advocates six privacy principles to be adopted by policymakers.

Lawful and fair Purpose Proportionate
Personal data must be lawfully and fairly processed. Processing should be limited

to specified purposes.

Processing should be

proportionate and not


Quality Openness Accountable
Data held should be accurate. The processor should be open regarding their activities. The processor should be accountable for their activities.

Similar principles are reflected repeatedly in laws and policy initiatives around the world, such as the Council of Europe Convention 108, the OECD Guidelines, the EU General Data Protection Regulation, the US Federal Trade Commission Fair Information Practice Principles and the APEC Privacy Framework. The mobile industry has also adopted the GSMA Mobile Privacy Principles to give consumers confidence that their personal data is being protected, irrespective of service, device or country.

[1] International Standards on the Protection of Personal Data and Privacy: The Madrid Resolution 2009

Localisation Rules Risk Undermining the Protection of Personal Data

There are several reasons why countries seek to justify imposing data localisation rules, including concerns about foreign surveillance and national security, as well as a desire to stimulate a national digital economy through in-country data analysis.

The range of localisation restrictions can include subjecting the data flows to certain restrictions to benefit citizens’ privacy and requiring organisations to keep data in-country but allowing the data to flow thereafter. It may also include requiring the data to be kept in-country altogether or imposing requirements that have the indirect effect of keeping the data in-country, such as mandating the use of local infrastructure.

However, these restrictions do not necessarily lead to better protection of personal data and, in fact, can undermine it. For example, a fragmented approach results in inconsistent protection (e.g., differences across jurisdictions and sectors in what can be stored and for how long) and causes confusion, which ultimately has a negative impact on the secure management of personal data.

The risks identified by governments can be mitigated by various solutions and principles without restricting data flows. For example, internet platform companies and cloud computing providers are increasingly establishing regional hubs so that governments concerned about the surveillance activities of foreign countries can avoid data being held in particular jurisdictions. Encryption techniques also allow data to be protected from access and stored securely abroad. Requiring localisation on the grounds of a perceived economic benefit are equally flawed. Restricting data processing activities to a national rather than global scale, is likely to lead to significant operational costs per customer served and prevent citizens from accessing emerging innovative global digital services.

To address legitimate concerns about privacy, governments have adopted a patchwork of international, regional and national rules. In addition to the APEC Privacy Framework and the EU General Data Protection Regulation (GDPR), regional frameworks have emerged in the ASEAN region, Latin America and Africa. These frameworks are commendable in that they aim to align regional economies around a common understanding of data privacy. However, they need to be interoperable across regions to the greatest extent possible, to reflect the realities of a globally connected world. This would allow companies to build scalable and accountable data protection and privacy platforms.

Flows of data across borders are important for societal and economic reasons. Without them, economic growth and the potential benefits to society of digital transformation can be hampered. It is therefore incumbent on governments, regulators, industry and civil society groups to reject localisation measures and find other ways to enable the flow of data while also protecting individual privacy.



The internet and mobile connectivity have become ever more pervasive, making it vital to ensure that people can use increasingly essential services safely and securely.

Cyberattacks are not only harmful and criminal, but also undermine trust in digital services. The mobile industry is continually working to educate consumers while incorporating new features and enhancing existing security capabilities such as encryption, integrity checking and user identity validation, to minimise the potential for fraud, identity theft and other possible threats. Governments and policymakers have put measures in place to prevent cyberattacks, and national and regional strategies have been adopted in many countries to strengthen resilience, build capacity and fight cybercrime.

“Cybersecurity” covers several areas,[1] but generally refers to the protection of network-related systems and devices and the software and data they contain. It typically comprises the protection of technical infrastructure, procedures and workflows, physical assets, national security, as well as the confidentiality, integrity and availability (CIA triad) of information.

The mobile industry has a long history of providing secure products and services to its customers:[2]

Protecting network infrastructure and devices

Operators test for vulnerabilities and detect and deter malicious attacks on current generation and future networks. The GSMA and its members support the principles of “security-by-design” to be applied across the value chain. The GSMA plays a central role in coordinating activity and leads on industry-wide initiatives and programmes such as the Fraud and Security Group (FASG), the Security Accreditation Scheme (SAS) and the Network Equipment Security Assurance Scheme (NESAS), which provides a security assurance framework to facilitate improvements in security levels across the mobile industry.[3]

Protecting public safety

Mobile networks are considered to constitute critical national infrastructure in many jurisdictions, and the services they support play a key role in protecting the public. Operators have a legal obligation to assist law enforcement agencies, which they do while supporting human rights concerns.

Protecting consumers from fraud

Fraudulent attacks take many forms, such as identity theft, financial fraud, phishing, smishing or vishing, where victims are tricked into revealing sensitive personal information and service access credentials. Operators implement and offer solutions to prevent the use of networks to commit fraud and the use of devices to harm consumers.

Protecting consumer privacy

Information security implies that information, including personal data, is not accessible or disclosed to unauthorised individuals, entities or processes, and that it is maintained, complete and available, throughout its life. The GSMA has undertaken extensive work on data protection and data privacy.


 In the context of 5G implementation and the expanding web of IoT devices and services, how can policymakers ensure that cybersecurity is the responsibility of everyone in the mobile ecosystem?

 What is needed to facilitate a more holistic response to cybersecurity?

Industry position

Cybersecurity is the shared responsibility of industry, government and regulators. Every actor in the digital value chain, across all sectors of the digital economy, needs to ensure the appropriate protection of infrastructure, products and services.

 Given that cybersecurity risks are dynamic and not confined to national borders, sustained international multistakeholder cooperation in all areas of security is key to managing risks. Robust security measures must also be adopted by the entire digital value chain.

Mobile operators continue to invest in the security of their own networks, devices and services, building solutions and capabilities to detect and deter malicious attacks. They are improving preparedness and incidence response and contributing to the development of globally recognised, industry-led, voluntary consensus security standards, assurance programmes and conformity assessment schemes. They also continue to participate in capacity building, engage with experts in the field of cybersecurity and share best practices with other stakeholders.

Governments and law enforcement agencies should ensure there are appropriate legal frameworks, resources and processes in place to deter, identify, investigate and prosecute criminal behaviour. This requires global cooperation between governments and the wider ecosystem. Future proofing across jurisdictions will ensure regulation and network security obligations are consistent and clear for all players involved in this complex and rapidly evolving area.


GSMA IoT Security

GSMA Report: The 5G Era: Age of Boundless Connectivity and Intelligent Automation

GSMA Report: Mobile Telecommunications Security Landscape 2021

GSMA Report: Cybersecurity: A Governance Framework for Mobile Money Providers

GSMA Cybersecurity and Mobile Money: Prioritising Consumer Trust and Awareness

Data Privacy


Research shows that mobile customers are concerned about their privacy and want simple and clear choices for controlling how their private information is used. They also want to know they can trust companies with their data. A lack of trust can act as a barrier to growth in economies that are increasingly data driven.

One of the major challenges created by the growth of the mobile internet is that the security and privacy of personal information is regulated by a patchwork of geographically bound privacy regulations while the mobile internet is, by definition, international. In many jurisdictions, the regulations governing how customer data is collected, processed and stored vary considerably between market participants. For example, the rules governing how personal data is treated by mobile operators may be different to those governing how it can be used by internet players.

This misalignment between national privacy laws and global standard practices makes it difficult for operators to provide customers with a consistent user experience. It may also cause legal uncertainty for operators, which can deter investment and innovation. Inconsistent levels of protection also create risks that consumers might unwittingly provide easy access to their personal information, leaving them exposed to unwanted or undesirable outcomes, such as identity theft and fraud.


How can policymakers help create a privacy framework that supports innovation in data use while balancing the need for privacy across borders, regardless of the technology involved?

 How is responsibility for ensuring privacy across borders best distributed across the mobile

internet value chain?

What role does self-regulation play in a continually evolving technology environment?

 What should be done to allow data to be used to support the social good and meet pressing public

policy needs?

Industry Position

Currently, the wide range of services available through mobile devices offers varying degrees of privacy protection. To give customers confidence that their personal data is being properly

protected – irrespective of service or device – a consistent level of protection must be provided.

Mobile operators believe that customer confidence and trust can only be fully achieved when users feel their privacy is appropriately protected.

The necessary safeguards should derive from a combination of internationally agreed approaches, national legislation and industry action. Governments should ensure legislation is technology neutral and that its rules are applied consistently to all players in the internet ecosystem.

Because of the high level of innovation in mobile services, legislation should focus on the overall risk to an individual’s privacy, rather than attempting to legislate for specific types of data. For example,

legislation must deal with the risk to an individual arising from a range of different data types and contexts, rather than focusing on individual data types.

The mobile industry should ensure privacy risks are considered when designing new apps and services and develop solutions that provide consumers with simple ways to understand their privacy choices and control their data.

The GSMA is committed to working with stakeholders from across the mobile industry to develop a consistent approach to privacy protection and promote trust in mobile services.


GSMA Mobile and Privacy website

GSMA Report: Mobile Privacy Principles

GSMA Report: Smart Data Privacy Laws

GSMA Report: 5G and Data Privacy

GSMA Report: Protecting Privacy and Data in the Internet of Things

GSMA Report: Safety, Privacy and Security Across the Mobile Ecosystem

Deeper Dive

Smart Privacy Practice and Regulation

A combination of smart data privacy practices and smart data privacy regulation is required to sustain consumers’ trust in the digital ecosystem that has evolved rapidly around them.

The GSMA has developed nine Mobile Privacy Principles as well as a range of resources to promote good practice. These resources include the GSMA’s Privacy Design Guidelines for Mobile Application Development, considerations that should be taken into account when engaging in Big Data analytics and a privacy-by-design decision tree for use in developing IoT products and services. They seek to strike a balance between protecting privacy and enabling organisations to achieve commercial, public policy and societal goals.

If organisations adopt comprehensive policies, processes and practices to protect the privacy of individuals — and can easily demonstrate these safeguards are effective — they will strengthen trust among consumers and regulators. Equally, if governments adopt smart data privacy rules, they can establish a regulatory environment that stimulates the digital economy while also unleashing its benefits for consumers and citizens.

While governments must ensure smart data privacy laws take account of citizen's privacy concerns, they must also recognise that these rules can have important consequence beyond the protection of privacy. As a result, when drafting these rules, governments must take into consideration how these laws sit within an economic and societal context.

Policymakers around the world have been studying the EU’s General Data Protection Regulation (GDPR) and other regional and national frameworks or laws to inform their own legislative proposals. Among the lessons learned are that smart data privacy rules are:

  • Horizontal, meaning they apply to all processing of personal data rather than focusing on just one technology or sector. This reduces the need for sectoral rules or operating licences that subject network operators to an additional set of competing privacy obligations.
  • Principles-based, allowing innovation to thrive without having to reinvent the rules every time new technologies or business methods are introduced.
  • Risk-based, encouraging companies to focus on preventing harm (for example, by setting a threshold for reporting of data breaches rather than mandating that all breaches are reported), or encouraging organisations to implement privacy-by-design and privacy impact assessment processes.
  • Based on the idea of accountability, holding companies to account, but allowing them to innovate and comply in a way that makes sense for their business and rewarding those that embed a culture of privacy in their organisations.
  • Open to data flows, allowing data to cross borders provided there are sufficient safeguards to protect an individual’s privacy (see the Cross-Border Flows of Data section in this handbook).

Best Practice

Mobile Privacy Principles

The GSMA has published a set of universal Mobile Privacy Principles that describe how mobile consumers’ privacy should be respected and protected:

Openness, transparency and notice

Responsible persons (e.g., application or service providers) shall be open and honest with users and will ensure users are provided with clear, prominent and timely information regarding their identity and data privacy practices.

Purpose and use

The access, collection, sharing, disclosure and further use of personal information shall be limited to legitimate business purposes, such as providing applications or services as requested by users, or to otherwise meet legal obligations.

User choice and control

Users shall be given opportunities to exercise meaningful choice and control over their personal information.

Data minimisation and retention

Only the minimum personal information necessary to meet legitimate business purposes should be collected and otherwise accessed and used. Personal information must not be kept for longer than is necessary for those legitimate business purposes or to meet legal retention obligations.

Respect user rights

Users should be provided with information about, and an easy means to exercise, their rights over the use of their personal information.


Personal information must be protected, using reasonable safeguards appropriate to the sensitivity of the information.


Users should be provided with information about privacy and security issues and ways to manage and protect their privacy.

Children and adolescents

An application or service that is directed at children and adolescents should ensure that the collection, access and use of personal information is appropriate in all given circumstances and is compatible with national law.

Electromagnetic Fields and Health


Research into the safety of radio signals has been conducted for several decades and underpins human exposure limits that provide protection to all people (including children) against all established health risks.

The WHO and ITU encourage governments to adopt the radio frequency electromagnetic field (RF-EMF) exposure limits developed by the International Commission on Non-Ionizing Radiation Protection (ICNIRP). These were reviewed and updated in 2020.

New applications, such as 5G, wireless IoT and wearable devices, are designed to comply with relevant exposure limits. The international exposure guidelines are not technology specific and apply to all mobile technologies, including 5G.

The strong consensus of expert groups and public health agencies, such as the WHO, is that no health risks have been established from exposure to the radio signals of mobile devices and mobile network antennas that comply with international safety recommendations.

However, research has suggested a possible increased risk of brain tumours among long-term users of mobile phones. As a result, in May 2011, the International Agency for Research on Cancer classified radio signals as a possible human carcinogen. Health authorities advise that given the scientific uncertainty and lack of supporting evidence from cancer trend data, this classification should be understood to mean that more research is needed. They also remind mobile phone users of practical measures for individuals to reduce exposure, such as using a hands-free kit or text messaging.

Mobile phones are tested for compliance with exposure limits when operating at maximum power. In use a mobile phone operates at a much lower power level.

For mobile networks, whether 2G, 3G, 4G or 5G, the typical levels in publicly accessible areas are a small fraction of the exposure limits and similar to broadcast services.

A comprehensive health-risk assessment of radio signals is being conducted by the WHO. The conclusions are expected in late 2022.


Does using a mobile phone regularly or living near a base station have any health implications?

Are there benefits to adopting the updated international EMF limits for mobile networks or devices?

Should there be specific restrictions to protect children, pregnant women or other potentially vulnerable groups?

Industry Position

National authorities should implement EMF-related policies based on established science, in line with international recommendations and technical standards.

Significant differences between national limits and international guidelines can cause confusion and increase public anxiety. Consistency is vital, and governments should:

  • Base EMF-related policy on reliable information sources, including the WHO, trusted international health authorities and expert scientists.
  • Set a national policy covering the siting of masts, balancing effective network roll out with consideration of public concerns.
  • Accept mobile operators’ declarations of compliance with international or national radio frequency levels using technical standards from organisations such as the International Electrotechnical Commission (IEC) and the ITU.
  • Actively communicate with the public and address their concerns based on the positions of the WHO.

Parents should have access to accurate information so they can decide when and whether their children should use mobile phones. The current WHO position is that international safety guidelines protect everyone in the population with a large safety factor, and that there is no scientific basis to restrict children’s use of phones or the locations of base stations. We encourage governments to provide information and voluntary practical guidance to consumers and parents based on the position of the WHO.

Concerned individuals can choose to limit their exposure by making shorter calls, using text messaging or hands-free devices that can be kept away from the head and body. Bluetooth earpieces use very low radio power and reduce exposure.

The mobile industry works with national and local governments to help address public concerns about mobile communications. Adoption of evidence-based national policies for exposure limits and siting of antennas, public consultations and information can help to reassure the public.

On-going, high-quality independent research is necessary to support health-risk assessments, develop safety standards and provide information to inform policy development. Studies should follow good laboratory practice for EMF research and be governed by contracts that encourage open publication of findings in peer-reviewed scientific literature.


WHO International EMF Project website

GSMA Report: EMF Exposure Compliance Policies for Mobile Network Sites

GSMA Report: International EMF Exposure Guidelines

GSMA website: Safety of 5G Networks

GSMA interactive map: 5G EMF Surveys

Deeper Dive

Health authorities on the science

To date, and after much research performed, no adverse health effect has been causally linked with exposure to wireless technologies. Health-related conclusions are drawn from studies performed across the entire radio spectrum but, so far, only a few studies have been carried out at the frequencies to be used by 5G.

Tissue heating is the main mechanism of interaction between radiofrequency fields and the human body. Radiofrequency exposure levels from current technologies result in negligible temperature rise in the human body.

As the frequency increases, there is less penetration into the body tissues and absorption of the energy becomes more confined to the surface of the body (skin and eye). Provided that the overall exposure remains below international guidelines, no consequences for public health are anticipated.

– WHO Question and Answer, February 2020

Most of the epidemiological research does not support an association between mobile phone use and tumours occurring in the head, which is the body part with the highest exposure to radiofrequency electromagnetic fields. In studies reporting positive associations, it is difficult to exclude various forms of bias, such as recall bias in retrospective exposure assessment.

– International Agency for Research on Cancer, IARC, 2020

A large number of studies have been undertaken on both acute and long-term effects from RF EMF exposure typical of base stations. Research at these levels of exposure has provided no conclusive evidence of any related adverse health effects.

– International Commission on Non-Ionizing Radiation Protection - ICNIRP, acc

Health Authorities on the Science

A large number of studies have been performed over the last two decades to assess whether mobile phones pose a potential health risk. To date, no adverse health effects have been established as being caused by mobile phone use.
— WHO Fact Sheet 193, October 2014

The results of epidemiological studies in the period reviewed confirm that no higher risk of brain tumors is observed in cell phone users. This conclusion coincides with those of other systematic reviews and risk assessments in the same period by agencies and competent international committees in the evaluation of the effects of electromagnetic fields on health.
— Scientific Advisory Committee on Radiofrequency and Health — CCARS (Spain), 2017

Whether mobile phone use causes brain tumours or not was mainly addressed using time trends studies in the last two years. The results were not entirely consistent but mainly point towards a lack of association. Whereas these time series studies do not suffer from recall and selection bias, which is of concern for case-control studies, they are vulnerable to secular time trends. Changes in coding praxis or improved diagnostic tools and thus better detection rate may produce an apparent increase or a decrease in the incidence of brain tumours or specific subtypes. The few indications of changing incidence are thus rather attributed to such methodological limitations than actual changes in risk.
— Swedish Radiation Safety Authority, 2018

Advanced Antenna Technologies

Many of the antennas used for 5G are similar to those in use today. Advanced antenna technologies, such as beamforming, require the use of arrays of small antenna elements to optimise the delivery of radio signals to connected mobile devices. At high-band 5G frequencies these antennas can be small.

 A global look at mobile network exposure limits

The WHO endorses the guidelines of the ICNIRP and encourages countries to adopt them. While many countries have adopted this recommendation, some have chosen to adopt other limits or additional measures on the siting of base stations.

Much of the world follows the ICNIRP guidelines or the similar US Federal Communications Commission (FCC) rules.

In some cases (e.g. China and Russia) RF limits have not been updated to reflect more recent scientific knowledge. In other cases, limits applicable to mobile networks may be the result of arbitrary reductions made as a political response to public concern.

Excluding countries or territories with unknown RF limits, 137 apply ICNIRP (1998 or 2020 limits), 10 follow the FCC limits from 1996 and 37 have other limits.


Illegal Content


Today, mobile networks not only offer traditional voice and messaging services, but also provide access to virtually all forms of digital content via the internet. In this respect, mobile operators offer the same service as any other internet service provider (ISP). This means mobile networks are inevitably used to access illegal content, ranging from pirated material that infringes intellectual property rights (IPR) to racist content or child sexual abuse material (child pornography).

Laws regarding illegal content vary considerably. Some content, such as child sexual abuse material, is considered illegal around the world, while other content, such as dialogue that calls for political reform, is illegal in some countries while in others they are protected by rights to freedom of expression.

Communications service providers, including mobile operators and ISPs, are not usually liable for illegal content on their networks and services, provided they are not aware of its presence and follow certain rules (e.g., “notice and takedown” processes to remove or disable access to the illegal content as soon as they are notified of its existence by the appropriate legal authority).

Mobile operators are typically alerted to illegal content by national hotline organisations or law enforcement agencies. When content is reported, operators follow procedures based on relevant data protection, privacy and disclosure legislation. In the case of child sexual abuse content, mobile operators use terms and conditions, notice and takedown processes and reporting mechanisms to keep their services free of this material.


  • Should all types of illegal content, from IPR infringements to child sexual abuse content, be subject to the same reporting and removal processes?
  • What responsibilities should governments, law enforcement or industry have in the policing and removal of illegal content?
  • Should access to illegal content on the internet be blocked by ISPs and mobile operators?

Industry Position

The mobile industry is committed to working with law enforcement agencies and appropriate authorities and having robust processes in place that enable the swift removal or disabling of confirmed instances of illegal content hosted on their services.

ISPs, including mobile operators, are not qualified to decide what constitutes illegal content, the scope of which is broad and varies between countries. As such, they should not be expected to monitor and judge third-party material, whether it is hosted on, or accessed through, their own network.

National governments decide what constitutes illegal content in their country. They should be open and transparent about which content is illegal before placing responsibility for enforcement on hotlines, law enforcement agencies and industry.

The mobile industry condemns the misuse of its services for sharing child sexual abuse content. The GSMA Mobile Alliance Against Child Sexual Abuse Content provides leadership in this area and works proactively to combat the misuse of mobile networks and services by criminals seeking to access or share child sexual abuse content.

Regarding copyright infringement and piracy, the mobile industry recognises the importance of proper compensation for rights holders and the prevention of unauthorised distribution.


GSMA Reference Document: Mobile Alliance Against Child Sexual Abuse Content Interpol Crimes Against Children

GSMA and UNICEF Report: Notice and Takedown: Company Policies and Practices to Remove Online Child Sexual Abuse Material

GSMA Guide: Hotlines: Responding to Reports of Illegal Online Content

GSMA and Child Helpline International Guides: Internet Safety Guides

International Centre for Missing & Exploited Children Report: Model Legislation & Global Review


WePROTECT Global Alliance Guidance Document: The Model National Response

Deeper Dive

Mobile Alliance Against Child Sexual Abuse Content

The Mobile Alliance Against Child Sexual Abuse Content was founded by an international group of mobile operators within the GSMA to obstruct the use of the mobile environment by individuals or organisations wishing to consume or profit from child sexual abuse content.

Alliance members have made the commitment to:

  • Implement technical mechanisms to restrict access to websites or URLs identified by an appropriate, internationally recognised agency as hosting child sexual abuse content.
  • Implement notice and take-down processes to enable the removal of any child sexual abuse content posted on their own services.
  • Support and promote hotlines or other mechanisms for customers to report child sexual abuse content discovered on the internet or on mobile content services.

Through a combination of technical measures, cooperation and information sharing, the Mobile Alliance is working to stem, and ultimately reverse, the growth of online child sexual abuse content around the world.

The Mobile Alliance also contributes to wider efforts to eradicate online child sexual abuse content by publishing guidance and toolkits for the benefit of the entire mobile industry. For example, it has produced a guide to establishing and managing a hotline in collaboration with INHOPE, the umbrella organisation for hotlines, and a guide to implementing notice and take-down processes with UNICEF.

In the 10 years since the Mobile Alliance was founded, changes to the digital ecosystem, including the increase in online interactivity and user-generated content, have altered the nature of online child sexual exploitation and abuse. For example, hotlines are increasingly seeing self-generated content (also known as “sexting”) being shared online. Child helplines are receiving calls from young people reporting “sexual extortion” or being blackmailed by an offender using self-produced sexual images or videos to make sexual or financial demands.

GSMA and Mobile Alliance members continue to work with their external partners to monitor emerging issues such as these and find additional ways to contribute to wider efforts to address them. For example, they are collaboratively developing guidance for child helpline counsellors on internet safety issues (including illegal content and sexual extortion) and members lead internet safety consumer education and awareness campaigns on an on-going basis.

Internet Governance

Internet governance involves an array of activities related to the policy and procedures of the management of the internet. It encompasses legal and regulatory issues, such as privacy, cybercrime, intellectual property rights and spam. It is also concerned with technical issues related to network management and standards, and economic issues such as taxation and internet interconnection arrangements.

Because the growth of the mobile industry is tied to the evolution of internet-enabled services and devices, decisions about the use, management and regulation of the internet affect mobile service providers and other industry players and their customers.

Internet governance requires input and collaboration from diverse stakeholders relating to their interests and expertise in technical engineering, resource management, standards and policy issues, among others. Relevant stakeholder groups will vary depending on the specific internet governance issues that are being addressed.


Who “owns” the internet?

Should certain countries or organisations be allowed to have greater decision-making powers than others about the management of the internet?

How should a multistakeholder model be applied to internet governance?

“Only a concerted joint global effort by governments, businesses, the technical community and civil society will produce a governance architecture that is as generic, scalable and transnational as the internet itself. No single actor or group of actors can solve this alone.”

– Vint Cerf, Chief Internet Evangelist at Google and Co-inventor of the Internet Protocol suite, February 2018

Industry Position

The internet should be secure, stable, trustworthy and interoperable, and no single institution or organisation can or should manage it. The existing multistakeholder model for internet governance and decision-making should be preserved and allowed to evolve.

Given the ubiquity of the internet in today’s world, any architecture designed to govern its use should be capable of addressing a range of issues and challenges relevant to different stakeholders in a manner that is more agile and flexible than traditional government and intergovernmental mechanisms.

Collaborative, diverse and inclusive decision-making models are required for stakeholders to participate in internet governance.

The decentralised development of the internet should continue, without the control of a particular business model or regulatory approach.

Some internet governance issues warrant a different approach at the local, national, regional or global level. An effective and efficient multistakeholder model ensures that stakeholders, within their respective roles, can participate in building consensus on such issues.

Technical aspects related to the management and development of internet networks and architecture should be addressed collaboratively by different stakeholder groups through relevant standards bodies, the Internet Engineering Task Force (IETF), the Internet Architecture Board (IAB) and other forums.

Economic and transactional issues, such as internet interconnection charges, are best left to commercial negotiation, consistent with commercial law and regulatory regimes.


The Internet Governance Forum website
World Summit on the Information Society WSIS+10 website
The Internet Society Internet Governance website
UNESCO Internet Governance website

Mandated Government Access


Mobile operators are often subject to a range of laws and/or licence conditions that require them to support law enforcement and security activities in countries where they operate. These requirements vary from country to country and have an impact on the privacy of mobile customers.

Where they exist, such laws and licence conditions typically require operators to retain data about their customers’ mobile service use and disclose it, including their personal data, to law enforcement and national security agencies on lawful demand. They may also require operators to have the ability to intercept customer communications following lawful demand.

Such laws provide a framework for the operation of law enforcement and security service surveillance and guide mobile operators in their mandatory liaison with these services. However, in some countries, there is a lack of clarity in the legal framework to regulate the disclosure of data or lawful interception of customer communications. This creates challenges for the industry in protecting the privacy of its customers’ information and their communications.

Legislation often lags behind technological developments. For example, obligations may apply only to established telecommunications operators but not to more recent market entrants, such as those providing internet-based services, including Voice over IP (VoIP), video or instant messaging.

In response to public debate concerning the extent of government access to mobile subscriber data, a number of major telecommunications providers (such as AT&T, Deutsche Telekom, Orange, Rogers, SaskTel, Sprint, T-Mobile, TekSavvy, TeliaSonera, Telstra, Telus, Verizon, Vodafone and Wind Mobile), as well as internet companies (such as Apple, Amazon, Dropbox, Facebook, Google, LinkedIn, Microsoft, Pinterest, Snapchat, Tumblr, Twitter and Yahoo!) publish “transparency reports” that provide statistics relating to government requests for disclosure of such data.


What is the correct legal framework to achieve a balance between a government’s obligation to ensure its law enforcement and security agencies can protect citizens, and the rights of those citizens to privacy?

Should all providers of communications services be subject to the same interception, retention and disclosure laws on a technology-neutral basis?

Would greater transparency about the number and nature of requests governments make assist the debate, improve government accountability and bolster consumer confidence?

Industry Position

Governments should ensure they have a proportionate legal framework that clearly specifies the surveillance powers available to national law enforcement and security agencies.

Any interference with the right to privacy of telecommunications customers must be in accordance with the law.

The retention and disclosure of data and the interception of communications for law enforcement or security purposes should take place only under a clear legal framework and using the proper process and authorisation specified by that framework.

There should be a legal process available to telecommunications providers to challenge requests which they believe to be outside the scope of the relevant laws.

The framework should be transparent, proportionate, justified and compatible with human rights principles, including obligations under applicable international human rights conventions, such as the International Convention on Civil and Political Rights.

Given the expanding range of communications services, the legal framework should be technology neutral.

Governments should provide appropriate limitations of liability or indemnify telecommunications providers against legal claims brought in respect of compliance with requests and obligations for the retention, disclosure and interception of communications and data.

The costs of complying with all laws covering the interception of communications and the retention and disclosure of data should be borne by governments. Such costs and the basis for their calculation should be agreed in advance.

The GSMA and its members are supportive of initiatives that seek to increase government transparency and the publication by government of statistics related to requests for access to customer data.


United Nations General Assembly Report: Guiding Principles on Business and Human Rights — Implementing the United Nations “Protect, Respect and Remedy” Framework Sixth Form Law — Malone v. The United Kingdom website
High Court Judgement: Data Retention and Investigatory Powers Act 2014 (“DRIPA”)
UK Investigatory Powers Review Report: A Question of Trust
Office of the Privacy Commissioner of Canada website

Deeper Dive

Trending Towards Transparency

There is an important global debate on the scope, necessity and legitimacy of the legal powers government authorities use to access the communications of private individuals. ICT firms are increasingly reporting the demands of governments for communications data where it is legal to do so. These reports have revealed the degree to which government intelligence and law enforcement agencies rely on such information.

Many of the largest communications and internet content providers (including AT&T, Deutsche Telekom, Telenor, Verizon, Vodafone, Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo!) publish periodic transparency reports.

Typically these reports include how many of these requests resulted in the disclosure of customer information. They reveal the frequency of such requests, as well as some detail about the kind of information accessed. This can include customer account information, the interception of communications and metadata, which can reveal an individual’s location, interests or relationships. Mobile operators often have no option but to comply with such requests, but they are increasingly pressing for greater transparency about the nature and scale of government access.

Questions have also arisen about the role of telecommunications network and service providers in relation to such access. For example, misunderstandings can arise about the extent to which mobile operators have the technical capacity to intercept communications. Intercepting standard phone calls or SMS messages to and from specific users is technically possible, and lawful interception requirements and capabilities have been described in global mobile standards for decades.

However, communications between users on an internet-based platform, known as an over-the-top (OTT) service, is generally beyond the reach of mobile operators. OTT messaging applications are usually encrypted, and messages are not stored by operators nor are decryption keys made available to them. This leaves operators unable to access or provide the content of messages, even by lawful request. Both internet companies and mobile operators may find themselves in a difficult position, bound to meet their obligations to provide lawful access while also assuring their customers that they protect their personal information.

To further support their commitment to transparency, some operators have joined forces with internet companies and other stakeholders in initiatives such as the Global Network Initiative (GNI). The GNI brings together telecommunications operators, major internet companies, leading academics, civil society organisations and investors to advance privacy and freedom of expression in the ICT sector. In March 2017, seven operators – Millicom, Nokia, Orange, Telefónica, Telenor Group, Telia Company and Vodafone – joined an expanded GNI after having promoted transparency through the Telecommunications Industry Dialogue. These companies committed to the GNI Principles on Freedom of Expression and Privacy, which provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of these human rights globally.

Civil society organisations have contributed to the advancement of these issues by trying to provide trustworthy measures of transparency. Ranking Digital Rights (RDR) publishes an annual report on telecoms’ and internet companies’ disclosed commitments, policies and practices that affect users’ privacy and freedom of expression. The RDR calls for governments to allow encryption and publish their own transparency reports to make it clear what information they demanded from companies and why.

The debate can be heated between those who argue that law enforcement agencies require broad access to fight crime and those who challenge the level of government inquiry into private lives and strive to maintain citizens’ rights to privacy in the digital age. GSMA members maintain that transparency reporting brings valid information to the public and policymakers, raising key questions about the balance between government access and privacy.

Case Study

National Regulatory Approaches to Government Access

Increasingly, as witnessed in the UK, France, Germany and Australia, laws are being proposed that would require service providers to capture and retain communications data and grant the government systematic access to this information.

In the UK, communications service providers are required to separately retain a range of account and communications data and must ensure the data can be disclosed in a timely manner to UK law enforcement agencies, the security services and a number of prescribed public authorities under the UK Regulation of Investigatory Powers Act (RIPA). Prescribed authorities can also seek a warrant from the Secretary of State to intercept communications. The two main objectives of RIPA are to regulate the investigatory powers of the state and to set the legitimate expectations for citizens’ privacy. As RIPA is subject to oversight by the Surveillance Commissioner and the Interception Commissioner, citizens can seek redress for alleged unlawful access to their data or communications, and service providers operating in the UK can raise concerns about the validity of requests.

In April 2014, the European Court of Justice ruled that the EU Data Retention Directive is “invalid” as it violated two basic rights: respect for private life and protection of personal data. The European Commission has emphasised that the decision of whether to introduce national data-retention laws is a national decision and consequently, the UK and several other EU countries are reviewing their data-retention laws, which required communications service providers to store communications data for up to two years.

Meanwhile, in May 2015, the German Government outlined plans for a new data-retention law that would require telecoms companies to retain “traffic data” relevant to communications and hand them over (under certain conditions) to Germany’s law enforcement and security agencies. Germany’s privacy campaigners questioned whether the plans were constitutional, adding that, in their opinion, the German Government had not sufficiently outlined why the retention of the data is necessary.

In July 2015, the French Parliament approved a bill that allows intelligence agencies to tap phones and emails without seeking permission from a judge. The new law requires communications providers and internet service providers to hand over customers’ data upon request, if the relevant customers are linked to a “terrorist” inquiry. Protesters from civil liberties groups claimed the bill would legalise intrusive surveillance methods without guarantees for individual freedom and privacy.

Australia’s new Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 requires telecommunication service providers to retain for two years certain telecommunications metadata prescribed by regulations. This two-year retention period equals the maximum allowed under the earlier EU Data Retention Directive that the EU Court of Justice ruled as invalid.

Mandated Service Restriction Orders


From time to time, mobile operators receive orders from government authorities to restrict services on their networks. These service restriction orders (SROs) require operators to shut down or restrict access to their mobile network, network service or OTT service. Orders include blocking particular apps or content, restricting data bandwidth and degrading the quality of SMS or voice services. In some cases, operators would risk criminal sanctions or the loss of their licence if they disclosed that they had been issued with an SRO.

SROs can have serious consequences. For example, national security can be undermined if powers are misused, and public safety can be endangered if emergency services and citizens are unable to communicate with one another. Freedom of expression, freedom of assembly, freedom to conduct business and other human rights can also be affected.

Individuals and businesses can also be affected by an SRO, unable to pay friends, suppliers or salaries. This can have a knock-on effect on credit and investment plans, ultimately damaging a country’s reputation for managing the economy and foreign investment and discouraging donor countries from providing funds or other resources.

MNOs also suffer. Not only do they sustain financial losses from the suspension of services, and damage to their reputation, but their local staff can also face pressure from authorities and possibly even public retaliation.


What factors and alternatives should governments consider before planning an SRO?

What tools and methods can be used to avoid the need for an SRO or to avoid negative impacts if an SRO is the only option?


Australian government draft guidelines on website blocking 

Global Network Initiative and the Telecommunications Industry Dialogue Joint Statement: Service Restrictions
Telia Company form for assessment and escalation of SROs

Industry Position

The GSMA discourages the use of SROs. Governments should only resort to SROs in exceptional and pre-defined circumstances, and only if absolutely necessary and proportionate to achieve a specified and legitimate aim that is consistent with internationally recognised human rights and relevant laws.

In order to aid transparency, governments should only issue SROs to operators in writing, citing the legal basis and with a clear audit trail to the person authorising the order. They should inform citizens that the service restriction has been ordered by the government and has been approved by a judicial or other authority in accordance with administrative procedures laid down in law. They should allow operators to investigate the impacts on their networks and customers and to communicate freely with their customers about the order. If it would undermine national security to do so at the time when the service is restricted, citizens should be informed as soon as possible after the event.

Governments should seek to avoid or mitigate the potentially harmful effects of SROs by minimising the number of demands, the geographic scope, the number of potentially affected individuals and businesses, the functional scope and the duration of the restriction.

For example, rather than block an entire network or social media platform, it may be possible for the SRO to target particular content or users. In any event, the SRO should always specify an end date. Independent oversight mechanisms should be established to ensure these principles are observed.

Operators can play an important role by raising awareness among government officials of the potential impact of SROs. They can also be prepared to work swiftly and efficiently to determine the legitimacy of the SRO once it has been received. This will help establish whether it has been approved by a judicial authority, whether it is valid and binding and whether there is opportunity for appeal, working with the government to limit the scope and impact of the order. Procedures can include guidance on how local personnel are to deal with SROs and the use of standardised forms to quickly assess and escalate SROs to senior company representatives.

All decisions should first and foremost be made with the safety and security of the operators’ customers, networks and staff in mind, and with the aim of being able to restore services as quickly as possible.

Mandatory Registration of Prepaid SIMs


In a number of countries, customers of prepaid or pay-as-you-go (PAYG) services can anonymously activate their subscriber identity module (SIM) card simply by purchasing credit, as formal user registration is not required. Some 150 governments around the world[1] have mandated prepaid SIM registration, citing a perceived but unproven link between the introduction of such policies and the reduction of criminal and anti-social behaviour. Mandated prepaid SIM registration is most prevalent in Africa where 90 per cent of UN-recognised states have such laws.

Some governments, including the Czech Republic, UK and US, have decided against mandating registration of prepaid SIM users, concluding that the potential loopholes and implementation challenges outweigh the merits.

SIM registration can, however, allow many consumers to access value-added mobile and digital services that would not otherwise be available to them as unregistered users, including identity-linked services such as mobile money, e-health and e-government services.

For a SIM registration policy to create positive outcomes for consumers, it must be implemented in a pragmatic way that takes local market conditions into account, such as the ability of mobile operators to verify customer IDs. If registration requirements are too onerous for a customer to meet, mandating a SIM registration policy may lead to implementation challenges and unforeseen consequences. For example, it could unintentionally exclude vulnerable and socially disadvantaged consumers or refugees who lack the required IDs. It might also lead to the emergence of an underground market for fraudulently registered or stolen SIM cards, driven by the desire of some mobile users, including criminals, to remain anonymous.

[1] GSMA report: Access to Mobile Services and Proof of Identity 2021


To what extent do the benefits of mandatory prepaid SIM registration outweigh the costs and risks?

What factors should governments consider before mandating such a policy?

Industry Position

While registration of prepaid SIM card users can deliver valuable benefits to citizens, governments should not mandate it.

To date, there has been no empirical evidence that mandatory SIM registration directly leads to a reduction in crime. Where a decision to mandate the registration of prepaid SIM users has been made, we recommend that governments take into account global best practices and allow registration mechanisms that are flexible, proportionate and relevant to the specific market, including the level of official ID penetration in that market and the timing of any national identity roll-out plans.

If these conditions are met, the SIM registration exercise is more likely to be effective and lead to more accurate customer databases. Furthermore, a robust customer verification and authentication system can enable mobile operators to facilitate the creation of digital identity solutions, empowering customers to access a variety of mobile and non-mobile services.

We urge governments considering the introduction or revision of mandatory SIM-registration to take the following steps prior to finalising their plans:

  • Consult, collaborate and communicate with mobile operators before, during and after the implementation exercise.
  • Balance national security demands against the protection of citizens’ rights, particularly where governments mandate SIM registration for security reasons.
  • Set realistic timescales for designing, testing and implementing registration processes.
  • Provide certainty and clarity on registration requirements before any implementation.
  • Allow and/or encourage the storage of electronic records and design registration processes that are administratively “light”.
  • Allow and/or encourage the SIM-registered customer to access other value-added mobile and digital services.
  • Support mobile operators in the implementation of SIM-registration programmes by contributing to joint communication activities and to their operational costs.


GSMA Mandatory Registration of Prepaid SIMs website

GSMA Report: Access to Mobile Services and Proof of Identity

GSMA Policy Note: Enabling Access to Mobile Services for the Forcibly Displaced

GSMA Report: Mandatory Registration of Prepaid SIM Cards: Addressing Challenges through Best Practice

GSMA Report: Regulatory and Policy Trends Impacting Digital Identity and the Role of Mobile

Misinformation and disinformation


It is important to distinguish between misinformation and disinformation. Misinformation is information that is false but not created with the intent to cause harm. Disinformation is information that is false and deliberately created to harm a person, social group, organisation or country.

Mobile operators do not typically host content, but they can nevertheless be affected by false information. In particular, misinformation linking 5G and the COVID-19 pandemic has had direct consequences for the industry, such as attacks on telecommunications equipment and staff.

Through its work with the mobile industry, the GSMA provides access to factual information, including independent expert reports on EMF and health.  

In some countries, governments have used service restriction orders (SROs) to require operators to shut down or restrict access to their mobile network or service or an OTT service. Orders can include blocking particular apps or content, restricting data bandwidth and degrading the quality of SMS or voice services. This can have consequences for customers and society in general.


Who determines whether information is true or false?

What are the most effective mechanisms to deal with misinformation and disinformation?

Industry position

False information can have a harmful impact on society. It can erode public confidence and distort perceptions of independently verifiable facts, leading to a lack of public trust in democratic processes and in institutions. It can also create or deepen tensions in society by exploiting individual or collective vulnerabilities.

Governments and policymakers should explore appropriate counter measures to false online information.The EU Code of Practice on Disinformation, signed by online platforms, is an example of organisations collaborating to create an accountability mechanism and opportunities to share information and best practice.

Awareness campaigns can also be used to point citizens to trustworthy sources of information, equip them with tools to use technology safely and provide a mechanism to report websites containing false or harmful information.

Mobile operators continue to communicate accurate information on their networks and services to their customers.

While governments and law enforcement agencies have a legitimate mandate to protect citizens, this sometimes leads them to use powers that require mobile operators to block or restrict communication services. Internet shutdowns should be avoided or used only in very exceptional and predefined circumstances.


GSMA Report: Mobile Privacy Principles

GSMA EMF and Health website

GSMA Report: Exploring Online Misinformation and Disinformation in Asia Pacific

GSMA Report: Safety, Privacy and Security across the Mobile Ecosystem

EU Code of Practice on Disinformation

WHO FAQ: Radiation: 5G Mobile Networks and Health

WHO Mythbusters: 5G Mobile Networks DO NOT Spread COVID-19

Mobile Devices: Counterfeit


A counterfeit mobile device explicitly infringes the trademark or design of an original or authentic branded product, even where there are slight variations to the established brand name.

Due to their illicit nature, these mobile devices are typically shipped and sold on shadow or underground markets globally by organised criminal networks. It is estimated that almost one in five mobile devices may be counterfeit.[1] This has far-reaching negative impacts. Consumers risk lower quality, safety, security, environmental health and privacy assurances. Governments forego taxes and duties and must contend with increased crime. Industry players are also affected, as it can harm their trademarks and brands.

Some countries are considering introducing national lists of homologated (i.e., approved) devices to combat counterfeiting, smuggling and tax evasion. The purpose of homologated lists is to indicate which devices are permitted access to mobile networks. Operators add device-blocking capabilities to their local networks and connect with the national homologated list to ensure only permitted devices are allowed network access.

However, counterfeit mobile devices are not easy to identify and block, given that many have International Mobile Equipment Identity (IMEI) numbers that appear legitimate. It is now common for counterfeiters to hijack IMEI number ranges allocated to legitimate device manufacturers for use in their products, which makes it more difficult to differentiate between authentic and counterfeit products.

[1] According to figures from OECD, 2017


How can governments and other stakeholders best address the issue of counterfeit mobile devices?


GSMA IMEI Services: The Global Source of IMEI Data

GSMA Device Check Platform

EUIPO-ITU Report: The Economic Cost of IPR Infringement in the Smartphones Sector

Spot a Fake Phone website

Industry Position

The mobile industry supports the need for legal and product integrity in the device market and is increasingly concerned about the negative impact of counterfeit devices on consumer welfare and society in general.

Although mobile operators and legitimate vendors cannot stop the production and distribution of counterfeit devices, multistakeholder collaboration can help combat the issue at the source. National law enforcement and customs agencies should take measures to stop the production and exportation of counterfeit devices in their jurisdictions. Information on crime patterns and specific criminal activity relating to counterfeit devices must be provided by national agencies to appropriate international bodies, such as Interpol and the World Customs Organization, to facilitate action by relevant agencies in other jurisdictions.

The GSMA has made its device information and device status services available for customs agencies and other industry stakeholders to verify the authenticity of mobile device identities online. National customs agencies are advised to use these services as part of a rigorous set of measures to monitor the importation of mobile devices.

The GSMA encourages operators to deploy systems like Equipment Identity Registers (EIRs) and to connect to GSMA systems like EIR with access to the GSMA Device Database. Using the GSMA global Type Allocation Code (TAC) list of all legitimate device identity number ranges, operators can block devices with invalid IMEIs.

National authorities should study which factors, such as import duties and taxation levels, contribute to local demand for counterfeit devices. The potential of reducing tax levels on devices to narrow the price gap between counterfeit/smuggled and legitimate devices should be carefully considered, as it could make the underground market a less lucrative place to trade.

Implementing national lists of homologated devices can be successful if they are linked to the GSMA TAC list. National import verification systems and national device homologation systems should also be linked to national lists of approved devices. Some implementations propose that customers register their details and devices centrally. The GSMA does not support central customer registrations because they are unnecessary – the subscriber identities associated with each device can be established by operators themselves.

Where national authorities are considering introducing a system to block non-homologated devices, they should consider offering amnesty to consumers who already own non-compliant devices. Blocking huge quantities of devices would not only be a major loss for consumers, but would also have significant social, economic and security impacts. It is recommended that the funding model for such systems should not place a burden on consumers and mobile operators, since they are not the cause of the underlying issue. National systems should also not be applied to roamers who might be denied service without cause.

Mobile Devices: Theft


Policymakers in many countries are concerned about the incidence of mobile device theft, particularly when organised crime becomes involved in the bulk export of stolen devices to other markets.

The GSMA has been leading industry initiatives to block stolen mobile devices based on a shared database of the unique identifiers of devices reported lost or stolen. Using the IMEI of mobile devices, the GSMA Device Registry maintains a central list, known as the GSMA Block List, of devices reported lost or stolen by mobile customers. The GSMA Device Registry is available to mobile operators around the world to ensure stolen devices transported to other countries are also denied network access.

The effectiveness of blocking stolen devices on individual network EIRs depends on the secure implementation of the IMEI in all mobile devices. Leading device manufacturers are encouraged to support a range of measures to strengthen IMEI security in accordance with GSMA-defined security requirements.


What can industry do to prevent mobile phone theft?

What are the policy implications of this rising trend?


GSMA IMEI Services: The Global Source of IMEI Data

GSMA Device Registry

GSMA IMEI Security Technical Design Principles

GSMA Report: IMEI Security Weakness Reporting and Correction Process

GSMA Reference Document: Anti-Theft Device Feature Requirements GSMA Mobile Phone Theft: Consumer Advice

Industry Position

The mobile industry has led numerous initiatives and made great strides in the global fight against mobile device theft.

Although the problem of device theft is not of the industry’s creation, the industry is part of the solution. When lost or stolen mobile devices are rendered useless they have significantly reduced value, removing the incentive for thieves to target them.

The GSMA encourages operators to participate in its Device Registry Programme to report and block the IMEIs of devices flagged as stolen on the global Block List. Typically, operators deploy EIRs on their networks to deny connectivity to flagged devices and share identifiers of devices from their own local network’s block list to ensure devices stolen from their customers can be blocked on the networks of other participants. These block list solutions have been in place on some networks for many years.

To enable a wider range of stakeholders to combat device crime, the GSMA provides services that allow eligible parties, such as law enforcement, device traders and insurers, to check the status of devices against the GSMA Block List and, in some cases, to also flag stolen devices.

IMEI blocking, when combined with other multistakeholder measures, can be the cornerstone of a highly effective anti-theft campaign.

Consumers that have had their devices stolen are particularly vulnerable to their personal data being used to commit a range of additional crimes. Industry, law enforcement agencies and regulators are recommended to provide anti-theft consumer education material on their websites with advice and measures appropriate to their market.

The concept of a “kill switch” – a mechanism that disables a stolen phone remotely – has been developed for a range of devices. The GSMA supports device-based anti-theft features and has defined feature requirements for a globally applicable solution. These high-level requirements have set a benchmark for anti-theft functionality while allowing the industry to innovate.

The deployment of persistent endpoint security solutions on mobile devices can also help render devices useless and unattractive to criminals by preventing those devices from working on non-mobile networks such as Wi-Fi where EIR blocking would otherwise be ineffective.

National authorities have a significant role to play in combating criminal activity. It is critical that they engage constructively with the industry to ensure the distribution of mobile devices through unauthorised channels is monitored and that action is taken against those involved in the theft or illegal distribution of stolen devices.

A coherent cross-border information-sharing approach involving all relevant stakeholders makes national measures more effective. The GSMA advocates the sharing of stolen device data internationally for blocking and status-checking purposes, which can be facilitated by the GSMA Device Registry and Device Check services. Only if regulation allows stolen device information to be shared across all countries will this deterrent have a global impact.

In markets with a national homologated list, lost and stolen device information can be exchanged between mobile operators through the GSMA Device Registry. Alternatively, if a national device block list system is already in place, and complies with GSMA requirements, it may be approved to use the GSMA Device Registry to exchange block list information.

Mobile Network and Device Security


Security attacks can impact all technology, including mobile devices. Mobile operators use encryption technologies to deter criminals from eavesdropping and intercepting traffic.

The barriers to compromising mobile security are high and research into possible vulnerabilities has generally been technically quite complex. While no security technology is guaranteed to be unbreakable, practical attacks on mobile services are rare, as they tend to require considerable resources, including specialised equipment, computer processing power and a high level of technical expertise beyond the capability of most people.

Reports of eavesdropping are not uncommon, but such attacks have not taken place on a wide scale, and LTE and 5G networks are considerably better protected against eavesdropping risks than GSM networks. Moreover, 5G technology boasts a host of new security capabilities that further enhance protection levels.


How secure are mobile voice and data technologies and what is being done to mitigate the risks?

Do emerging technologies and services create new opportunities for criminals?

What will the 5G security landscape look like?


GSMA Security Accreditation Scheme website

GSMA Network Equipment Security Assurance Scheme

GSMA Security Advice for Mobile Device Users website

GSMA Coordinated Vulnerability Disclosure website

GSMA T-ISAC website

Industry Position

The protection and privacy of customer communications is at the forefront of operators’ concerns.

The mobile industry makes every reasonable effort to protect the privacy and integrity of customer and network communications.

The GSMA leads a range of industry initiatives to make operators aware of the risks and mitigation options available to protect their networks and customers and its work is acknowledged by regulators around the world as being sufficient to eliminate the need to formally regulate.

  • It works with a wide group of experts to facilitate an appropriate response to threats. It plays a key role in coordinating the industry response to security vulnerability research through its Coordinated Vulnerability Disclosure (CVD) programme.
  • The GSMA’s Telecommunication Information Sharing and Analysis Centre (T-ISAC) collects and disseminates information and advice on security incidents within the mobile community in a trusted and anonymised way. The GSMA has also conducted a comprehensive threat analysis involving industry experts from across the ecosystem, regulators as well as public sources such as 3GPP, the European Union Agency for Cybersecurity (ENISA) and the National Institute of Standards and Technology (NIST) and mapped these threats to appropriate and effective security controls. This analysis has been collated into a 5G Cybersecurity Knowledge Base providing useful guidance on a range of 5G security risks and mitigation measures.
  • The GSMA’s Fraud and Security Group acts as a centre of expertise to drive the industry’s management of fraud and security matters. The group seeks to maintain or increase the protection of mobile operator technology and infrastructure, and customer identity, security and privacy, so that the industry’s reputation stays strong and mobile operators remain trusted partners in the ecosystem.
  • The GSMA’s 5G Cybersecurity Knowledge Base makes available the combined knowledge of the 5G ecosystem to increase trust in 5G networks and make the interconnected world as secure as possible.
  • The GSMA supports global security standards for emerging services and acknowledges the role that SIM-based secure elements have played in protecting customers and mobile services because the SIM card has proven itself to be resilient to attack. The Embedded Universal Integrated Circuit Card (eUICC) approach used in eSIM solutions that has been defined by GSMA, and has been rolled out by industry, inherits the best security properties from the SIM and is designed to build on the protection levels achieved in the past.
  • The GSMA constantly monitors the activities of hacker groups, as well as researchers, innovators and a range of industry stakeholders, to improve the security of communications networks. Our ability to learn and adapt can be seen in the security improvements implemented from one generation of mobile technology to the next.

Number Resource Misuse and Fraud


Many countries have serious concerns about number resource misuse or calls that never reach the destination indicated by the international country code. These calls are instead terminated prematurely, through carrier and/or content provider collusion, to revenue-generating content services without the knowledge of the ITU-T assigned number-range holder.

This abuse puts such calls outside any national regulatory controls on premium-rate and revenue-share call arrangements and is a key contributing factor to International Revenue Share Fraud (IRSF) perpetrated against telephone networks and their customers. Perpetrators of IRSF are motivated to generate incoming traffic to their own services with no intention of paying the originating network for the calls. They then receive payment quickly, long before other parties, within the settlement process. Misuse also affects legitimate telephony traffic, as high-risk number ranges can be blocked as a side effect.


How can regulators, number-range holders and other industry players collaborate to address this type of misuse and fraud?


ITU-T Notification of Possible Misuse of E.164 Resources website

Industry Position

Number resource misuse has a significant economic impact on many countries, so multistakeholder collaboration is key.

The telecommunications fraud carried out as a consequence of number resource misuse is one of the topics being addressed by the GSMA Fraud and Security Group, a global conduit for best practice with respect to fraud and security management for mobile operators. The Fraud and Security Group’s main focus is to drive industry management of mobile fraud and security matters to protect operators and consumers and safeguard the mobile industry’s trusted reputation.

The Fraud and Security Group supports EU guidelines under which national regulators can instruct communications providers to withhold payment to downstream traffic partners in cases of suspected fraud and misuse.

The group believes that national regulators can help communications providers reduce the risk of number resource misuse by enforcing stricter management of national numbering resources. Specifically, regulators can:

  • Ensure national numbering plans are easily available, accurate and comprehensive.
  • Implement stricter controls over the assignment of national number ranges to applicants and ensure the ranges are used for the purpose for which they have been assigned.
  • Implement stricter controls over leasing of number ranges by number-range assignees to third parties.

The Fraud and Security Group shares abused number ranges among its members and with other fraud management industry bodies. It has also worked with leading international transit carriers to reduce the risk of fraud that arises as a result of number resource misuse, and with law enforcement agencies to support criminal investigations in this area.

Best Practice

Best practice

Recommended operator controls to reduce exposure to fraud from number resource misuse

  • Implement controls at the point of subscriber acquisition and controls to prevent account takeover.
  • Remove the conference or multi-call facility from a mobile connection unless specifically requested, as fraudsters can use this feature to establish up to six simultaneous calls.
  • Remove the ability to call forward to international destinations, particularly to countries whose numbering plans are commonly misused.

  • Utilise the High-Risk Number List available from the GSMA Fraud Intelligence Service, so that unusual call patterns to known fraudulent destinations can raise alarms or be blocked.
  • Ensure roaming usage reports received from other networks are monitored 24x7, preferably through an automated system.
  • Ensure that up-to-date tariffs, particularly for premium numbers, are applied within roaming agreements.
  • Implement the Barring of International Calls Except to Home Country (BOIC-exHC) function for new or high-risk subscriptions.

Privacy and Big Data


Increases in computing power and falling prices of information technology systems make it possible to process huge volumes of data from a variety of sources, in a range of formats, at greater speed than ever before. It is now possible to analyse all data from one or more large data sets, rather than relying on smaller samples of data. This allows meaningful insights to be drawn, where appropriate, from mere correlations in the data rather than having to identify causal connections. These capabilities are often referred to as “big data analytics” techniques.

At the same time, Internet of Things(IoT) is equipping an ever-increasing number of devices with sensors that collect and communicate data.

Together, these capabilities represent a sea change in society’s ability to create new products and services and solve some of the most pressing public policy needs of our time, from road management in congested and polluted urban areas to understanding and preventing the spread of diseases.

Mobile operators will increasingly use the information they collect for big data initiatives. They have an important role to play as responsible stewards of that data and potentially as facilitators in a future marketplace for access to this type of data.

However, big data capabilities also give rise to questions about security and privacy and how these important concerns can be addressed.


How can mobile operators and policymakers help society realise the benefits of big data analytics in a privacy protective manner and in compliance with applicable laws?

How can the GSMA further the trust among stakeholders involved in collecting and analysing data?


GSMA Report: Mobile Privacy and Big Data Analytics

GSMA Report: Mobile Privacy Principles

GSMA Report: Privacy Design Guidelines for Mobile Applications

OECD Report: Data-driven Innovation for Growth and Well-being

Federal Trade Commission Report: Big Data: A Tool for Inclusion or Exclusion?

Industry Position

The mobile industry recognises the societal benefits that can result from big data and wants to unlock the huge potential of big data analytics in a way that respects well-established privacy principles and fosters an environment of trust.

New laws are not necessary to address big data analytics and IoT. Rather, mobile operators recognise that existing privacy principles apply in these areas. Rules that restrict the legitimate use of data or metadata should be qualified and proportional to the risk of privacy harm that consumers might suffer if their data is misused. These rules should also be applied consistently across different industry sectors and types of technology.

Operators are well placed to understand the potential risks to individuals and groups from big data analytics and can implement measures to avoid or mitigate those risks.

New insights derived from the data will often give rise to new uses or “purposes of processing” that had not been considered or identified when the data was initially collected. Accordingly, privacy frameworks must recognise this potential and make such uses possible.

Mobile operators can address these types of challenges and increase trust between industry stakeholders and consumers by:

  • Building on existing privacy initiatives, such as the GSMA Mobile Privacy Principles and the Privacy Design Guidelines for Mobile Application Development.
  • Finding innovative ways to provide individuals with meaningful choice, control and transparency to individuals on what data is collected and how it is used. For example, this could be addressed through user-friendly dashboards or signals from IoT devices easily discoverable by smartphones.
  • Thinking carefully about the impact on individuals (and groups) of insights derived from big data and the actions or decisions that may be taken based on those insights.
  • Reducing the risk of re-identification of individuals after data has been processed where this may raise privacy concerns.
  • Establishing clarity on responsibilities between parties when collaborating on big data analytics projects.
  • Incorporating ethical decision-making into governance models.

Equally, governments can ensure their country and citizens gain the most benefit from the potential of big data by:

  • Understanding how big data analytics works and the context in which it takes place.
  • Accommodating innovative approaches to transparency and consent.
  • Developing and adopting practical industry guidelines and self-regulatory measures that seek to harness, rather than hinder, big data analytics.

Signal Inhibitors (jammers)


Signal inhibitors, also known as jammers, are devices that generate interference or otherwise intentionally disrupt communications services. In the case of mobile services, they interfere with communication between the mobile terminal and the base station. Their use by private individuals is banned in countries such as Australia, the UK and US.

In some regions, such as Latin America, signal inhibitors are used to prevent the illegal use of mobile phones in specific locations, such as prisons. However, blocking the signal does not address the root cause of the problem: wireless devices illegally ending up in the hands of inmates who then use them for illegal purposes.

Moreover, signal inhibitors do not prevent mobile devices from connecting to Wi-Fi networks because they do not affect the frequency bands used by Wi-Fi routers. As a result, signal inhibitors do not block people from using OTT voice applications to make calls to phone networks.

Mobile operators provide coverage and capacity by investing heavily in the installation of radio base stations. However, the indiscriminate use of signal inhibitors compromises these investments by causing extensive disruption to the operation of mobile networks, reducing coverage and leading to the deterioration of service for consumers.


Should governments or private organisations be allowed to use signal inhibitors that interfere with the provision of mobile voice and data services to consumers?

Should the marketing and sale of signal inhibitors to private individuals and organisations be prohibited?


GSMA Common position proposal on signal inhibitors (jammers) in Latin America

GSMA Report: Signal-Blocking Solutions: Use of Jammers in Prisons

GSMA Report: Safety, Privacy and Security Across the Mobile Ecosystem

Industry Position

In some Latin American countries, such as Colombia, El Salvador, Guatemala and Honduras, governments are promoting the deployment of signal inhibitors to limit the use of mobile services in prisons. The GSMA and its members are committed to working with governments to use technology to help keep mobile phones out of sensitive areas, and to cooperating on efforts to detect, track and prevent the use of smuggled devices.

It is vital that a long-term, practical solution is found that does not have a negative impact on legitimate users, nor affect the substantial investments that mobile operators have made to improve their coverage.

The nature of radio signals makes it virtually impossible to ensure that the interference generated by inhibitors is confined, for example, within the walls of a building. Consequently, the interference caused by signal inhibitors affects citizens, services and public safety. It restricts network coverage and has a negative effect on the quality of services delivered to mobile users. Inhibitors also cause problems for other critical services that rely on mobile communications. For example, during an emergency they could limit the ability of mobile users to contact emergency services via numbers such as 999, 911 or 112, and they can interfere with the operation of mobile-connected alarms or personal health devices.

The industry’s position is that signal inhibitors should only be used as a last resort and only deployed in coordination with operators. This coordination must continue for the total duration of the deployment of the devices, from installation through to deactivation, to ensure that interference is minimised in adjacent areas and legitimate mobile phone users are not affected.

Furthermore, to protect the public interest and safeguard the delivery of mobile services, regulatory authorities should ban the use of signal inhibitors by private entities and establish sanctions for private entities that use or commercialise them without permission from relevant authorities. The import and sale of inhibitors or jammers must be restricted to those considered qualified and authorised to do so and their operation must be authorised by the national telecommunications regulator.

Nevertheless, strengthening security to prevent wireless devices being smuggled into sensitive areas such as prisons is the most effective measure against the illegal use of mobile devices in these areas, as it would not affect the rights of legitimate users of mobile services.