My letter to datainspektionen on how the “Mobile BankID” app is compromising privacy of Swedish citizen and the (anonymized) negative reply by datainspektionen leaves the question open, who is taking responsibility in such cases.
Von: “Wilmar Igl” <REMOVED>
Betreff: Mobile BankID (android-based version) breaches data privacy
to increase my privacy and avoid sharing data with Google on US servers, I have installed the open-source Android system “Lineage OS”  on my smartphone (Motorola Moto G4) including the “Mobile BankID” app . Unfortunately, “Mobile BankID” requires Google Mobile Services (ie Google Play Store etc) [3, 4] and a Google account. This means that Google Mobile Services will continuously send and store user information (call history, text messages, emails, calendar, location data, connection data, …)  on the servers of Google, as a very powerful, profit-driven US-american company subject to US law and the US government.
Gesendet: Montag, 02. März 2020 um 10:40 Uhr
Von: “Datainspektionen (no-reply)” <firstname.lastname@example.org>
An: “email@example.com” <firstname.lastname@example.org>
Betreff: Reply from Swedish Data Protection Authority
Thank you for contacting the Swedish Data Protection Authority (SDPA).
The company you refers to is a private company and does not have anything to do with the SDPA. We can offer general guidance in questions about the rules in the General Data Protection Regulation (GDPR), but we cannot take decision about how a company must design a particular service. A recommendation is therefore that you send your suggestion also to the company.
The Swedish Data Protection Authority
The Swedish Data Protection Authority is a public authority.