The 'excessive' angle seems hopeless to argue: that just leads to endless debates about what is 'excessive'.
Instead, I'd rather argue about whether this piece of personal data is 'relevant'. It obviously isn't. As you say, they could easily replace it with a UUID or, to use something permanent already at their disposal, your O2 customer-id (which might arguably also be personal information, but at least not something anyone with Wireshark can immediately use to get you on the bloody phone).
It's an example of sheer laziness to send the telephone number itself instead of doing a lookup and sending something less sensitive. I've dealt with a similar situation with zipcode verification and you can bet I refused to send the zipcode straight up or hashed (the number of zipcodes is rather limited).
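The point about hashing a value drawn from a small set, as an added example that is not part of the original comment: it assumes five-digit ZIP codes and an unsalted SHA-256, and contrasts that with the lookup approach the comment recommends. `recover_zip`, `TokenDirectory` and the sample value are hypothetical names and data constructed for illustration.

```python
import hashlib
import uuid
from typing import Dict, Optional


def sha256_hex(value: str) -> str:
    """Unsalted SHA-256 of an identifier (the assumed 'hashed' variant)."""
    return hashlib.sha256(value.encode("ascii")).hexdigest()


def recover_zip(digest: str) -> Optional[str]:
    """Return the five-digit code whose hash equals `digest`, if any.

    Only 100,000 candidates exist, so anyone who sees the digest can
    enumerate them all. A salt the observer also knows changes nothing.
    """
    for n in range(100_000):
        candidate = f"{n:05d}"
        if sha256_hex(candidate) == digest:
            return candidate
    return None


class TokenDirectory:
    """Server-side lookup: the sensitive value never leaves the server.

    Other parties only see a random token that is not derived from the
    value, so there is nothing to enumerate.
    """

    def __init__(self) -> None:
        self._token_by_value: Dict[str, str] = {}
        self._value_by_token: Dict[str, str] = {}

    def token_for(self, value: str) -> str:
        if value not in self._token_by_value:
            token = str(uuid.uuid4())  # random, unrelated to the value
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return self._token_by_value[value]

    def resolve(self, token: str) -> Optional[str]:
        return self._value_by_token.get(token)


if __name__ == "__main__":
    sample = "90210"  # constructed sample value
    print("hash reversed to:", recover_zip(sha256_hex(sample)))
    directory = TokenDirectory()
    token = directory.token_for(sample)
    print("token reversed to:", recover_zip(token))
```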