A1: "Where were you? None of your business!"
noyb.eu filed a GDPR complaint against A1 Telekom Austria on Friday, as A1 refuses to provide traffic and location data to its customers. Since A1 also uses this data for movement analyses (recently for corona analyses), the lack of transparency seems particularly problematic.
- Download: Complaint German (PDF)
Location data. Part of the complaint deals with "location data". This is data indicating the geographical location of the telecommunication equipment of a user; it can therefore be used to determine the location of a user's mobile telephone. A1 also uses this data for the recently debated anonymous movement analyses.
Mobile phone not "personal" enough? Here, A1 relies on an old decision from the Austrian data protection authority (DSB) and believes that it is not obliged to provide the data, as users aren't able to sufficiently prove that they are the sole users of the phone number/SIM card. It was therefore unclear whether the location data recorded were really data about the user - and not about another person.
"This view is completely illogical. A cell phone is a highly personal item and has lock codes for this reason. It is bizarre to make the general assumption that mobile phones are passed around in circles every day. Refusing to provide information violates European and Austrian data protection law. The law even requires that a user's personal data be made more easily accessible. Instead of transparently informing users, A1 is trying to do exactly the opposite with these tricks." - Marco Blocher, data protection lawyer at noyb.eu.
Traffic data. The second part of the complaint concerns "traffic data". This includes IP addresses, log data, time and duration of the connection, the amount of data transmitted and certain location data. A1 only provides this traffic data as part of the bill including itemised billing, although the GDPR entitles the user to receive a copy of all their personal data at any time.
Is the government entitled to know more than the person affected? A1 bases its refusal on a highly questionable interpretation of the Austrian Telecommunications Act (TKG). In simple terms, this provides that traffic data may only be transmitted to the police, the public prosecutor's office and to courts in connection with criminal investigations or criminal proceedings. Based on the case law of the data protection authority, which was issued well before GDPR came into force, A1 refuses to grant the users access to the traffic data.
"A1's approach of transferring old decisions of the data protection authority to the new legal situation under GDPR is disturbing. § 99 TKG is intended to prevent telecommunications providers from passing on traffic data to any third party and therefore restricts the transfer to certain authorities or courts. Withholding the user's own data is not the purpose of the provision and is not compatible with the GDPR!" - Marco Blocher, data protection lawyer at noyb.eu.
GDPR over national laws and decisions. On May 25, 2018, now two years ago, GDPR became applicable. With complaints about national traditions that are certainly not in line with GDPR, noyb.eu wants to ensure that the rights of those affected are enforced throughout Europe. After all, GDPR should not only create a unified legal framework for companies, but also for citizens.