Cell phone not personal enough for GDPR protection?!

17 March 2023
A1 Logo

Cell phone not personal enough for GDPR protection?!

Contradictory decision from the Austrian Federal Administrative Court (BVwG): Cell phone traffic and location data are particularly sensitive data that require additional protection, but at the same time they are not personal data at all. According to the BVwG, the mobile phone provider A1 may refuse to provide information about traffic and location data, as this data is particularly sensitive and there would be no way to prove that a cell phone was not used by other people. noyb will file an appeal.

Complaint before DSB. Ever since A1 Telekom Austria provided cell phone user’s movement data to the government during the Corona pandemic, many users have wanted to know which location data was collected and stored on them. When a user submitted an access request, A1 refused to provide information about traffic and location data because the user could not sufficiently prove that he was the sole user of the phone number/SIM card. According to A1, it was therefore unclear whether the location data collected was in fact from the same person who filed the access request. As a result, noyb filed a complaint against A1 with the Austrian authority (DSB) in June 2020 and comprehensively argued that the cell phone in question was used by the complainant alone. Without investigating the facts itself, the DSB agreed with A1's argument. noyb then took the case to the Federal Administrative Court.

Impossible proof required. According to the Federal Administrative Court, the mobile provider can refuse to answer an access request because the location of a cell phone does not necessarily have to be the location of the owner. The user would therefore have to prove that his cell phone (also protected by PIN and fingerprint) was not used by anyone else. But even an affidavit from the user was not accepted by the court.

"The Federal Administrative Court requires data subjects to prove that they are the sole user of a cell phone in order to obtain a copy of their data. At the same time, however, the court holds that such proof is practically impossible - an unsolvable dilemma with the result that one gets no information about the use of data by A1." - Marco Blocher, data protection lawyer at noyb

Far-reaching implications. If the decision of the Federal Administrative Court is upheld, affected individuals in Austria will be threatened with massive discrimination. The court requires proof of exclusive use in particular because traffic and location data are sensitive information in terms of their content. According to the court's logic, data controllers could simply refuse to provide information as soon as the data in question is somewhat more sensitive. After all, even a person wearing a smartwatch, the user of a dating app or the user of a menstruation or pregnancy app cannot provide objective proof that they were actually the only one using the device or app at all times. noyb will appeal the decision of the Federal Administrative Court before the Supreme Administrative Court.