Data protection authority finds traffic and location data from cell phones not "personal" - noyb appeals to federal administrative court
In June 2020, noyb had filed a formal complaint against the Austrian mobile provider A1. The reason: A1 had persistently refused to disclose location data and certain traffic data to a customer, citing the outdated ruling practice of the data protection authority prior to the applicability of the GDPR (25.05.2018). The argument: the data on a cell phone would not be "personal" because someone other than the owner of the cell phone could have used the device. In mid-October, the Austrian data protection authority (DSB) issued a decision stating that A1 had been justified in refusing to provide the information and that there was no reason to deviate from the previous decision. The decision, which is only superficially substantiated, is not legally binding - noyb has now filed a notice of appeal with the Federal Administrative Court, which will now review the matter.
Location data: Your cell phone - but not your data!
Who else could it have been. Regarding the location data generated by the user's cell phone - these indicate the geographical location of the cell phone - the DSB regrettably saw no reason to depart from its old ruling practice before the GDPR. Since a user cannot prove that the location data generated relates exclusively to him or her, location data is generally not covered by the right to receive a copy of the data under Article 15 of the GDPR. The DPA thus concludes from the abstract possibility that someone else may have used the user's cell phone that the user has no right of access to the data generated by his cell phone - a highly personal, password-protected device. This is despite the fact that the person concerned has protected the cell phone with a PIN, has made a declaration that he has never lent the cell phone and there is no other indication that someone else could have used the cell phone. If one continues this reasoning of the DSB, there is virtually no claim to receive a copy of the data. After all, with any Internet-enabled device or account, it is theoretically possible that someone else is using it.
"It is disappointing that the DSB has not taken our complaint as an opportunity to revise your simply illogical ruling practice. Let's think this through: you have a smartwatch? No data disclosure on collected health data, someone else might have been wearing it! You use Netflix? No data disclosure, someone else might have been watching TV with your account! You order regularly on Amazon? No data disclosure, someone else might have placed an order! As a result, the fundamental right to data access would only exist in exceptional cases." - Marco Blocher, data protection lawyer at noyb.
Impossible to prove. Of course, there are scenarios in which, contract holder and cell phone user fall apart - e.g. in the case of a company cell phone or the contract for a minor child. In the case at hand, however, it is a private individual contract of a childless user. Nevertheless, A1 and now also the DSB insinuate without any evidence that he would pass on his cell phone - which, on top of that, is locked by PIN and fingerprint. He would have to prove the opposite, but he could not - even an affidavit of exclusively own use was not accepted by the authority.
"Apart from the fact that even the blanket insinuation of third-party use of the private cell phone is completely out of touch with life, the DSB does not allow a user to show that it is indeed exclusively his cell phone. This is also a bottomless pit: A user simply cannot prove exclusive use of a device or account unless he or she videotapes his or her entire life. Here, the DSB should have relied on general life experience and settled for prima facie evidence. With decisions like this one, the DPA is becoming the gravedigger of the data subject rights provided for in the GDPR." - Marco Blocher, data protection lawyer at noyb.
Traffic data: Only the authorities are allowed to know
Misinterpretation of the legal situation. Regarding traffic data, the DPA also saw no reason to depart from its questionable historical ruling practice. Traffic data includes IP addresses, log data, time and duration of the connection, or the amount of data transmitted. Although the GDPR requires that a user receives a copy of all personal data concerning him, A1 only transmitted an itemized bill, the rest is concealed from the user. The DPA covers this procedure with an undifferentiated standing sentence: the Austrian Telecommunications Act takes precedence over the GDPR as a more specific rule:
"Also with regard to traffic data, the DPA simply cited a historical decision as justification and did not respond to our complaint with a single word. The fact that the Austrian Telecommunications Act displaces the rights under the GDPR would only be possible if it implemented rights under the e-Privacy Directive that actually conflict with the GDPR. This is not the case: the e-Privacy Directive does not require a restriction of the right to information under data protection law in any word. Although legal doctrine is also clearly in favor of a right to information also within the scope of the e-Privacy Directive, mobile providers are given what appears to be arbitrary special treatment." - Marco Blocher, data protection lawyer at noyb.
Authorities may know more than the user? Moreover, it is particularly problematic that the DPA relies, among other things, on § 99 para 5 TKG 2003 to justify why a mobile user is not to be provided with information about all traffic data. This provision does not even implement the e-Privacy Directive, but was introduced in the course of the "Data Retention Directive", which was repealed by the ECJ, and was retained as appropriate. It allows police, public prosecutors and courts to demand a user's traffic data from the mobile network provider in connection with possible criminal data. From this, the DPA concludes that only these state institutions are entitled to access all traffic data - but not the user himself, although Article 15 of the GDPR and Article 8 of the Charter of Fundamental Rights enshrine a fundamental right to self-disclosure.
"Here, the DPA is completely barking up the wrong tree. Because authorities and courts are allowed to get traffic data from the mobile provider under strict conditions, the user himself should never get it? That is not at all the content or purpose of the provision and not compatible with the GDPR!" - Marco Blocher, data protection lawyer at noyb.
National traditions and special treatments must give way to the GDPR. The GDPR is applicable in all EU member states since 25.05.2018 and replaces national data protection laws that existed before. Within the scope of the e-Privacy Directive (e-Privacy Directive for electronic communications), the member states may or must in some cases also issue special rules under data protection law for "providers of electronic communications services" (such as A1). In relation to the GDPR, the following applies: If a national provision implementing the e-Privacy Directive and a GDPR provision pursue the same objective, the GDPR provision must take a back seat if it would impose additional obligations on the provider (Article 95 GDPR). For this reason, consent is not required under the GDPR for technically necessary cookies, for example. For the objective "data protection rights of data subjects", however, the e-Privacy Directive does not provide any regulation at all - not even regarding traffic or location data - so that the GDPR rights of data subjects " (access, rectification, deletion, etc.) apply as everywhere else. There are no additional obligations; a mobile operator such as A1 simply has the same obligations to data subjects under the GDPR as any other company.
Against this background, national special approaches - such as the historical practice of the DPAs - must not be maintained. After all, the GDPR requires uniform application throughout the EU. noyb is committed to ensuring that this European standard is also enforced. It now remains to be seen whether the Federal Administrative Court will correct the DPA's decision.