The privacy lobbyists noyb, which stands for “none of your business”, have filed a complaint accusing A1 Telekom Austria of not complying with Europe’s General Data Protection Regulation (GDPR). They specifically argue that A1 Telekom Austria refuses to provide customers with information about their location and movements, although the same data is being used for other purposes, such as tackling coronavirus. According to noyb’s statement:
A1 bases its refusal on a highly questionable interpretation of the Austrian Telecommunications Act (TKG). In simple terms, this provides that traffic data may only be transmitted to the police, the public prosecutor’s office and to courts in connection with criminal investigations or criminal proceedings. Based on the case law of the data protection authority, which was issued well before GDPR came into force, A1 refuses to grant the users access to the traffic data.
GDPR requires businesses to respond with all the personal information they hold about a customer, if the customer asks for it. noyb is testing the limits of this obligation for all telcos by essentially demanding information that A1 Telecom Austria must have at some level, but which the telco is understandably reluctant to share. As well as asking for information about location and movements, the complaint also states customers should be entitled to receive more information than typically available through itemized billing, such as IP addresses, log data, time and duration of each network connection, and the amount of data transmitted.
It says a lot about the flaws of GDPR that noyb is still picking important holes in its implementation two years after the new data protection rules came into force. Some telco managers may believe that common sense dictates that noyb’s bid to impose extensive additional costs on telcos must fail. This misses the point; GDPR compliance relates to what the law actually states, not how it should have been drafted by politicians who were eager to show they cared about privacy but who have little comprehension of how to realize it in practice.
Do not underestimate the potential for noyb to turn this complaint into a potential fiasco for the authorities and telcos. noyb are both intelligent and persistent, as proven when founder Max Schrems (pictured) destroyed the transatlantic rules for exchanging personal data by convincing the highest EU court that the European Commission failed to meet the legal requirements when agreeing to a ‘safe harbor’ for exchanging data with organizations in the USA.
You can download the whole of noyb’s complaint (in German) by clicking here.