By Epicenter.works

After a media report from the media outlet “Addendum”, the Austrian postal service faces public outcry over its data gathering and sales activities. The Austrian Post is known for not only exercising their main duty of post delivery, but also selling addresses of Austrian residents to companies and political parties, for advertising. The media report said that not only are addresses being sold, but also sensitive data of 2,2 million Austrian inhabitants.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

The postal service’s data sheet includes a person’s name, address, age and gender, but also more than 40 other data sets, some of which are very sensitive types of personal information. One of those data points is the preference to a political party, which is a “special category of data”, and therefore requires explicit consent for processing. The postal service answered to the public outcry by stating that the data they are collecting on political preference is just an estimated probability, which is generated in a similar way as polls on elections.

Due to a lack of explicit consent, we believe this must be considered a breach of the General Data Protection Regulation (GDPR). To build public pressure, EDRi member epicenter.works provided a form for individuals to easily request access to their data. Within a week, the form was downloaded nearly 2000 times, and sent to the Austrian Posts data protection officer, which lead into wide media coverage by national and international news outlets.

A few days after stating the absolute confidence in the legality of this kind of data collection, the postal service changed their strategy to the opposite, and declared that they intend to delete these records and refrain from selling them further to their clients.

Further investigations by the Austrian Data Protection Authority (DPA), that need to take action immediately on this and other similar cases that may exist. Once the result of out data access requests, further actions could be started. Because of the dangerous precedent this case could be related to political profiling on a massive scale, the work of the DPA to oversee the implementation of the GDPR is crucial. If they set a strong precedent on this case, other businesses would be discouraged from keeping or starting similar cases of data exploitation in the future.

Epicenter.works
https://epicenter.works/

The post tells something to everybody! (only in German, 07.01.2019)
https://epicenter.works/content/die-post-verraet-allen-was

When the Post takes sides (only in German, 07.01.2019)
https://www.addendum.org/datenhandel/parteiaffinitaet/

Austria’s Post Office under fire over sharing data on political allegiances (11.01.2019)
https://www.thelocal.at/20190111/austrias-post-office-under-fire-over-data-sharing-political

Austrian Post Office to delete customers’ political data (10.01.2019)
https://phys.org/news/2019-01-austrian-office-delete-customers-political.html

Austria’s national post office under fire over data sharing (08.01.2019)
https://economictimes.indiatimes.com/news/international/business/austrias-national-post-office-under-fire-over-data-sharing/articleshow/67444380.cms

(Contribution by Iwona Laub, EDRi member Epicenter.works, Austria)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner