Last June was published the Regulation (EU) 2017/1128 on cross-border portability of on line content services in the internal market. Sorry, the title is too long to make a cool acronym out of such a long name.
First important concept: portability
I think that is important to inmediately clarify the concept of the portability regulated here, which is completely different from the concept with the same name regulated by the GDPR.
The Article 2 of Regulation 2017/1128 defines the concept of «portable«: it «means a feature of a on line content service whereby subscribers can effectively access and use the on line content sercice in their Member State of residence without being limitated to a specific location«.
An example for non-lawyers: if you are a citizen resident in an EU country and you are a subscriber of an on line content (for example, Spotify), you can use the service you pay for, when you are on vacation/work/temporary stay in another EU country.
It is a vvery good news for consumers, that can enjoy the services they pay for, with no territorial limitations. I insisted in the concept of the «paid services», because this Regulation only applies to onerous services; the free services are excluded from the application of this Regulation.
It makes completely sense: if you pay for something in your country, and travel temporarely to another EU country, why the heck you shouldn’t enjoy your subscription?
No retrictions are allowed to the services for legitimate subscribers. Actually, the Article 3 clearly states that services must begiven «in the same manner as in th Member State of residence». That means: same content, same range and number of devices, same number of users and same range of functionalities, without any additional charges.
This Regulation shall apply from 20 March 2018.
The provider shall verify the Member State of residence of the subscriber, to understand when he/she is at home or temporarely visiting another EU country. In its legitimate verification process, the provider can just use no more than two identification factors listed in the Article 5. Fine; no privacy threatning methods allowed.
These identifications factors are obviously personal data and they must be processed «in compliance with the Directive 95/46/EC and 2002/58/EC«.
No mention to the GDPR. It’s curious, isn’t it?