We got this protection with phone number porting eventually. So there’s hope, when government becomes sane again.

An interesting point here actually - number porting was viewed to be core to a telecoms service operator. They have to provide it free of charge as a cost of doing business.

Perhaps we need similar for email forwarding - it's clear that the major email platforms (Google, Microsoft) can already handle mail that is simply deferred to another mail server (see partial cloud email transitions).

Perhaps we need the same for email? So a user can have a Gmail address, but receive their email elsewhere. Would still require an authenticated backend to let the user control the end destination email server, but that's the same for number portability. Telecoms operators handle that part, and each provider is regulated. For email it could be a basic login ability for the old account to enable picking the destination mail server.

It's also worth remembering that number portability didn't happen on its own: incumbent telcos fought against it tooth and nail.

Absolutely. Perhaps an angle for the current ongoing antitrust/anticompetitive behaviour investigations going on in the House?

Incumbent telcos fought portability, but in the end it has become a "given". There's no reason OTT services can't also have the same - email is already federated. I could see issues around whether people should be able to "port" their email and still send using their old "From" address (not least SPF/DKIM technical aspects), but the ability to receive seems an obvious one that could be handled.

The challenge for OTT services is that absent regulation to force it, if an email provider goes down, there's nobody to step up and continue to provide the relay service.

Of course they did. Who wouldn't fight for a huge moat around their business? :)

Number portability also helped unlocked competition between providers.

It's easy to forward from gmail to any address if you want that.

Does that continue to work if you get locked out though?

No. And it wouldn't help rebuild the historical record.

I’ve heard off at least one case where a fella’s wife was locked out and still forwarded email.

Be sure to disable gmail’s spam detector if you do this. I’ve seen > 30% false positives in a setup like that.

> Companies that provide public utility type services

The only "public utility type services" Google provides is phone service through Fi. Nothing else counts as a utility. Even then I'm not sure if being an MVNO counts.

> The only "public utility type services" Google provides is phone service

I guess my implicit suggestion that email services be regarded as a type of public utility was a bit convoluted. But gmail is surely a close enough parallel to postal services of old (traditionally a public utility) to be regarded as such. Legislation has simply not caught up with technological developments.

It's not. Email is decentralized, anyone can run a server, and there are no email monopolies.

If you live in the EU, Google are legally obligated to hand over your data under GDPR notice.

If they have it. They can delete your data.

An interesting perspective, but GDPR also requires them to delete data according to policy. If, by their policies, the data should still be held, then you have the right to access it. If they deleted it contrary to policy, that would itself be a breach of GDPR, and you would likely have strong grounds to sue and seek relief. If the data was to be held pending court action and they deleted it, that could get even more serious for them, and into the contempt-of-court territory.

I don't think that's correct. The GDPR retention policy sets out maximum retention time.

The guiding principle is that data should only be retained as long as is required to serve the purposes for which it was collected. So if your account is permanently terminated, there is probably an argument that GDPR requires the deletion of all data as soon as possible.

GDPR sets out a maximum retention time as you point out, but it also regards the act of "erasure or destruction" as a processing operation (Art 4(2)).

Recital 83 highlights the importance of preventing "accidental or unlawful destruction, loss, alteration" of data, and Art 5(1) says "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)"

I wouldn't want to be in Google's shoes in such a situation, as the principle of fairness and transparency would come to light, and I think it would be quite hard for them to argue against this.

You are also right that GDPR sets out principles of not retaining data for longer than is required (data protection by default), although all of these rights have to be balanced. If you could argue the deletion was not lawful, fair, or transparent, you would have a breach under Art 5(1).

The Art 20 right to portability would also be relevant here, around people's right to port a copy of their own data. Given the existence of these rights, a blanket "we nuked all your stuff" would deprive a person of reasonably exercising their rights, and I could envisage consequences for this.

It would be really interesting to see some of this get put to the test though - GDPR could become a way to force "human intervention" in some of these situations on the basis of not wanting exposure to unwanted legal risk.