The rapid technological development and increasing availability of smart mobile devices is encouraging the development of a new range of location-based services. These services allow clients to create a detailed overview of the habits and patterns of mobile device users and to build user profiles.
In April 2011 the Garante, Italy’s data protection authority, opened an inquiry into a new operating system developed for the iPhone and iPad, which was able to track the position and movements of users (or data subjects), recording the data on the device.
The Garante’s annual report for 2010, released in June 2011, sums up the results of an inquiry into software which can be downloaded and installed on smartphones and tablets in order to provide such devices with additional functions – for example, monitoring a user’s own personal banking operations, managing a client portfolio or sharing photos or videos. The Garante found that most users of such software were unaware of the risks related to the processing of their data, particularly the risk of third parties accessing or obtaining it. The Garante is examining the mechanisms used to inform data subjects of the purposes for which data is processed and the reasons for doing so, including internal policies, security measures and enforcement measures in the event of infringements of such policies or illicit data processing.
Data Protection Working Party’s opinion
On May 16 2011 the Article 29 Data Protection Working Party, the independent EU advisory body on data protection, issued Opinion 13/2011 on geolocation services on smart mobile devices. The opinion clarifies the legal framework applicable to geolocation services that are available on such devices, such as maps and navigation, geo-personalised services (including alerts to nearby points of interest), geo-tagging of online content and location-based advertising.
The working party advocates stricter guidelines and greater transparency for users to ensure that they understand when their phones are using geolocation services. Although the guidelines are not binding, the working party’s opinions are highly persuasive and are generally followed.
Legal framework
The opinion stresses that geolocation data is personal data. Therefore, companies offering geolocation services and applications on smart mobile devices used in the European Union must comply with the EU Data Protection Directive (95/46/EC).
The working party considers that a smartphone owner is identifiable as an individual because smartphones are closely linked to a specific person. The unique number of a smartphone, combined with geolocation data, could identify a home or place of business and thus, indirectly, the phone’s owner. The opinion also expresses concerns about geo-tagging applications that allow third parties to give location information without permission, citing it as a further reason to treat geolocation information as personal data. The EU E-privacy Directive (2002/58/EC) applies to the processing of base-station data by telecommunications operators, including the provision of WiFi hotspots.
Controllers of geolocation infrastructure (which operate databases that map WiFi access points and calculate the location of a smart mobile device), providers of geolocation applications (eg, a service that offers information about nearby shops) and developers of operating systems may qualify as data controllers if they determine the means and purposes of the data processing. If so, they must comply with the principles of the Data Protection Directive.
Recommendations
According to the opinion, the use of location data from smart mobile devices is conditional on the user’s prior informed consent. The following requirements should be applied:
• consent cannot be obtained through general terms and conditions;
• consent must be specific to the particular purpose for which data is being processed (eg, the profiling or behavioural targeting purposes of the data controller);
• if the purpose of the processing changes materially, the controller must seek new, specific consent;
• consent must be for a limited period and users must be reminded of such consent at least once a year;
• data subjects must be able to withdraw their consent easily, without negative consequences for their use of their device.
Location services must be switched off by default. A possible opt-out mechanism does not constitute an appropriate method of obtaining informed user consent.
The opinion states that particular care must be applied to data relating to employees and children. Employers may use such technology only if it is demonstrably necessary for a legitimate purpose, and if the same goals cannot be achieved by less intrusive means. In the case of children, their parents or guardians must exercise their judgement as to whether use of such an application is justified in specific circumstances.
Data controllers must provide users with a clear, comprehensive, understandable and easily accessible information notice. This must establish their identity as controllers and must inform users of:
• the purposes of the processing;
• the type of data to be processed;
• the duration of the processing;
• the rights of data subjects to access, rectify or cancel their data; and
• the right to withdraw consent.
The opinion states that the best practice for providers of geolocation applications is to structure an application so that it:
• clearly informs the user about the purposes for which it wants to use the data;
• asks for unambiguous consent for each potentially different purpose;
• allows the user to choose the level of geolocation (eg, country level, city level, post code/zip code level or as accurately as possible);
• shows an icon to warn the user that location services are switched on (once the function is activated); and
• allows the user to withdraw consent at any time, without having to exit the application, and to delete the location data stored on the device easily and permanently.
Data controllers should implement retention policies which ensure that geolocation data, or profiles derived from such data, are deleted when no longer needed. Unique identifiers (eg, Media Access Control addresses for WiFi access points) should be stored for a maximum of 24 hours, after which they should be deleted or anonymised.
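The best-practice structure and the retention rule above, as an added illustration that is not part of the opinion or of any real application: per-purpose consent with a one-year validity, user-chosen location precision, easy withdrawal that also deletes stored data, and anonymisation of WiFi MAC addresses after 24 hours. The mapping of precision levels to decimal places is an assumption made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Assumed mapping from the opinion's precision levels to decimal places of lat/lon.
PRECISION = {"country": 0, "city": 1, "postcode": 2, "exact": None}
CONSENT_VALIDITY = timedelta(days=365)      # limited period; reminder at least yearly
IDENTIFIER_RETENTION = timedelta(hours=24)  # WiFi MAC addresses kept for at most 24 h

@dataclass
class Consent:
    purpose: str          # one consent per distinct purpose, never via general T&Cs
    granted_at: datetime
    level: str
    withdrawn: bool = False

    def valid_at(self, now):
        return not self.withdrawn and now - self.granted_at < CONSENT_VALIDITY

@dataclass
class LocationStore:
    consents: dict = field(default_factory=dict)  # purpose -> Consent
    fixes: list = field(default_factory=list)     # location records held on the device

    def grant(self, purpose, level, now):
        if level not in PRECISION:
            raise ValueError(f"unknown precision level {level!r}")
        self.consents[purpose] = Consent(purpose, now, level)

    def withdraw(self, purpose):
        # Withdrawal must be easy and must also remove the data already stored.
        if purpose in self.consents:
            self.consents[purpose].withdrawn = True
        self.fixes = [f for f in self.fixes if f["purpose"] != purpose]

    def record(self, purpose, lat, lon, wifi_mac, now):
        c = self.consents.get(purpose)
        if c is None or not c.valid_at(now):
            return None  # no valid, purpose-specific consent: store nothing
        places = PRECISION[c.level]
        if places is not None:  # coarsen to the level the user chose
            lat, lon = round(lat, places), round(lon, places)
        self.fixes.append({"purpose": purpose, "lat": lat, "lon": lon,
                           "mac": wifi_mac, "at": now})
        return (lat, lon)

    def purge(self, now):
        # Retention policy: anonymise unique identifiers once they are 24 h old.
        for f in self.fixes:
            if f["mac"] is not None and now - f["at"] >= IDENTIFIER_RETENTION:
                f["mac"] = None
```

Call `purge` from a periodic job on the device; `record` returns the coordinates actually stored, or `None` when no valid consent exists for that purpose.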
Prior, informed consent is the first step towards compliance for all parties involved in the development and provision of geolocation services in the European Union. However, consent is only one of the data protection requirements that must be fulfilled in order to make processing lawful. In Italy, for example, processing operations concerning geolocation data must also be notified to the Garante pursuant to Article 37(1)(a) of the Data Protection
Geolocation services and privacy concerns