On 16 May 2011, the European Commission’s Article 29 Working Party released their latest Opinion on the status of geolocation data for the purposes of European privacy rules. Though not strictly binding on EEA Member States or businesses operating within Europe, the Working Party’s Opinions are highly influential and certainly set the scene for changes to come. This latest Opinion confirms the position taken by the European Data Protection Supervisor, that geolocation data should be considered ‘personal data’, and should therefore fall directly within the scope of the European Data Protection Directive and its national implementing rules in force in each EEA Member State. The revised European E-Privacy Directive is also relevant here, but applies only to the processing of base station data by telecom operators.
The Working Party propose that all geographic location data, including GPS, GSM and WiFi tracked data, as used in a wide variety of services such as mapping, geotagging, augmented reality and location targeted advertising, should be protected in the same as any other type of personal data under European law. Personal data is currently defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. Were geolocation data to be expressly included as personal data, the full range of collection, use and export restrictions under European law would apply.
In the view of the Working Party, geolocation data collected from mobile tracking devices and tracking functions must be considered personal data, as there is both a direct and an indirect link back to an identifiable individual, either via the name, contact and banking details commonly databased against every mobile device user (and any additional financial information collected when purchasing new software to run on those devices), or by combining the unique identifying number of the individual’s device with the various geolocation data collected (every single smart mobile device is branded with at least one unique identifying number).
By extending the scope of personal data to expressly include geolocation data, the net of European privacy rules will be cast over a wider range of information services and infrastructure providers. Such businesses will no longer be able to rely on the fact that they solely handle geolocation data (and not the owner databases etc. themselves) as a way to avoid the scope of European privacy rules. If the provider or developer of a geolocation services infrastructure or a tracking application or operating system is providing geolocation services to users in an EEA Member State, European privacy rules will be applicable to them, even where they themselves are located outside of Europe. The critical location here is the location of the smart mobile device using those geolocation services and software, rather than the location of the services infrastructure or services provider business and databases.
In practice, prior informed consent is likely to be the most reliable basis on which to collect and process an individual’s location data: consents hidden in general terms and conditions; opt-out consents; and tracking default settings will not be sufficient to provide valid consent here. In addition, a user must be provided with an easy way to withdraw their consent, and consent may need to be re-confirmed at regulator intervals, depending on how the user accesses the tracking service. The national laws of the various EEA Member States or their regulators may also impose additional limitations or requirements. For example:
- German law requires that telecommunication providers request consent from the users if they want to use location data generated by those users for any purpose other than the provision of the service. In addition, users have to be given the opportunity to block the transfer of location data for each individual call or message.
- The French CNIL has recently issued guidelines (on 5 May 2011) applicable to the collection of geolocation and other personal data from WiFi access points: the CNIL emphasized that users must be specifically informed of the nature of the data collected through the mobile device and of any transfers of such data to third parties. The CNIL also made clear that the user must, at all times, have the right to delete the geolocation data, whether stored on the mobile device or by a third party.