The Article 29 Working Party (Article 29 WP), an independent European advisory body on data protection and privacy, adopted on May 16 its “opinion 13/2011 on Geolocation services on smart mobile devices” to clarify the legal framework applicable to the three main different geolocation infrastructures, GPS, GSM base stations (antennas) , and WiFi. The opinion provides short, but clear explanations of these three technologies.
How personal data stored on smart mobile devices can be collected
The explanation on what is WiFi is particularly interesting to read, as it explains why WiFi access points can be used as a source of geolocation, and how their location can be calculated. That technology is not without privacy risks, as the MAC address (unique identifier) of a WiFi access point can be collected by broadly recording all WiFi frames transmitted by access points, “which can lead to the collection of data exchanged between access points and the devices connected to them” (p. 6).
Behavioral patterns
Geolocation service providers may be able “to gain an intimate overview of habits and patterns” of the owner of a smart mobile device, such as sleep patterns (when user does not use device), where user works (he drives every day around 9:00AM to the Acme Inc. building), health issues (all these visits to the hospital!), religious affiliation (regular visits to a place of worship), or even sex life (regular visitor of a certain pink store at the edge of town). Such pattern can then be made into profiles, which are of great interest for companies. Indeed, the Article 29 WP points out in the introduction of the document that, “[i]n general, the value of information increases when it is connected to a location,” and that all kinds of information may be connected to a location, including health or financial data (p.3).
European Legal Framework
The relevant legal framework is the Directive 95/46/EC, the data protection directive, because of its broad scope, that is, every case where personal data is being processed. Its article 2(a) defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
The Article 29 WP points out that there many available means to identify an individual, as people disclose more and more personal location data, whether it is done voluntarily or not, and thus it is easier now to “link a location or behavioural pattern to a specific individual” (p.10).
However, even if identification of an individual by combining the MAC address of a WIFi access point with its calculated location would require “unreasonable effort,” it does not preclude concluding that such data is personal. Therefore, “the data controller should treat all data about WiFi routers as personal data” (p.11). Looking beyond geolocation issues for a moment, could that mean that the WP29 would consider anonymized data as personal, even if de-anonymizing it would require “unreasonable effort”?
Directive 2002/58/EC, the e-privacy Directive, only applies to processing of base station data by telecom operators (p. 8). Indeed, its article 2(c) provides a definition of “location data” as “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.”
If a company provides “location services and applications based on a combination of base station, GPS and WiFi data,” it is an information society service company. Such company is explicitly excluded from the scope of the e-privacy directive, and“[t]he e-Privacy directive does not apply to the processing of location data by information society services, even when such processing is performed via a public electronic communication network” (p. 9).
Even though this opinion does not assess web 2.0 geotagging technology (p.4), networking sites “enabling the (further) processing of location data” have the “important responsibility” to decide which default settings they offer to their users.
User consent
Telecom operators need to obtain prior consent of the user before using base station data, and the user must be informed about the terms of data processing (p.14). Also, because of the sensitivity of location data, information society services companies also must obtain prior consent from their customers before processing such data, which must be given “freely” pursuant to article 2(h) of the data protection Directive. However, a default setting allowing such processing “should not be mistaken for freely given consent” (p.14).
Data subject rights
Data subjects have the right not only to access their location data, but also the profile based on this data:
Data subjects have a right to obtain from the different controllers access to the location data they have collected from their smart mobile devices, as well as information on the purposes of the processing and the recipients or categories of recipients to whom the data are disclosed. The information must be provided in a human readable format, that is, in geographical locations, instead of abstract numbers of for example base stations.
Data subjects also have a right to access possible profiles based on these location data. If location information is stored, users should be allowed to update, rectify or erase this information.(p.18)