Behavioural targeting was once again in the news when the “Article 29 Working Party” of all EU member state data privacy law enforcers issued an opinion on “Geolocation services on smart mobile devices.” Anna Williams reports on the unsurprisingly hardline position taken on consent.
Topic: Mobile marketing
Who: Article 29 Working Party
When: 16 May 2011
Where: European Union
Law stated as at: 1 June 2011
The Article 29 Working Party (the European committee made of up national data protection regulators from the 27 EU member states) recently published an opinion on geo-location services available via smart mobile devices. It's an opinion which has caught the attention of the legal and marketing professions alike and which could hint at how regulation and enforcement n this space could develop in the near future.
What is geo-location data?
Geo-location data refers to the geographic location of a person or an object. Such data can be obtained using smart mobile devices such as 3G mobile phones and satellite navigation devices through the use of either GSM base stations (which provide such data to mobile telecommunications operators), Global Positioning System data (which is transmitted by mobile devices that have on-board chipsets with GPS receivers), WiFi access points (which transmit a unique ID that can be detected by a mobile device) or proximity/personal area network data (most commonly provided through Bluetooth technologies). To one extent or another, each of these methods can detect the presence of a smart mobile device within a designated local area.
The ability to determine accurately the position and travel of a smart mobile device over a period of time has led to an increase in the availability of sophisticated smart mobile device applications, such as those that facilitate the geo-tagging of photographs to show exactly where an image was taken, those that enable a smart mobile device owner to locate their lost or stolen device, and services which monitor the location of children or employees to name a few. We have also become accustomed to a variety of mobile applications which enable the user to locate information on services, restaurants and transport in their current area – all of which utilise location data to some degree.
Current legal framework concerning the use of location data
To the extent that geo-location data can be used to identify a living individual (either by itself or when combined with other forms of data), it is capable of being considered "personal data" under section 1(1) of the Data Protection Act 1998 (the "DPA"). As with any other form of personal data, data controllers must therefore ensure that when processing such location data, they adhere to the data protection principles detailed in Schedule 1 to the DPA. Such data must be processed fairly and lawfully and must not be processed at all unless at least one of the conditions set out in Schedule 2 to the DPA is satisfied (for instance if the individual the data relates to has consented to its processing or the processing is necessary to perform a contract in place with that individual).
Regulation 14(2) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 also provides that:
"Location data relating to a user or subscriber of a public electronic communications network or a public electronic communications service may only be processed:
(a) where that user or subscriber cannot be identified from such data; or
(b) where necessary for the provision of a value added service, with the consent of that user or subscriber."
Before obtaining the user's or subscriber's consent to process their location data, the service provider is also required to provide the individual concerned with information regarding the types of location data that will be processed, the purpose for which the data shall be progressed, how long the data will be processed for and whether the data will be transmitted to any third party.
Under the current legal framework applicable to the use of location data, consent is therefore an important concept. There is no clear definition of what constitutes such required consent where location-based services are concerned but guidance from the UK Information Commissioner makes it clear such consent should be "very clear" when provided, both in terms of the permitted processing, the type of information to be processed and the purposes of the processing in question.
A summary of the Working Party's opinion on the use of location data
The Working Party focused on the fact geo-location services via smart mobile devices can provide a very intimate insight into a person's private life through their physical movements. The location of a smart mobile device and the address of a WiFi access point can easily be linked to a natural person who is then usually directly and indirectly identifiable from such data.
The Working Party was also concerned that smart mobile device owners are sometimes unaware that they are transmitting their location to third parties (or to whom they are transmitting such data). Another concern of the Working Party was that the consent provided for certain geo-location applications and the use of location data could often be invalid because the information provided by service providers to individuals about the key elements of the processing of such location data is often incomprehensible, outdated or otherwise inadequate.
For these reasons, the Working Party concluded that location data derived from smart mobile devices should always be treated as "personal data". The Working Party explains that the processing activities of most of these stakeholders should therefore be governed by the Data Protection Directive.
This means that insofar as they are "data controllers", different stakeholders which have access to and process geo-location data (including mobile network operators, controllers of geo-location infrastructure (in particular controllers of mapped WiFi access points) and application service providers to name just a few in the supply chain) should process such data in accordance with the existing legal framework where the processing of personal data is concerned.
Legitimate grounds for processing geo-location data
In the Working Party's opinion, the main legitimate ground for processing location data is prior and informed consent. In defining the conditions data controllers must meet to obtain valid consent to such processing, the Working Party rules out any method for obtaining consent that, in its view, includes the risk that consent may only be 'implied', without the user being aware of what processing could take place. In particular, the Working Party states:
- consent to the processing of location data cannot be obtained through the use of general terms and conditions;
- consent provided must be specific and must relate to each of the different purposes the location data is being processed for (including any general profiling or behavioural targeting purposes of the data controller);
- location services must be capable of being switched off and a possible opt-out mechanism does not constitute an adequate mechanism to obtain informed user consent; and
- care must be exercised when obtaining consent for the processing of location data relating to employees and children.
Where employees are concerned, employers may only adopt geo-location technologies when it is demonstrably necessary for a legitimate purpose and the same goals cannot be achieved via less intrusive means. Where children are concerned, the Working Party is of the opinion that parents must judge whether the use of such a geo-location service application is justified in particular circumstances. As a minimum, parents should inform their children of the processing of their location data and, as soon as reasonably possible, allow them to participate in the decision as to whether such geo-location applications should be used.
The Working Party also recommends the scope of consent sought should be limited in terms of time and that providers of geo-location services should remind users at least once a year that they are processing their location data relating for specific purposes. In another recommendation, the Working Party suggests providers of geo-location services should develop technical means for obtaining consent which include settings of sufficient detail with regard to the precision of the location data to be collected. It is recommended that data subjects must be able to withdraw their consent in an easy way and that this should not lead to any adverse effects to their use of their mobile device.
On the subject of the mapping of WiFi access points, the Working Party agreed companies can have a legitimate interest in the collection and processing of data relating to WiFi access points for the specific purpose of offering geo-location services but the balance of interests between the rights of the data controller and the rights of data subjects requires that the data controller to offer the right to easily and permanently opt-out from their databases.
Finally, the Working Party also sought to reiterate the following points within their opinion:
- that information relating to geo-location services should be provided to subscribers and users in a clear and comprehensive fashion which is easily accessible and understandable to a broad, non-technical audience;
- that controllers of geo-location information from smart mobile devices should enable their customers to obtain access to their location data in a human-readable format. They should also allow for the rectification and erasure of such data without collecting excessive personal data for such purposes. The Working Party recommends such a process should be facilitated by the creation of secure online access to the data concerned;
- users should be asked to consent to every new use of their geo-location data; and
- personal data must not be kept for longer than is necessary for the purpose for which it was originally collected (meaning providers of geo-location applications or services should implement retention policies which ensure geo-location data and profiles derived from such data are deleted after a justified period of time).
Why this matters:
Although the opinions of the Working Party are not legally binding on data controllers, they are often followed by national data protection authorities as part of the enforcement of their national data protection regimes. It is therefore worth taking note of the Working Party's recommendations and thoughts, particularly given that the Working Party is made of up national data protection regulators from the 27 EU member states.
The Working Party's opinion also provides some useful guidance for the way in which the EU data protection framework could possibly be enforced across EU member states in the future where location data is concerned. Data controllers would be wise to therefore pick up on the approach taken by the Working Party where the concept of consent is concerned in relation to geo-location services. The Working Party has sought to set out clear requirements for the way in which consent may be obtained in an online environment so businesses will no longer be able to rely on methods that merely 'imply' a user's consent in some way without checking the user is actually aware of what it is he or she has actually signed up to.