According to press reports, German car giant Volkswagen has banned its employees from using the wildly popular smartphone app Pokémon GO during work hours. Reportedly, the company cited impaired attention and distraction from work as the primary grounds for the prohibition, but data security and privacy issues are supposedly involved as well. Volkswagen has not yet made an official statement on the ban.

This app in particular and augmented reality in general pose many legal questions, especially, in the field of privacy law. The most pressing privacy issue with Pokémon GO seems to be the constant tracking of geolocation data. By agreeing to the Pokémon GO Privacy Policy, the user allows Niantic, the company behind the app, to track the user’s “device location […] and some of that location information, along with [the] user name” any time he or she uses the app.

The Concept of Augmented Reality

The app is based on the concept of “augmented reality,” meaning that the real world environment is “augmented” with virtual elements. The app relies on the users’ GPS location data and images taken by their smartphones’ camera devices to let them catch virtual Pokémon monsters on a map overlaying their real surroundings. The real world is used as the setting for the chase.

Data Protection and Privacy Concerns

All gathered data is processed at Niantic’s headquarters in San Francisco, California, United States. While, according to the privacy policy, “information that can be used to identify or recognize [the user]” will, in principle, not be shared, there are still concerns in the Pokémon community regarding the extent to which third parties can access that information. The users’ tracking data could provide information not only on their residency or workplace but also, for example, on their preferred mode of transportation, walking speed and frequency of smartphone use. This information could, by itself or in combination, be considered personal data.

The rules on the collection, use and disclosure of personal data differ among jurisdictions. For example, pursuant to section 3 para. 1 of the German Federal Data Protection Act, personal data is defined as “any information concerning the personal or material circumstances of an identified or identifiable individual.” Within the territory of application of that act, the collection, processing and use of personal data is only permissible in rare prescribed circumstances (see section 4) or with the consent of the data subject. The requirements might be significantly lower in other countries.