Geolocation services: an international approach
Where is the nearest hospital? Is there an ATM around here? Questions such as this have become significantly less common in modern times thanks to the geolocation services available on almost all smart mobile devices. Geolocation services allow people to access information that is linked to the location of the smartphone. Therefore geolocation services require access to information concerning the location of the smart phone requesting the service. Such geographical position is often calculated by reference to the geographical coordinates of fixed elements surrounding the smart mobile device (e.g. WiFi access points, etc.) that have already been collected and stored in databases.
The processing of geographical information for the purposes of geolocation services is controversial. A contentious debate has begun as to whether such geographical information can be regarded as personal data or not. Those who believe that location data are personal data stress the possibility of combining the geographical information with other data (e.g. the unique identifier of the smartphone, information available in phone directories, etc) in order to track the identity of the individual. Those who disagree emphasize that the geographical information only identifies a device, not an individual, and that even if an individual could be identified from the geographical information, in general terms, such identification requires disproportionate efforts and cannot be carried out with the means likely to be used by the company operating the geolocation service or a third party.
If we focus on the European Union, this debate is mainly driven by Opinion 13/2011, on "Geolocation services on smart mobile devices", issued by Article 29 Data Protection Working Party ("WP29") last 16 May 2011. In a nutshell, the WP29 concludes that, as a general rule, geolocation information must be regarded as personal data and is therefore subject to the requirements of Directive 95/46/EC (in addition to Directive 2002/21/EC in the case of telecoms operators). It is interesting that WP29 distinguishes between the information concerning the position of the smart mobile devices and the information concerning the location of fixed elements (e.g. WiFi access points through the MAC address) that are used to obtain the geoposition of the
device. According to WP29, processing the real-time position of smart mobile devices is subject to the data subject opting-in, and giving its specific and informed consent (consents obtained as a result of general terms and conditions or through opt-out procedures are not valid). In the case of the information concerning the location of fixed elements, in particular MAC addresses of WiFi access points (SSIDs are regarded as excessive), the WP29 advocates applying the "legitimate interest" ground provided for in article 7(f) of Directive 95/46/EC (meaning consent is not required). However, the general public must be informed about the processing in an adequate way.
Even with this Opinion, the approach to this matter in the EU remains inconsistent. It is not in fact clear whether all the conclusions of the WP29 can be applied in all the EU Member States due to the different ways Member States have implemented Directive 95/46/EC. If we look beyond the EU too, we find opinion divided on the issue of processing geolocation data. This article provides an overview of different countries' perspectives as regards the data protection implications of geolocation services on smart mobile devices.
Article L 34-1 of the French Electronic Communication and Postal Code provides that operators may not, without the user's consent, use geolocation data for any purpose other than for the routing of the communication. The French data protection law of 1978 does not mention geolocation data, but the French data protection authority (the "CNIL") has been considering the use of geolocation services since 2005 and has issued a number of comments and recommendations.
One of the CNIL's first official statements regarding geolocation consisted of a recommendation issued in April 2010 relating to the implementation of geolocation devices by insurance companies and car manufacturers. This non-binding recommendation set out a number of principles regarding the terms of retention of data, the means of informing users and the possibility of users deactivating the device at will (except for "Pay As You Drive" services, as this would be contrary to the purpose of the agreement).
In May 2011, the CNIL also published an article in which it defined the rules which it considered to be applicable to geolocation and the collection of information from WiFi access points. The CNIL insisted on the idea that "the association of data allowing the identification of WiFi access points with geolocation data can allow the identification of a natural person directly or indirectly (for instance when its name appears in the SSID)" thus making it personal data according to French law.
Finally, it should be noted that the French Assemblée Nationale, published in July 2011, a non-binding report on the rights of individuals in the context of the digital revolution. In this report, it is suggested that the implementation of geolocation services should be subject to the prior authorization of the CNIL.
There is no specific guidance from the German Data Protection Authorities ("German Authorities") on geolocation services on smart mobile devices. However, the German Dusseldorf Circle (a data protection working party of the German Authorities) has established general principles on the use of smartphones, which also briefly touch on the use of location data, as follows:
- Transparency regarding any Data Disclosures: Users of smartphones must be informed of any disclosure and transfer of their personal data, such as location data, and about the exact purposes of the envisaged data uses.
- Means of Control: Users of smart mobile devices should be given the option to choose whether their data may be made available to an application, and, if so, what data may be transferred and to whom.
- Anonymous and Pseudonymized Uses: In general, users should be given the option of using their smartphones and the services available in an anonymous or pseudonymized form.
In Germany, specific legislation exists (based on Directive 2002/58/EC) concerning the use of location data from telecommunication networks and services (which, in principle, requires prior consent); however, in all other cases, the use of location data has to be assessed according to general data protection principles. It is likely that the German Authorities will follow the WP 29 Opinion 13/2011; however, it remains to be seen whether the requirement of consent will be interpreted as extensively by the German Authorities, in particular, in cases where the use of location data is necessary for the provision of a geolocation service which is expressly requested by the user and, thus, permission may be implied according to statute.
Hong Kong data protection legislation does not contain any specific provisions relating to geolocation services on smart mobile devices. In the absence of such regulations, privacy issues associated with geolocation services would be dealt with in accordance with the general data protection law.
Geolocation service providers are required to comply with the provisions of the Personal Data (Privacy) Ordinance to the extent that they collect and use personal data in connection with geolocation services.
In 2010 the Hong Kong Privacy Commissioner conducted a compliance check of Google's collection of MAC address and WiFi router names, as well as content of WiFi communications, in connection with its Street View geolocation service. The Privacy Commissioner's examination mainly focussed on whether the snippets of WiFi communication data obtained by Google amounted to personal data, and he did not comment on whether MAC addresses and WiFi router names constituted personal data under the Hong Kong legislation. It was found that no personally identifiable information had been collected as the WiFi communication data did not contain any meaningful details that would enable the identification of individuals.
There are amendments to the data protection legislation in the pipeline which are set to introduce stricter requirements in relation to the use of personal information for direct marketing. Under these amendments, if personal information obtained via geolocation services is to be used for marketing purposes, geolocation service providers would be required to comply with further requirements, such as to provide data subjects with an opportunity to opt-out of their personal data being used for direct marketing purposes.
Similarly, the Spanish Data Protection Agency ("SPDA") has not yet issued specific guidance on geolocation services on smart mobile devices. Geolocation has been mainly analyzed by the SDPA within the context of official requests submitted by companies or sanctioning proceedings as regards using geolocation tools to control employees' activities. In these cases, the debate has been principally focussed on the proportionality of geolocation as way to control employee's activities.
However, the Spanish position may vary in the coming months when the SDPA rules on certain pending cases involving the collection of MAC address and WiFi router names within the context of geolocation services. The decisions of the SDPA will probably clarify whether or not this information should be regarded as personal data under Spanish law.
As regards other conclusions set out in Opinion 13/2011, although it is likely that the SDPA will ultimately follow them (in particular regarding the qualification of geolocation data as personal data), some of their conclusions are not currently mandatory under the Spanish Data Protection Law (for example, the Opinion prohibits the use of opt-out mechanisms to get users' consent or to ask them for the renewal of their consent, whereas Spanish law currently permits this). Furthermore, although the WP29 advocates applying the "legitimate interest" exception in certain cases, as a result of improper implementation of Directive 95/46/EC this alternative is not currently available in Spain (although this may change in the future).
Therefore, for now, it seems that the most appropriate approach for geolocation providers to take in Spain is to follow the WP29 recommendations which are currently required by the Spanish data protection laws.
Recent federal court decisions and proposed legislation have focussed on the issues of (1) whether the government violates a defendant's Fourth Amendment rights by using this data for law enforcement purposes without a warrant, and (2) whether mobile companies must get consent before collecting or sharing consumers' geolocation data.
In the coming months, the Supreme Court will address the first issue when it rules on whether law enforcement bodies must obtain a warrant before using GPS devices to monitor vehicles.
On the second issue, there has been a flurry of proposed bills and hearings in Congress on consumer privacy and geolocational data in recent months. As a result of these hearings, several recent bills have been introduced addressing the privacy of geolocation data. Senator Al Franken (D-Minnesota) and Senator Richard Blumenthal (D-Connecticut) introduced the "Location Privacy Protection Act" (S. 1223), which focuses specifically on the collection of geolocation data by covered entities through mobile devices. The bill would prohibit entities that offer or provide services to certain mobile devices from collecting and disclosing a consumer's geolocation information, unless the company has obtained the consumer's express consent.
Senator Ron Wyden (D-Oregon) and Representative Jason Chaffetz (R-Utah) introduced the bipartisan "Geolocational Privacy and Surveillance Act," a proposed legal framework designed to give government agencies, commercial entities and private citizens clear guidelines for when and how geolocation information can be accessed and used.
The outcome of the Supreme Court's decision and legislative activity will ideally produce clearer guidelines for when and how geolocation information can be accessed and used by both commercial and law enforcement entities in the United States.