On May 16, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on geolocation services on smart mobile devices (the “Opinion”). The Opinion clarifies the legal framework and obligations applicable to geolocation services such as maps and navigation tools, geo-personalized services, geotagging of content on the Internet, child control and location-based advertising.
The Opinion addresses specific privacy concerns with regard to the main types of infrastructure used to provide geolocation services, namely GPS (satellite-based) technology, GSM (antenna-based) base stations and WiFi routers. Special attention is paid to services using WiFi access points and their unique identifiers (e.g., Medium Access Control (“MAC”) addresses).
The e-Privacy Directive Does Not Apply to Geolocation Services on Smart Mobile Devices
The Working Party takes the position that the processing of geolocation data by companies is mainly governed by the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”), which has been transposed into the laws of the EU Member States.
According to the Working Party, the EU E-Privacy Directive 2002/58/EC (“e-Privacy Directive”) is only relevant to geolocation data processing by telecommunications operators. Other companies that provide geolocation services and applications based on a combination of base station, GPS and WiFi data should be considered providers of “information society services” and, consequently, excluded from the scope of the e-Privacy Directive. Companies Offering Geolocation Services and Applications on Smart Mobile Devices Must Comply with the Data Protection Directive
The Opinion states that companies offering geolocation services and applications on smart mobile devices used in the EU should comply with the principles of the Data Protection Directive. Below are some of the key arguments and recommendations for compliance put forward by the Working Party.
- Geolocation data are personal data. Geolocation data constitute personal data even when they are derived from the combination of a unique MAC address and the location of a WiFi access point. The main rationale is that companies operating geolocation services on smart mobile devices can indirectly identify individuals, and this indirect identification is sufficient to qualify the information as personal data under Article 2 (a) of the Data Protection Directive. For example, it may be possible for a provider of geolocation applications and services to establish the precise location of a WiFi access point based on signal strength. Once the location of a WiFi access point has been established, providers may be able to link it to a particular user (for example, they can indentify the owner of the apartment or house where the access point is located).
- Multiple parties may be data controllers. Controllers of geolocation infrastructure (e.g., owners of databases with mapped WiFi access points), providers of geolocation applications and services (e.g., store locator tools, weather forecast applications) and developers of operating systems all may qualify as data controllers in certain circumstances, and therefore may need to comply with the principles of the Data Protection Directive.
- Prior opt-in consent is required in most cases. The Working Party has concluded that in most cases, geolocation data may only be processed with users’ prior consent. Consent must be specific, informed and freely given, and can be withdrawn at any time. The Working Party notes that opt-out mechanisms and geolocation services switched on by default usually are not sufficient to meet these requirements. In addition, the Working Party is in favor of requiring users to renew their consent at least once a year. The Working Party also provides guidance on particular issues raised with respect to obtaining the consent from employees and children.
- Users must be provided with proper notice. Data controllers must provide users with clear, comprehensive, understandable and easily accessible notice. Notice may be given in several different forms, but the ultimate goal should be to provide clear information to the users of geolocation applications and services. The Working Party emphasizes that the validity of consent is inextricably linked to the quality of the information provided about the services. It also encourages the various stakeholders involved in geolocation services to cooperate and develop best practices for providing appropriate notice to users.
- Data controllers must enable users to exercise their privacy rights. The various data controllers involved in the processing of geolocation data via smart mobile devices must enable individuals to access their data in a human readable format and rectify and delete data where appropriate. This also includes the right to access, rectify and erase any profiles that may be derived from personal data. The Working Party also encourages the creation of online platforms that provide users with secure access to their data.
- Geolocation data must be deleted as soon as possible. Data controllers must implement retention policies pursuant to which geolocation data, or profiles based on such data, are deleted or made anonymous as soon as they are no longer necessary for the purposes for which they were initially collected. Unique identifiers (such as MAC addresses) should only be stored for a maximum period of 24 hours, and should subsequently be deleted or anonymized.
View a copy of the Opinion.