Earlier this year reports surfaced in the press that iPhones and Android smartphones were periodically recording and storing users’ location data. It was suggested that the users’ location information was being stored locally on the phones and, in the case of iPhones, was automatically backed up to a user’s computer when they synced their phone with it. Tech-savvy users quickly realised that by simply accessing the relevant files on their phones, maps of their whereabouts could be quickly drawn up. Fears began to grow of unscrupulous individuals getting hold of phones and relatively easily determining the location of users’ homes, places of business and the schools their children attend. These fears resurfaced only last month when it was revealed that certain HTC handsets contained a flaw which allowed any mobile app to access the file containing a user’s location data (as well as email address lists and phone number logs). Public concern emanating from these revelations has prompted a response at EU level, clarifying the position of the law surrounding location data on smartphones.
The ‘location data’ referred to above is more accurately known as geo-location data, which is any data that refers to the geographical location of a person or object. This data is, of course, vital to popular apps like Foursquare and Facebook Places and enables us to geo-tag photographs taken on our smartphones. Geo-location data on mobiles can be obtained from mobile phone antennae (base stations), from Global Positioning System (GPS) chips built into handsets, or when phones connect to WiFi access points.
Current legal position
Currently, the law surrounding the use and processing of one’s geo-location data is contained in two different pieces of legislation. Geo-location data, if used either alone, or in combination with other information, to identify a living person, is considered ‘personal data’ under the Data Protection Act 1998 (DPA). As such, data controllers may only process it if the DPA has been adhered to. Notable DPA imperatives include:
- Gaining the consent of the person to whom the data relates.
- Processing of the data when necessary to perform a contract with an individual.
- Processing when necessary for the legitimate interests of the data controller or a third party to whom the data is disclosed, except where it is unwarranted because it is prejudicial to the individual.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (E-Privacy Regulations) also specifically govern the processing of geo-location data. The E-Privacy Regulations state that telecommunications operators may only process customers’ geo-location data where either the user cannot be identified by such data or where it’s necessary for the provision of a value added service, with the consent of the user concerned. Before obtaining such consent, the operators must provide a user with information on the type of location data processed, the purposes and duration of the processing of the data and whether the data will be transmitted to a third party.
The EU opinion
Due to the confusing state of the law surrounding the processing of geo-location data and the recent bad press surrounding the processing of such data, the Article 29 Working Party (the “Working Party”), a group of data protection regulators from EU member states, recently decided to publish an opinion on the current state of the law, seeking to clarify the responsibilities of the network operators, app providers and social networking sites who control and process this data. Although the opinions of the Working Party are not binding, they are persuasive and may influence how the Information Commissioner enforces privacy and data protection laws in relation to smartphone geo-location data.
The Working Party felt that as one can always link a smartphone to an identifiable living person, geo-location data from smartphones should generally be considered to be personal data. As such, prior informed consent is the main legitimate ground for processing geo-location data and, erring on the side of caution, network operators, app providers and social networking sites should be obtaining it from their customers as standard. The Working Party provided some clarification as to the nature of such consent:
- It cannot be obtained by implied consent to general terms and conditions and should be specifically mentioned to users, who should then positively provide their consent.
- Consent should be obtained before the geo-location data is processed.
- Consent must be specific for the purposes for which the data is being processed.
- Location services on smartphones and apps should be switched off as a default. An opt-out mechanism is not adequate for obtaining user consent.
- Consent should be limited in terms of time and users should be periodically reminded that their location data is being processed.
Clearly, the Working Party’s rationale is to ensure that, in advance of processing geo-location data, network operators, app providers and social networking sites provide their users with easily digestible information on what that will entail and obtain their positive consent. Following this advice should mean a decrease in the recent spate of embarrassing stories in the press on the matter and should ensure that the relevant parties don’t incur hefty fines for non-compliance from the Information Commissioner.