Whether you are booking a taxi or searching nearby restaurants, location data is proving increasingly useful. Equally, however, location data is likely to identify the person using these services. Given how frequently location data is used, and in light of the associated risks, the Data Protection Commissioner (“DPC”) recently published a guidance note on the collection and processing of location data.
We examine what location data is, when data protection rules apply, and how service providers can comply with those rules.
What is location data?
Location data is created when technologies allow electronic devices, such as smartphones and tablets, to be easily located. This enables the person using such a device to easily access an array of services, from checking local weather to discovering what is showing at a nearby cinema.
If an electronic device is easily located, then, generally speaking, so is the person who uses it. Since a person’s movements could be analysed over a particular period of time, this information can become valuable. For example, service providers might seek to target people with specific advertisements. The DPC believes that this poses potentially serious risks to a person’s privacy.
Location data as personal data
If information is considered to be personal data, the collection and use of such information is regulated under the Data Protection Acts (the “Acts”). For location data to be considered personal data, it must:
- relate to a living person; and
- make it possible to identify the person.
In general, the DPC suggests that if location data relates to a living person, it is likely to constitute personal data.
If it is possible to infer information about a living person, then location data will be deemed to relate to them. The DPC suggests that information relating to a smartphone would “always” be considered as relating to a living person as the smartphone would usually be kept close to the user.
In terms of identifying the person, location data clearly identifies the person if it is linked with their name, contact details or a unique ID. However, the DPC states that, even without such linked information, the identity of a person might still be known due to the intimate nature of location data.
Sensitive personal data
Certain personal data, for example information relating to a person’s religious or political beliefs, their health or their sexual life, are considered sensitive personal data. Such data can only be processed when certain additional requirements are met under the Acts. Generally speaking, explicit consent is required.
According to the DPC, location data collected over a period of time could constitute sensitive personal data. This might arise if it is possible to discover any of these sensitive traits, such as by showing a person visiting a church or making repeat visits to a hospital. In this regard, the DPC suggests minimising both the frequency of collection of location data and the period for which such data is retained.
It is worth highlighting that, in some cases, additional rules apply to the collection and use of certain location data. The Privacy and Electronic Communications Regulations 2011 (“ePrivacy Regs”) include special rules for location data which has been generated from data processed in an electronic communications network, such as a public broadband network, or by an electronic communications service, such as a telco. As a result, GPS and certain Wi-Fi location data are not normally governed by the ePrivacy Regs.
Data protection compliance
If a service provider wants to collect or use location data, it must comply with the Acts. This includes obtaining and using the data fairly and lawfully and then deleting it after an appropriate period of time.
It is crucial that location data is obtained and used fairly. In short, this means being transparent with users about when and why their location data is collected and used. In particular, the DPC recommends:
- clearly informing the user that location data will be collected;
- explaining what such data will be used for;
- describing when location data will be collected, such as during app usage or all the time; and
- using a “recognisable and visible indicator” when location data is being collected.
In making these recommendations, the DPC highlighted that service providers should ensure that users, not just device owners, are made aware of the above.
In conjunction with the fair processing obligation, the DPC recommends obtaining the user’s consent for the collection and use of location data. By providing transparent information as described above, a user can make an informed decision to opt in or opt out. In addition, users should be informed of, and their consent sought for, any change to the purposes for which their location data will be used, including any new or additional purposes.
EU regulators take the view that consent for location data cannot be part of the general terms and conditions of a service. This means that service providers should specifically and separately draw attention to its collection.
Location data should not be retained longer than necessary for the purposes for which it was originally collected. The DPC highlights that deleting location data in a timely manner is particularly important. This is because a pattern of a person’s movements over time can reveal intimate details of their personal life. With this in mind, service providers should implement appropriate retention periods and seek to minimise the location data they hold.
Service providers should undertake a privacy impact assessment where they intend to collect and use location data. Compliance with the Acts should be central to the development of any such project. In addition to the above guidance, service providers should ensure that they minimise the frequency and granularity of location data they collect. Data minimisation, both from a collection and a retention standpoint, is crucial in the eyes of the DPC.