The growth of satellite navigation and mobile phone services over the past 20 years has created a new market for “location-based services” such as in-car satellite navigation systems. More recently, services such as ‘ChildLocate’ have been introduced, which locate children via their mobile phones (provided that they are not switched off) at the request of their parents. Services such as these make use of ‘location data’ to provide the information requested.
Location data is defined at Article 2 of the E-Privacy Directive (2002/58/EC) as “any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.” The E-Privacy Directive expressly regulates the processing of personal data (including location data) in the electronic communications sector. It was intended by the European Parliament and Council to adapt the principles of the Data Protection Directive (95/46/EC) in order to provide specific rules for the telecommunications sector and to ensure adequate protection for the personal data of users of new technologies, such as the Internet and digital mobile telephone networks.
The general provisions of the Data Protection Directive are also very likely to apply to the processing of location data in addition to the E-Privacy Directive’s sector specific requirements. Location data may constitute “personal data” within the meaning of the Data Protection Directive to the extent that it ‘relates to’ an individual who is ‘identified or identifiable’. The individual in possession of the terminal equipment will almost always be identifiable. Even if a company mobile phone is available for use by a number of people, it will usually be possible to find out who had the handset at any given time. Whether or not the location data invariably ‘relates to’ an individual is a more difficult question, particularly following the Durant decision in the Court of Appeal.
However, since the EC Article 29 Working Party (the influential body set up under the Data Protection Directive and comprised of data protection regulators) is of the view that the provisions of the Data Protection Directive always apply to location data, any company wishing to process location data would be well advised to comply with data protection law, both in general and in relation to its sector specific provisions.
The Working Party has published its opinion on how the data protection principles established under the Directives apply to the processing of location data for the provision of value-added services. The Working Party opinion does not cover the use of location data by Member States when necessary, appropriate and proportionate in order to safeguard national security and for the prevention, investigation and prosecution of criminal offences (for example when UK authorities located a suspected London tube bomber by tracing his mobile phone) as such matters are outside the scope of the Directives (per Article 15 of the E-Privacy Directive and Article 13 of the Data Protection Directive).
The Working Party’s recommendations focus on informing data subjects, consent, storage of data and issues affecting security and transmission.
Informing Data Subjects
The party collecting location data should inform the individual to whom the data relates of various matters in accordance with its obligations under Article 10 of the Data Protection Directive and Articles 6 and 9 of the E-Privacy Directive, including the identity of the data controller (usually the service provider), the purposes for which the data will be processed and whether it will be sent to a third party for the purpose of providing the services. The individual should also be advised of his or her right to access and rectify the data held. The service provider may supply this information either in the general terms and conditions for the service or on each occasion that the service is used.
Consent
A potential obstacle for service providers is the requirement under Article 9 of the E-Privacy Directive that they obtain the consent of the relevant individual before processing that person’s location data (save where such data is processed for the purpose of conveying a communication on an electronic communications network or for the billing of that service). Such consent must be freely given, specific and informed. It follows that consent cannot be given tacitly as part of the general terms and conditions for provision of a location-based service. However, where a service is offered that involves the automatic location of the requesting individual (for example, obtaining numbers for local taxi firms by texting a specific number), calling or texting the relevant number may amount to consent, provided that the individual is fully informed of the processing of their data before doing so.
An individual may consent to being located on an ongoing basis. Where consent is given for ongoing location, the Working Party commented that, to ensure that the subscription has not been made without the relevant individual’s knowledge and the consent is not therefore invalid, the provider must send a message to the individual’s terminal (eg that person’s mobile phone) requesting confirmation of the subscription. Furthermore, the service provider should remind the individual regularly that he or she can be located at any time, giving an opportunity to withdraw that consent.
Even where valid consent has been given for the processing of location data, the individual concerned must be able at any time to withdraw that consent or, using a simple means and without charge, temporarily refuse the processing of his or her data.
Storage of data
Location data should be processed only “for the duration necessary for the provision of a value-added service”. The Working Party’s view is that location data should not be stored after the service has been provided unless it is needed for billing or interconnection payment purposes. No record may be kept of an individual’s location data unless it is anonymised.
Security and transmission
Given the potential sensitivity of location data, a service provider should put appropriate security measures in place and the data should not be transferred other than to third parties providing the relevant services.
General
The Working Party made some specific observations in relation to the location of individuals at the request of third parties (for example, parents locating their children or individuals locating their friends). In the case of parents locating children, the Working Party commented that service providers should put measures in place to confirm that the third party using the service to locate a child is the parent registered to use the service. In relation to all services which locate an individual’s mobile phone at the request of a third party, there is no way to verify that the person using the mobile phone at the time that the location request is made is the person who has consented to being located and not someone else to whom they have lent the phone.
Implications
So what does this mean for businesses? For businesses providing location-based services, it would be prudent to use the Working Party’s opinion as a guideline for handling location data in accordance with European data protection legislation. For businesses wishing to keep track of employees, the Working Party opined that location data should be processed only if the employer genuinely needs to do so to co-ordinate real-time operations or for security reasons. In any event, such data should not be collected outside working hours, and should be kept for no longer than two months and the employee should be informed if location systems are used.
Catherine Reed is an Associate at Bristows.