Regular readers will recall the curious case of Mr Spitz and his surprise at the amount of data his mobile phone company retained about his whereabouts, whilst Apple has recently come in for its fair share of opprobrium for collecting location information.
Against that backdrop it was interesting to read the recently published opinion of the (rather inelegantly named) ‘Article 29 Data Protection Working Party’ on ‘Geolocation services on smart mobile devices’. They conclude that generally specific opt-in user consent will be required to collect and use geolocation information for information society services. The Working Party’s opinions are not binding, but in practice are highly persuasive and tend to be followed.
The opinion starts by reviewing the various forms of geolocation data (GPS, base station information and Wi-Fi access points) and concluding that, as mobile smartphones tend to be very personal devices, geolocation data will generally be personal data, and therefore subject to European Data Protection (privacy) rules. In some circumstances the data can also constitute sensitive personal data.
So far as the legal framework is concerned, the opinion distinguishes between:
- Communications Providers, who are already subject to specific rules relating to the processing of Location Data (as defined in the Privacy Directive); and
- Information Society Service Providers, who are not subject to the Privacy Directive, but who are subject to general data protection rules. (It should be noted in this context that recitals to the Privacy Directive make clear that it specifies and particularises the application of general data protection rules to the telecoms sector.)
The opinion focuses on how the general rules apply to information society service providers (see this prior opinion for the rules applicable to Communications Providers – in short, prior informed consent is required) and particularly homes in on the issue of user consent, coming to the not altogether surprising conclusion that prior informed consent of the data subject is required before information society service providers can use geolocation data. The opinion also notes article 2(h) of the Data Protection Directive and its requirement that consent must be freely given, specific and informed.
From this basis the opinion suggests that:
- consent cannot be obtained through general terms and conditions;
- the default setting for location-based services should be ‘off’;
- consent must be specific, not general, to the purpose for which the data is being processed;
- even where consent is to an ongoing service there must be a continuous warning that geolocation is ‘on’;
- consent is regularly renewed – at least once a year; and
- the user must have an easy ‘opt-out’ available at all times.
Returning to the interaction with data retention rules, as Information Society Service Providers are not subject to data retention requirements, the opinion suggests that data is retained for no longer than is necessary to provide the service and suggests that even data anonymised using a unique device identifier is further anonymised after 24 hours.
Given the mess that various national privacy authorities have made implementing the recent requirement for cookie opt-ins, I hope that more thought is given to how this opinion will be implemented in practice.