This is not the European Commission telling operators what to do
– it is just an opinion on compliance from the EU's Article 29
Working Party on Data Protection. Such opinions are not binding;
but they are influential and the latest opinion will be of interest
to anyone operating in the market for location data services.
All location data relates back to an identifiable person – the
person driving the car or the owner of the mobile phone. So the
Working Party, which is an independent EU advisory body, is anxious
to ensure that the data processing is lawful. The focus of
its 11-page opinion is on commercial uses of data rather
than the retention and use of location data for national security
or law enforcement purposes.
The current rules are set out in the Data Protection Directive
of 1995 and the Directive on Privacy and Electronic Communications
of 2002. These provide, generally, that location data can
only be processed if the user or subscriber of a service that
relies on processing the data has consented to the
processing.
In its opinion, the Working Party does not consider issues
raised by the use of location data for national security or law
enforcement purposes, but instead highlights how it believes some
of the provisions of the Directives should be applied. In
particular it considers:
- The applicable national law – where the user
and the data controller (such as Vodafone) are in separate Member
States, the national applicable law will be that of the data
controller. If the data controller is based outside the EU,
location data can only be processed if the Data Protection
Directive requirements on the transfer of data to third countries
are fully met.
- Informing users – the data subjects must be
informed of matters such as the identity of the data controller,
the reason for the data processing, the type of data processed, how
it can be amended and the right to cancel the data. The information
should be clear, complete and comprehensive.
- Consent – this must be obtained freely and
should not be given as part of an acceptance of the general
conditions of the service. Operators should ensure that they can
verify and authenticate requests for location data made by third
parties offering a value-added service, and that they are sure that
the person to whom the location data relates is the same person who
has given consent.
- The right to withdraw – consent can be
withdrawn at any time and users must be able, easily and without
charge, to temporarily refuse the processing of location data. If
processing is ongoing, operators must regularly remind users that
the device they are using can be located.
- Storage time – storage of location data is
only permitted for the length of time necessary for providing the
service. It cannot be stored after that, except for billing and
payment purposes. If it is, it must be rendered anonymous.
- Security measures – the data must be held
securely and only passed on to the person providing a service. All
access should be logged.
Some services help parents to locate their
children by tracking a child's phone. The Working Party
took the view that such uses of location data may affect the mutual
trust between a parent and child, it may falsely reassure parents
that they know what their children are doing, and it may
acclimatise children to constant monitoring. But the Working Party
is not lobbying for a ban; rather, it calls for vigilance in this
type of use, and raised the question of whether a child can truly
consent to the use of the data.
Similarly, services that locate employees
raises questions about the boundary between private and working
life. How much monitoring is it acceptable to subject employees to?
The Working Party stresses that consent must be freely given, and
the processing must relate to a specific need on the part of the
company. The data should be kept for no longer than two months,
unless it is rendered anonymous.
The Opinion was published on 25th November 2005 but only became
available online in late-December.
