How to triangulate location data, privacy and profit

This is not the European Commission telling operators what to do – it is just an opinion on compliance from the EU's Article 29 Working Party on Data Protection. Such opinions are not binding; but they are influential and the latest opinion will be of interest to anyone operating in the market for location data services.

All location data relates back to an identifiable person – the person driving the car or the owner of the mobile phone. So the Working Party, which is an independent EU advisory body, is anxious to ensure that the data processing is lawful. The focus of its 11-page opinion is on commercial uses of data rather than the retention and use of location data for national security or law enforcement purposes.

The current rules are set out in the Data Protection Directive of 1995 and the Directive on Privacy and Electronic Communications of 2002. These provide, generally, that location data can only be processed if the user or subscriber of a service that relies on processing the data has consented to the processing.

In its opinion, the Working Party does not consider issues raised by the use of location data for national security or law enforcement purposes, but instead highlights how it believes some of the provisions of the Directives should be applied. In particular it considers:

• The applicable national law – where the user and the data controller (such as Vodafone) are in separate Member States, the national applicable law will be that of the data controller. If the data controller is based outside the EU, location data can only be processed if the Data Protection Directive requirements on the transfer of data to third countries are fully met.

• Informing users – the data subjects must be informed of matters such as the identity of the data controller, the reason for the data processing, the type of data processed, how it can be amended and the right to cancel the data. The information should be clear, complete and comprehensive.

• Consent – this must be obtained freely and should not be given as part of an acceptance of the general conditions of the service. Operators should ensure that they can verify and authenticate requests for location data made by third parties offering a value-added service, and that they are sure that the person to whom the location data relates is the same person who has given consent.

• The right to withdraw – consent can be withdrawn at any time and users must be able, easily and without charge, to temporarily refuse the processing of location data. If processing is ongoing, operators must regularly remind users that the device they are using can be located.

• Storage time – storage of location data is only permitted for the length of time necessary for providing the service. It cannot be stored after that, except for billing and payment purposes. If it is, it must be rendered anonymous.

• Security measures – the data must be held securely and only passed on to the person providing a service. All access should be logged.

Some services help parents to locate their children by tracking a child's phone. The Working Party took the view that such uses of location data may affect the mutual trust between a parent and child, it may falsely reassure parents that they know what their children are doing, and it may acclimatise children to constant monitoring. But the Working Party is not lobbying for a ban; rather, it calls for vigilance in this type of use, and raised the question of whether a child can truly consent to the use of the data.

Similarly, services that locate employees raises questions about the boundary between private and working life. How much monitoring is it acceptable to subject employees to? The Working Party stresses that consent must be freely given, and the processing must relate to a specific need on the part of the company. The data should be kept for no longer than two months, unless it is rendered anonymous.

The Opinion was published on 25th November 2005 but only became available online in late-December.