Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

Location data should qualify as personal data, watchdogs say

Geolocation information on where a person has been should qualify as personal data and be protected by EU data protection laws, a European data protection group has said. It said that users should be asked to consent to every new use of the data.19 May 2011

The data should be classified as personal data because it can be used to identify people, the Article 29 Working Party said. The Working Party is a committee made of up national data protection regulators from the 27 EU member states.

The group has said in a published opinion that the EU Data Protection Directive's wording already qualified geolocation data for protection under the law. The Directive says that personal data is any information that can lead to someone being identified.

The Working Party said it was possible to identify someone using a device that stores geolocation data. Phone providers can build up a database of information about a person, such as their name, address and credit card details, or even the unique identification given to devices, and match it to regular patterns of location activity that the device records, the Working Party said.

"It is a fact that the location of a particular device can be calculated in a very precise way ... Such a location can point to a house or an employer. Especially with repeated observations, it is possible to identify the owner of the device," the Working Party said in its opinion (21-page / 131KB PDF) it has adopted.

Matching the unique address given to phones with the location of Wi-Fi access points can also lead to people being identified, the Working Party said.

"With the help of these resources, in many cases a small group of apartments or houses can be identified where the owner of the access point lives ... The data controller should treat all data about Wi-Fi routers as personal data," the Working Party said.

Companies that control the data, such as phone providers, need to obtain consent from device users before giving out geolocation data, the Working Party said. The group said that location services should be turned off on devices as a default; that consent notices should be easy to understand, and that companies should ask user consent each time a different organisation wants to use the information.

"Consent cannot be obtained through general terms and conditions," the Working Party opinion said.

"Consent must be specific, for the different purposes that data are being processed for, including for example profiling and or behavioural targeting purposes from the controller. If the purposes of the processing change in a material way, the controller must seek renewed specific consent," the Working Party said.

"By default, location services must be switched off. A possible opt-out mechanism does not constitute an adequate mechanism to obtain informed user consent," the Working Party said.

The data protection group recommended that companies remind customers about their geolocation data every year and ask them if they want to continue consenting to it being used.

The Working Party said employers cannot consent to use of geolocation data about employees unless "demonstrably necessary for a legitimate purpose," its opinion said. Parents should decide whether they consent to companies using location tracking information stored on their children's devices, the Working Party said.

People should be able to withdraw consent to the use of their data easily without it impacting on the performance of their device, the Working Party said. It said that companies that offer geolocation services that match location data with device identifiers do have a legitimate right to use the data.

"The balance of interests between the rights of the controller and the rights of the data subjects requires that the controller offers the right to easily and permanently opt-out from the database, without demanding additional personal data," the Working Party said.

The location tracking data should be deleted within a "justified period of time" by providers of geolocation services and be deleted within a day by companies that process the information, the Working Party said.

Earlier this week a spokesman for Viviane Reding, Vice President of the European Commission, said the Commission was looking at how technology should shape an update to the Data Protection Directive later this year.

"The Commission is currently analysing all forms of new technology and we will take into consideration social network sites and the rise of data sharing like photos and the use of cloud computing and behavioural advertising when we reform the Data Protection Directive later this year," Matthew Newman, spokesman for Viviane Reding, Vice President of the European Commission said.

"The technology has moved on in leaps and bounds since the Directive came into force more than 15 years ago so what we want to do is see how people are using the technologies and how that relates to personal data to make sure that people's fundamental rights are protected," Newman said.