Understanding new guidance on data protection and geolocation services

The grouping of representatives from the data protection authorities in each European member state, known as the Article 29 Working Party, recently published an opinion on the use of geolocation services on smart mobile devices such as smartphones and tablets.

The opinion attempts to clarify how the European Data Protection Directive applies to geolocation data generated by mobile phone mast triangulation and the use of Wi-Fi access points and Global Positioning System (GPS) transponders, which can potentially track the movements of users.

This information may be used not just by the operators of mobile phone networks and third-party geolocation infrastructure services that "map" Wi-Fi access points, but also by apps used on mobile devices, so there are clearly control and privacy issues.

Notably, the opinion follows the Working Party's opinion on behavioural advertising cookies, with a strict line on the level of consent required from users to process such information. It also makes several surprising assumptions.

While the Working Party's opinion isn't binding law, it does provide guidance on how the data protection authorities think that the law should be interpreted. The opinion is therefore important for developers of mobile apps and web sites utilising geolocation functionality.

What does the opinion say?

First, the opinion states that geolocation data is personal data of the user.

Secondly, it states that if geolocation data is used by an app or web site, the app developer will be a controller for the purposes of data protection laws, and therefore the entity responsible for ensuring that the personal data is processed according to data protection laws.

Thirdly, the opinion states that the app developer will need user consent before geolocation data is collected and processed. The opinion sets out certain principles that should apply:

• Consent cannot be obtained through general terms and conditions.

• Consent must be specific – the user must be informed of the data being processed and how it will be used. If the purpose of the processing changes in a material way, renewed consent must be sought.

• Geolocation services must be switched off by default.

• Consent from employees and children causes particular difficulties. Employers can only require employees to use geolocation services where necessary for a legitimate purpose and there is no less intrusive means of achieving those purposes. For children, parents or guardians must be responsible for determining whether they should be used.

• Users should have an easy way of withdrawing consent.

Finally, on retention periods, the opinion states that geolocation data should be deleted after a "justified period of time" – in particular, unique numbers such as MAC addresses or a Unique Identifier being stored for no longer than 24 hours.

While the opinion clarifies some issues, it unfortunately makes several general assumptions on how geolocation services are used. Consequently, the opinion may confuse rather than clarify the law for applications developers.

Is it really personal data?

The first issue relates to the bold statement that all geolocation data is personal data. While unsurprising in relation to geolocation data that identifies the user, geolocation data is often used anonymously. In such circumstances, consent is arguably unnecessary as the controller of that data is never able to identify the device user.

Who is the data controller?

Secondly, there is an assumption that it is the app developer that will process all geolocation data sent by that app – another generalisation that misunderstands how many apps operate.

Often, an app will simply provide an interface to an unconnected third party's web site using that web site's publicly available application programming interfaces (APIs).

For example, some augmented reality apps use a Google Maps API to access and display local information. The app developer has no connection to Google.

In these apps, it is perfectly possible that the geolocation data will be sent straight from the user's device to the third party web site (in this case, Google Maps), without being processed or accessible by the app developer.

However, the opinion states that the data controller is the developer of that app. In the example above, this cannot be correct as that developer does not "determine the purposes for which... and the manner in which any personal data are... processed".

It is disappointing that this scenario is not properly considered, as it appears to require clearer guidance  – in particular, emphasising that the user needs to be informed where their data will be sent.

The issues raised here are in many ways similar to those currently exercising the ad server industry in relation to behavioural advertising cookies, and API providers may wish to consider how they resolve these challenges without stifling the innovation that making such APIs available undoubtedly encourages.

Consent

Finally, the Working Party's recommendations on consent will raise some eyebrows in the UK, where service providers often rely on the concept of implied consent.

At present, many apps will ask users to confirm their wish to use "location services", but the detail of how that information is used is set out in separate terms and conditions.

The Working Party considers this insufficient, and that the user must be given full information prior to activating geolocation functionality. This will require app designers to revisit how consent is obtained and how information is displayed.

This appears at odds with current practice and guidance for privacy policies – the UK Information Commissioner's view is that data controllers need not expressly highlight obvious and uncontroversial use of data. Many apps will process geolocation data as the user would expect. Unfortunately, the Working Party's opinion does not acknowledge this with a similar approach.

Conclusion

The Working Party's opinion is a forerunner to the forthcoming revised Data Protection Directive. While the opinion's aims are laudable, it must be hoped that the directive will be more pragmatic and clearer on how data protection laws apply to this fast-moving area of technology. For this to happen, it is essential that technology companies take an active part in the consultation.

Martin Sloan is an associate in the Technology, Information and Outsourcing Group at Brodies LLP