The Article 29 Working Party has published an Opinion on Geolocation services on smart mobile devices and taken a strong position on consent, stating that consent cannot be considered to be freely given through the mandatory acceptance of general terms and conditions or through opt-out possibilities. The Article 29 Working Party considers that due to the level of detailed personal data collected through geolocation services and the importance of obtaining informed consent, the default position should be that location services are ‘OFF’ and users “may granularly consent to the switching ‘ON’ of specific applications”.
Article 29 Working Party
The Article 29 Working Party is made up of representatives from the data protection authorities of each EU Member State. As such, its opinions do not have the force of law, but influence EU law and are considered best practice.
Geolocation services are services related to the location of a particular device. Typically they are used to report a user’s location to other users, e.g. tagging where a photograph was taken, and to associate real-world locations (such as restaurants) to a user’s location.
The Article 29 Working Party also raises some other, more concerning uses of geolocation technology, from behavioural advertising to monitoring of employees or children.
Geolocation data can be gathered in a number of way, such as through GSM base stations, GPS, WiFi and RFID (radio frequency identification) readers. This means that smart mobile devices can be tracked by all kinds of data controllers. The Working Party stated that “since smartphones and tablet computers are inextricably linked to their owner, the movement patterns of the device provide a very intimate insight into the private life of the owners”. One of the main risks is that the owners are not aware that their location is being transmitted or to whom it is being transmitted.
The Opinion has confirmed that as geolocation services on smart mobile devices are linked to natural persons, the geolocation data is personal data. Therefore, it falls within the remit of the Data Protection Directive.
Given the “sensitivity of the processing of (patterns of) location data”, in that smart mobile data reveal intimate details about the private life of their owner, the Working Party has stated that the most appropriate ground for legitimising processing of the data under the Data Protection Directive is by the user of the device giving prior, informed consent.
In order for consent to be informed, the user must consciously provide consent rather than it being implied without the user being fully aware (through default settings). The consent must be specific for particular purposes, meaning that information must be given about the processing and if the purposes change then further specific consent for the purpose of the processing must be obtained.
In any event, users should be reminded at least once a year that location data is being processed about them.
Users must be able to withdraw their consent in an easy way without any negative consequences for the use of their mobile device.
The Working Party’s finding will affect a range of different types of parties which use geolocation data, from network operators to application providers and social networking sites that provide location-based functionality for mobile devices.
What is clear is that currently the majority of these parties are failing to obtain valid, prior, informed consent as per the Working Party’s Opinion. Consent is normally obtained through general terms and conditions or a default opt-in. The Working Party has rejected both of these, claiming that consent must be specific, informed and limited in scope to be valid.
Interestingly, the Working Party also touch on monitoring of employee’s geolocation data, stating that such data should only be used if necessary for a legitimate purpose and if the goals cannot be achieved through the use of less intrusive means.
Processors of geolocation data should consider their provisions for obtaining consent and assess whether these are sufficient according to the Working Party criteria, as although this is not law, it is good practice.