Of ‘Mice and Men’ to ‘Maps and Machines’ – “Whatever in creation exists without my knowledge exists without my consent.”
Further to my post in March, the purpose of this sequel post is to continue considering two guidelines published by European regulators regarding the processing of geolocation data. I continue to delve into the cloudy legal relationship between location data and data protection, in particular focusing on the latest EU guidance regarding consent over its use. In a final post, to come shortly, I will look at recent guidance around when anonymisation efforts upon location data are deemed sufficiently acceptable in law to provide adequate protection for individuals’ rights in data.
To pick up the thread from my previous discussion, the reason why the on-going legal debate over the application of data protection obligations to location data is so topical relates to the fact that most people carry their mobile phone almost everywhere they go. And there is no obvious way to block your mobile device from emitting unique identifiers that allow your geo-position to be tracked! Plus, location data may be collected at any time (such as when app services continuously compile such data to provide mobile device users with real-time information about their surroundings) and potentially without users’ interaction or knowledge. In other words, location data are nowadays often collected and processed surreptitiously.
In support of recent research delineating concerns in this area, two reports have been published by UK privacy advocacy groups into mobile and Wi-Fi services’ location tracking activities. These are a report by Krowdthink, entitled “They know where you are”, and an Open Rights Group (ORG) report entitled “Cashing in on your mobile?” Both investigate privacy-threatening practices around the collection and exploitation of traffic and location data by UK telecoms providers; in particular, they allege that consumers are “unwittingly signing up to be location tracked 24/7” and “the highly sensitive data this generates is being used and sold on for commercial benefit.” Consequently, the two organisations have jointly launched a website called Opt Me Out Of Location “to encourage the British public to demand that mobile and Wi-Fi service providers are explicit about what they are asking their customers to opt into and provide clear choices for opting out”.
Of course, many organisations argue that a policy of not using location data collected from their customers without their opt-in consent (or, at least, one reliant upon their opting out of location tracking) is sufficient to protect their privacy and to comply with data protection law. So, what have EU data protection regulators said about how they believe organisations should be acting to comply with existing data protection law when they rely upon consent as a legal basis for processing personally identifiable location data?
As a reminder, under the Data Protection Directive (Article 2(h)), consent must be a “freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”. While consent is not defined in the UK Data Protection Act (DPA), in interpreting this provision the ICO explains in its Guide to Data Protection that “consent should be absolutely clear. It should cover the specific processing details; the type of information (or even the specific information); the purposes of the processing; and any special aspects that may affect the individual, such as any disclosures that may be made”, p.102. Furthermore, the circumstances of each case must be examined carefully to decide whether valid consent has been given and the ICO endorses the view that there must be some active (not inferred) communication between the parties.
In its Wi-Fi Analytics Guidance published in February this year related to compliance with the DPA, the ICO recommends that individuals should be given ample opportunity to view information about how their location data may be processed before it occurs, along with being given standard details (e.g. about the identity of the data controller, any third parties with whom the personal data may be shared, and data retention periods etc.). In particular, the ICO recommends that Wi-Fi network operators notify individuals about details surrounding location data collection through signage in Wi-Fi zones, on their websites and on Wi-Fi sign-up or portal pages (i.e. at the entrance to the data collection ‘area’). Furthermore, the ICO reiterates that data subjects should be given “simple and effective means” (“systems”) to control their personal data collection and processing, in which respect users should also be told upfront how control can be effected through device settings. The ICO then provides examples of what it deems effective control mechanisms (p.8).
The ICO’s guidance in this context bears similarities to guidance provided by the EU Article 29 Data Protection Working Party (WP) in its 2011 Opinion on Geo-location services on smart mobile devices. The Opinion goes further, however, in setting out more extensive guidance around the level of prior, informed and explicitly obtained consent that providers of public electronic communications services and information-society services must obtain before processing location data. In particular, the WP states that the validity of the consent obtained from users should be seen as inextricably linked to the quality of the information provided to them about geo-location services.
At a base level, such information must be clearly visible, comprehensive and understandable for a broad non-technical audience, as well as permanently and easily accessible. Consent cannot be obtained through general terms and conditions, but must be purpose-specific and time-restricted (the WP recommends that providers of geo-location services remind users at least once a year that they are processing location data relating to them for specific purposes). Additionally, if the purposes of the processing change in a material way, the controller must seek renewed specific consent. On the risk of secret monitoring, the WP considers it “essential that the device continuously warns that geolocation is ‘ON’, for example through a permanently visible icon” (p.15).
Thus, both sets of guidelines take a tough stance in setting high bars regarding the levels of informed consent that must be obtained from individuals who are subject to location-based services and the fact that the consent ‘transaction’ must not be implied. This marries well with the elevated concept of consent as defined in GDPR 2016/679 (see Article 4(11) – “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” and related provisions). In other words, a possible opt-out mechanism would not constitute an adequate mechanism to obtain informed user consent.
Most notably, both the ICO and the WP place focus upon the development of technical means for obtaining consent which include settings of sufficient detail with regard to the precision of location data. Of course, such control systems should not only allow location services to be switched off by default – and warn users when they are not switched off – but they also should enable data subjects to withdraw their consent in an easy-to-use manner and without any negative consequences for the use of their device. The WP specifically also recommends that the ability for data subjects to access, rectify and delete location data in a human-readable format should be facilitated by the creation of (secure) online access. Both sets of guidance also carve out special reference to consent in the employer-employee relationship, where the level of data collection can be high.
In conclusion, as mentioned previously, although the opinions of the ICO and the WP are non-binding, these are important documents. By reminding location service providers of their compliance obligations, they should in theory help promote greater control for individuals over use of their personally identifiable geo-data. And regulator guidance clarifying obligations for obtaining informed consent is something that data controllers – not just telecom providers, but also telecoms infrastructure operators, operating system developers, app providers, and social networking sites that embed location functionalities for mobile devices into their platforms – cannot afford to ignore (see my recent post about the impending date for data protection reform). In other words, there is a fine but sharp line in the law’s eyes to be drawn between knowing the location of customers to provide services (e.g. in order to enable connectivity to networks) and tracking their movements unfairly and surreptitiously for economic profit. Data protection law encourages operators to assess the risks around this line upfront (including in respect of non-obvious implications of service development, such as around adding geo-tagging functionality for online photo sharing or dating services), and look for ways to make it even easier for customers to manage and control how their data is used with their permission.
There are of course other mechanisms to track individuals, including through CCTV and Automated Number Plate Recognition (ANPR), which – while they do have the accuracy of, say, GPS tracking and are not reliant upon interconnection with mobile devices – also raise concerns. Arguably, many of the guidelines’ recommendations should also apply to these technologies when they are used to geo-locate people. [To note, while not considered here, provisions set out in the E-Privacy Directive may also apply to those who process geolocation data. In particular, Article 9 of that Directive sets out specific types of notice to be given to, and consent obtained, in advance of the processing of location data – i.e. “any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service” (Article 2). In practice, these obligations apply to the processing of base-station data by telecom operators, whereas it is extrapolated that location data (Recital 14) “may refer to the latitude, longitude and altitude of the user’s terminal equipment, to the direction of travel, to the level of accuracy of the location information, to the identification of the network cell in which the terminal equipment is located at a certain point in time and to the time the location information was recorded”. Such data can only be used for value-added services (commonly known as location based services) with the aforementioned consent, unless the user cannot be identified from such data.]
Finally, of course, consent is not the only legal basis that can be relied upon under EU data protection law for processing personally identifiable location data (see my post here). For example, with regard to the mapping of Wi-Fi access points, the WP acknowledges that companies can have a legitimate interest in the necessary collection and processing of data relating to Wi-Fi access points for the specific purpose of offering geo-location services. However, it warns that the balance of interests between the rights of the controller and the rights of the data subjects requires that the controller offers the right to easily and permanently opt out from the database, without demanding additional personal data. In other words, in cases where the necessity can be adequately justified, the controller must always seek the least intrusive means. Similar considerations apply where employers set up systems to continuously monitor employees – after all, the purpose of such monitoring is not to track or monitor the whereabouts of employees unless this corresponds to a specific need on the part of the company which is connected to its activity. And it goes without saying that there should always be an ‘OFF’ button!