We have recently seen increased legislative activity among EU institutions aimed at strengthening citizens' right to privacy. Two new EU regulations have come to the fore: the General Data Protection Regulation (GDPR) and the Regulation on Privacy and Electronic Communications (ePrivacy), both intended to apply from May 2018. They are to replace the long-serving directives enacted in 1995 and 2002, that is, at a time when the Internet and the related technologies were still in their infancy. The need to update the rules is obvious, as the existing standards no longer correspond to current technological and market realities.
The latest GIODO’s opinion
The above trend is matched by a recent speech of the Polish Inspector General for Personal Data Protection (GIODO) on the processing of and access to geolocation data, which summarizes the principles established so far for locating persons (in particular in connection with providing services to them) and signals the changes that will follow the amendments to EU law. The GIODO's speech recalls the basic principles, including the following:
- geolocation data may be processed only for a specific purpose (they cannot be collected and used for no apparent reason, e.g. to keep them "in stock" for possible future use);
- geolocation data should be processed only to the extent and for the period needed to achieve the given purpose (hence it is not permissible to track a user continuously if it is evident that they only wished to be located once, e.g. for a single route calculation or to find the nearest point of interest);
- geolocation data should be kept confidential, that is, protected by technical and organizational measures and used exclusively by the entities that need them, and only to the extent necessary for the purpose of processing.
Whose responsibility is it?
Responsibility for implementing the above principles rests mainly with data controllers, who, in the case of geolocation data, may be various entities depending on the purpose and context of the processing. The controller may be a telecommunications operator locating the user via base stations in order to provide telecommunications services and so-called value-added services (such businesses are subject to the stricter requirements of the 2002 ePrivacy Directive, as implemented in the Polish Telecommunications Law of 2004). A controller may also be the owner of the mobile device's operating system, if that system collects geolocation data, for example to let the user find a lost device or merely to update the time zone in the system settings. However, with the advances in technology and the progressive digitization of everyday life, the administrators of mobile applications have become the unquestioned leaders in using location data to offer a variety of electronic services.
Locating in apps — is consent needed?
Among the public institutions involved in personal data protection, the dominant view is that, owing to the "sensitivity" of geolocation data, the primary legal basis for processing them should be the user's consent, given in a form that meets the requirements laid down in the regulations. However, in some cases consent does not appear to be strictly necessary.
First, it should be noted that geolocation data are practically always personal data, regardless of whether they are collected together with other data or on their own. This follows from the nature of the locating technologies (cell-tower triangulation, GPS, Wi-Fi positioning), whose precision ranges from a few to several dozen meters. Except where the processing takes place in very crowded places, each of these technologies makes it easy to identify the person being located.
On the other hand, personal data protection rules apply, and location consent is needed, only if the application's administrator controls or at least has access to such data. Therefore, if a mobile application does not use any of the developer's resources (i.e. it does not send the location data to the developer's servers or otherwise share them), and locating relies solely on the exchange of information between the mobile device and the positioning system (e.g. GPS), which the developer does not control, the developer is generally not regarded as a data controller. However, given that market practice is to build applications that are as extensive as possible, with the largest feasible number of features (from both the user's and the developer's perspective), such purely on-device applications are unlikely to be commonplace. Note also that the moment location data leave the device (for example, to a backend that computes routes or serves nearby points of interest), the developer does obtain access to them and this exemption no longer holds.
Finally, it cannot be ruled out that geolocation data will be processed on a basis other than the user's consent. In principle, when installing or running an application the customer concludes a contract for the provision of an electronic service. Personal data protection rules indicate that the legal basis for processing is not only consent but also the necessity of the processing for the performance of a contract with the data subject. That basis is, however, strictly confined by the criterion of "necessity", as the following hypothetical examples show:
Example 1. A mobile application for the "X" Music Festival which, in addition to the Festival schedule, information about the artists and the possibility of commenting on the event, also offers a feature that estimates the shortest route to a given place in the Festival grounds.
Example 1 clearly shows that, at the time of installing the application, it is by no means a given that the user wishes to use its location feature. The installation itself and acceptance of the application's terms therefore do not provide a basis for processing geolocation data, and the requirement to obtain appropriate consent at the appropriate moment remains. By contrast, the application from the second example appears to meet the "necessity" criterion and justifies relying on the "contractual" basis for processing. Nevertheless, given the "sensitive" approach of public institutions to location issues, it is good and desirable practice to consider asking the user for consent anyway, in order to raise the user's awareness of how the application works and how their location is used.
Content of the location consent — regulations versus reality
Every smartphone user knows what the location consent in a mobile app looks like. It is one of the many cryptic and laconic approvals granted when an application is installed or first run (alongside other permissions such as access to contacts, displaying notifications, or changing the device's system settings). Unfortunately, the format of such consent is dictated by the operating system, and app developers have very limited influence over its content (which differs slightly between systems and versions). On iOS the developer supplies only the usage-description string shown in the system prompt, and on Android 6.0 and later the developer controls when the runtime prompt appears (and may display a rationale beforehand) but not its wording. Furthermore, such consent may sometimes be granted by users in blanket form in the operating system settings, for all current and future applications at once.
The realities described above do not stand up against the legal requirements for consent to personal data processing. The rules explicitly state that consent cannot be implied or presumed (which rules out effectively consenting, through operating system settings, to all applications in advance and at once). Consent should also be accompanied by a substantial amount of information, in particular:
- Who is allowed to locate the user? (the identity and contact details of the data controller);
- What is the purpose of processing the location data? (separate consent should be obtained for each purpose, so it is not permitted to request a single location consent covering, for example, an application feature, statistical purposes, the controller's marketing purposes and application optimization);
- How can the user exercise their right to access and correct the data? (including how to withdraw consent and have the previously collected data deleted).
It is worth noting that the EU regulations taking effect in 2018 will slightly relax the formal requirements for consent: it will be possible to give consent by conclusive conduct, for example through the configuration of the user's device. On the other hand, the new rules will broaden the scope of information that must be provided, including the retention period, the contact details of the data protection officer, and information about the right to lodge a complaint with the supervisory authority (GIODO).
It should also be remembered that the rules currently in force impose specific requirements that must be taken into account when locating users by means of an application, such as the recommendation to display an appropriate location icon in the application, or detailed instructions for building a user profile from geolocation data. It cannot be ruled out that, once the GDPR applies, public institutions will issue further guidelines and restrictions of this kind. Mobile application administrators should therefore not rely solely on the mandatory prompts displayed by the operating system, as is common practice today; a purpose-specific consent request and the accompanying information belong in the application itself. Such omissions may have serious consequences, especially from next year, when the new law will introduce very heavy financial penalties for breaches of personal data protection law: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.