The tracking of people’s location is becoming an increasingly useful tool for many businesses, whether they want to use it to connect customers with their special offers, monitor footfall, or provide other location-based services.
However, a snag is coming in the shape of the EU’s General Data Protection Regulation, which introduces much tougher rules around the collection and use of personal data. And location data can most certainly qualify as personal data, anytime it relates to an identifiable individual.
It’s not that European regulators haven’t cracked down on location-based data protection abuses before. In 2015, France’s CNIL censured the billboard giant JCDecaux for installing Wi-Fi boxes on their signs that captured the unique MAC addresses that identified passing smartphones – the firm wasn’t properly anonymizing the data, and it wasn’t getting people’s informed consent, either.
The Swedish “visitor flow” tracking outfit Bumbee Labs got into similar hot water with that country’s privacy watchdog around the same time, leading it to stop collecting MAC addresses.
But the GDPR is something else, partly because of the way in which it will harmonize law across EU countries, and partly because of the new obligations it will bring – starting with data protection impact assessments.
“Privacy has already been a consideration for our products and services for a long time. Therefore, the concepts of privacy by design and privacy by default are not new. However, the formal aspects of data protection impact assessments are new requirements that have to be integrated into the product development process,” said Philip Fabinger, global privacy counsel for HERE Technologies (the mapping division that Nokia sold to Audi, Daimler and BMW a few years back).
HERE may have a history of privacy by design — unsurprisingly, for a company based in Germany — but other companies don’t, and will have to change their ways.
Giulio Coraggio, a partner at DLA Piper’s Milan office, noted that the obligation to be “able to prove — following a data protection impact assessment — the implementation of adequate protections and safeguards for individuals’ rights” would “limit the ‘freedom’ of operation that providers of location tracking tools had enjoyed so far.
“This was more due to a kind of tolerance by the market of borderline solutions than a full assessment of privacy law compliance of their technologies,” Coraggio said.
The compliance aspects here can be quite finicky, depending on a service’s interdependencies. Witness the case of Runkeeper a couple years back: When the Norwegian Consumer Council made a formal complaint against the app provider over the fact that it continued sending users’ location data to third parties even when the app was not in use, the company said the culprit was a bug in the way Runkeeper was integrated with a third-party advertising service.
Technical snafus aside, it will generally be the case that two possible exceptions to the GDPR’s general data-processing ban will apply in the case of location data: consent and “legitimate interest.”
“Consent is often the applicable ground for making data processing legitimate when it comes to the processing of the locations of a smart mobile device. While today, in some cases opt-out is permissible, this will no longer suffice under the GDPR. A GDPR-compliant consent must be affirmative in nature,” said Fabinger.
Consent was, of course, a fundamental absence in those cases involving surreptitiously-recorded MAC addresses. It may be more applicable when someone has an app on their phone that explicitly uses or broadcasts location data in order to do whatever it does, but even then, there’s the issue of accurately telling people how the data will be used — and making sure that’s the only reason it is used.
“Retaining location data forever and obtaining a single privacy consent for multiple privacy purposes are practices already unacceptable under the current regime, but the GDPR obliges to give more detailed information on usage and retention of data to individuals and consent becomes even more specific,” said Coraggio.
Coraggio noted that legitimate interest (which some view as “the ‘Eldorado’ that might limit the impact of the burdensome GDPR obligations”) can indeed be used as the legal basis for direct marketing, with the GDPR having set no clear limits to its applicability. “The WP29 [working group of EU privacy regulators] did not provide major clarifications as part of its guidelines on profiling,” he added. “A specific assessment shall be done on a case-by-case basis, taking into account the expectations and advantages gained by individuals.”
Indeed, the GDPR is not clear on the definition of location data, nor does it give specific guidance for how to handle it, Fabinger said. He argued that this presents a “specific challenge in this domain.”
“Location data is not always personal data,” said Fabinger. “It highly depends on the context and the use case. The same data set can be privacy-neutral when used for asset tracking as part of logistics optimization services and privacy sensitive when used for tracking of a child or patients in a hospital.”
It’s worth noting that the EU’s proposed ePrivacy Regulation (currently being considered by the European Council before “trilogue” negotiations begin) does more specifically tackle the issue of location data, noting that its collection can sometimes introduce “high privacy risks,” particularly when individuals’ movements are being tracked over time by the monitoring of their Bluetooth or Wi-Fi connections.
“Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection,” the Commission proposal’s Recital 25 reads.
If this passes as proposed, Coraggio said, “a ‘revolution’ might happen [which] might represent a further limit to the current business model of location tracking providers.”
Would this be a bad thing for businesses? Not necessarily, the lawyer argued (although he also noted there was “no doubt that it will broaden the gap between the EU and the rest of the world on such technologies”).
“After a transitional period, those companies that will be able to adopt the right approach to privacy compliance will be able to gain a competitive advantage since their business customers will no longer accept [the use of] technologies which might potentially trigger the GDPR fines,” Coraggio said.
Ultimately, Fabinger claimed, the harmonization provided by the new laws within the EU will “facilitate the deployment of [HERE’s] global products and services.”
“While we currently have to spend time and money to comply with different and inconsistent national data protection requirements, the GDPR will replace the existing patchwork of national data protection laws by establishing an EU-wide harmonized and directly applicable law,” Fabinger said.
This article was originally published by The International Association of Privacy Professionals: Policy neutral, we are the world’s largest information privacy organization. You can connect with them on LinkedIn here, or follow them on Twitter down here:
Get the TNW newsletter
Get the most important tech news in your inbox each week.