On May 16, 2011, EU’s Article 29 Working Party (WP29) adopted an opinion setting out privacy compliance guidance for mobile geolocation services.
WP29 is comprised of representatives from the EU member states’ data protection authorities (DPAs), the European Data Protection Supervisor and the European Commission. WP29’s mandate includes (i) giving expert advice to the EU member states regarding the implementation of European data protection directives, and (ii) promoting uniform implementation of the directives in all EU state members as well as in Norway, Liechtenstein and Iceland. WP29’s opinions, therefore, carry significant weight in the interpretation and enforcement of data protection laws by European DPAs.
Not surprisingly, WP29 has concluded that geolocation data is "personal data" subject to the protections of the European data protection framework, including the EU Data Protection Directive 95/46/EC. The Working Party also determined that the collection, use and other processing of geolocation data through mobile devices generally requires explicit, informed consent of the individual. Below are the highlights of the opinion.
WP29 found that:
- With the help of geolocation technologies smart mobile devices can be tracked for purposes ranging from behavioral advertising to monitoring of children
- Because mobile devices are inextricably linked to their users, the travel patterns of the device provide a very intimate insight into the private life of the user, rendering the location data personal; specifically, "the combination of the unique MAC address and the calculated location of a WiFi access point should be treated as personal data."
- One of the main risks of location data processing is that the user is unaware that the device transmits the location data and to whom the information is provided
- There risk that the consent for certain applications to use location data is invalid because the information about the key elements of the processing is incomprehensible to the user, outdated or otherwise inadequate
- Because location data from smart mobile devices reveal intimate details about the private life of their users, the main applicable legitimate ground is prior informed consent
- Consent cannot be obtained through general terms and conditions; rather, consent must be specific for the different purposes that location data is collected, used or otherwise processed (e.g., profiling or behavioral targeting)
- If the purposes of the processing change in a material way, the data controller (i.e., the entity that determines the purposes and means of collecting, using or processing the data) must seek renewed specific consent of the individual
- By default, location services must be switched off
- An opt-out mechanism does not constitute an adequate mechanism to obtain informed user consent
- With respect to employees, employers may only adopt this technology when it is demonstrably necessary for a legitimate business purpose and the same purpose cannot be achieved with less intrusive means
- With respect to children, parents must judge whether the use of location data is justified in specific circumstances
- The consent should be limited in time; users should be asked for consent at least once a year
- Users must be able to withdraw their consent in a very easy way, without any negative consequences for the use of their device
- With regard to the mapping of WiFi access points, companies can have a legitimate interest in the necessary collection and processing of the MAC addresses and calculated locations of WiFi access points for the specific purpose of offering geolocation services; the balance of interests between the rights of the data controller and the rights of the user requires an opportunity for the user to easily and permanently opt out from the database, without providing additional personal data
- Users must be provided with clear, comprehensive and understandable for a broad, non-technical audience notice of the collection, use or other processing of geolocation data; the notice must be permanently and easily accessible; the validity of the user’s consent is inextricably linked to the quality of the information about the data collection
- Third parties, such as browsers and social networking sites, have a key role to fulfill when it comes to the visibility and quality of the information about the processing of geolocation data
- Users have the right to access their location data in a human-readable format and to rectify and erase the data; users also have the right to access, rectify and erase profiles compiled based on their geolocation data
- Providers of geolocation applications or services should implement retention policies which ensure that geolocation data or profiles derived from such data are deleted after a justified period of time
- If the developer of the device’s operating system or a data controller of the geolocation infrastructure processes a unique number such as a MAC address or a UDID in relation to location data, the unique identification number may only be stored for a maximum period of 24 hours, for operational purposes
While the debate about mobile location data is in its infancy in the U.S. (see our blog post and Fox News interview), Europe has served up guidance that, it is fair to say, brings to life every nightmare of U.S. businesses working and innovating in this industry. It is important to keep in mind that WP29 recommendations are not the law. As with any WP29 opinion, businesses need to monitor how the DPA will implement the guidance, if at all. I suspect that Apple and Google will be the first to face pressure from European data protection authorities to comply with the guidance. We will monitor how any enforcement action will play out. For now, U.S. business entering mobile location marketplace in Europe should strive to implement the opinion’s requirements to the extent the requirements are feasible.