The European Union's Article 29 Data Protection Working Party has published its opinion concerning geolocation services on smart mobile devices.
Opinion 13/2011 aims to clarify the legal framework applicable to geolocation services that are available on and/or generated by smart mobile devices that can connect to the Internet and are equipped with location-sensitive sensors such as GPS. This would include applications that provide mapping and navigation, geo-personalised services (including nearby points of interest), augmented reality, geotagging of content on the Internet, tracking the whereabouts of friends, child control and location-based advertising. It also covers GPS, GSM base stations and WiFi infrastructure.
The document sets out the context, privacy risks and legal framework, and recommends that geolocation data be classified as personal data/personally identifiable information (PII), since it can be used to identify individuals. The document proceeds to set out obligations arising under data protection laws. Importantly, it states that "consent cannot be obtained through general terms and conditions" and "by default, location services must be switched off". The need to delete such data within a justified period of time is also listed.
Meanwhile, in the United States, there is a new proposal to update the somewhat out-of-date 1986 Federal Electronic Communications Privacy Act (ECPA). This would affect how law enforcement agencies can request and use geolocation data, with the aim of protecting consumers' privacy. Stephen Gantz has a good further discussion of this topic on Infosec Island.
It may be interesting to consider how this might also affect IP address data, since there can be precise mappings of IP addresses to some specific locations.
Data controllers and data processors who use any type of geolocation data should take note of these trends (and, in the United Kingdom, also read the ICO's recently published Data Sharing Code of Practice).
Posted on: 27 May 2011 at 11:21 hrs