Geolocation: Consent Bombshell from Article 29 WP

May 18, 2011

The Article 29 Working Party has published a new Opinion on Geolocation services on smart mobile devices, made on 16 May. It sets out the level of consent that it sees as being required and the nature of the data subject’s right to access any such data held by a data controller. It states for example that ‘consent cannot be obtained through general terms and conditions’, that the default position must be that location services are switched off and that withdrawal of consent must be made easy, ‘without any negative consequences’ for use of the device. Data subjects should be enabled to access the information in a format that is geographically comprehensible (ie not just reciting numeric references to base stations).

The Opinion is best summarised by its own concluding section: 

‘With the help of geolocation technologies such as base station data, GPS and mapped WiFi access points, smart mobile devices can be tracked by all kinds of controllers, for purposes ranging from behavioural advertising to monitoring of children.

Since smartphones and tablet computers are inextricably linked to their owner, the movement patterns of the devices provide a very intimate insight into the private life of the owners. One of the great risks is that the owners are unaware they transmit their location, and to whom. Another, related, risk is that the consent for certain applications to use their location data is invalid, because the information about the key elements of the processing is incomprehensible, outdated or otherwise inadequate.

There are different obligations for the different stakeholders, ranging from the developers of the operating systems to application providers and parties such as social networking sites that embed location functionalities for mobile devices in their platforms.

6.1 Legal framework

                        The EU legal framework for the use of geolocation data from smart mobile devices is primarily the data protection directive. Location data from smart mobile devices are personal data. The combination of the unique MAC address and the calculated location of a WiFi access point should be treated as personal data.

                        In addition, the revised e-privacy directive 2002/58/EC only applies to the processing of base station data by telecom operators.


6.2 Controllers

                        Three types of controllers can be discerned. They are: controllers of geolocation infrastructure (in particular controllers of mapped WiFi access points); providers of geolocation applications and services and developers of the operating system of smart mobile devices.


6.3 Legitimate ground

                        Because location data from smart mobile devices reveal intimate details about the private life of their owner, the main applicable legitimate ground is prior informed consent.

                        Consent cannot be obtained through general terms and conditions.

                        Consent must be specific, for the different purposes that data are being processed for, including for example profiling and or behavioural targeting purposes from the controller. If the purposes of the processing change in a material way, the controller must seek renewed specific consent.

                        By default, location services must be switched off. A possible opt-out mechanism does not constitute an adequate mechanism to obtain informed user consent.

                        Consent is problematic with regard to employees and children. With regard to employees, employers may only adopt this technology when it is demonstrably necessary for a legitimate purpose, and the same goals cannot be achieved with less intrusive means. With regard to children, parents must be judge whether the use of such an application is justified in specific circumstances. At the very least they must inform their children, and, as soon as reasonably possible, allow them to participate in the decision to use such an application.

                        The Working Party recommends limiting the scope of consent in terms of time and remind users at least once a year. The Working Party equally recommends sufficient granularity in the consent with regard to the precision of the location data.

                        Data subjects must be able to withdraw their consent in a very easy way, without any negative consequences for the use of their device.

• With regard to the mapping of WiFi access points, companies can have a legitimate interest in the necessary collection and processing of the MAC addresses and calculated locations of WiFi access points for the specific purpose of offering geolocation services. The balance of interests between the rights of the controller and the rights of the data subjects requires that the controller offers the right to easily and permanently opt-out from the database, without demanding additional personal data.

6.4 Information

                        Information must be clear, comprehensive, understandable for a broad, non-technical audience and permanently and easily accessible. The validity of consent is inextricably linked to the quality of the information about the service.

                        Third parties like browsers and social networking sites have a key role to fulfill when it comes to the visibility and quality of the information about the processing of geolocation data.  

6.5 Data subject rights

                        The different controllers of geolocation information from mobile devices should enable their customers to obtain access to their location data in a human readable format and allow for rectification and erasure without collecting excessive personal data.

                        Data subjects also have a right to access, rectify and erase possible profiles based on these location data.

                        The Working Party recommends the creation of (secure) online access.  

6.6 Retention periods

                        Providers of geolocation applications or services should implement retention policies which ensure that geolocation data, or profiles derived from such data, are deleted after a justified period of time.

                        If the developer of the operating system and/or controller of the geolocation infrastructure processes a unique number such as a MAC address or a UDID in relation to location data, the unique identification number may only be stored for a maximum period of 24 hours, for operational purposes.’