D11.6: Survey on Mobile Identity

The legal framework for LBS in Europe INTRODUCTION

Location Based Services (LBS) do not only function in a technical and organisational context, but also in a legal context. Whereas the previous chapter sketched the various techniques and modes used in LBS systems, this chapter will give an overview of the relevant EU legislation on the processing of location data with regard to the provision of LBS.  

The relevant European legislative framework consists of several Directives that relate to the processing of personal data in general, the processing of personal data in the electronic communications sector, and provisions regarding obligations for data retention. The main difficulty with this European framework for LBS data lies with the legal definitions and qualification of different groups of data and the overlap that exists between these groups. Also the fact that the different directives are addressed to different parties and the technology-dependent applicability of the rules make the legal framework for location data a complex issue. In this chapter, we try to provide some clarity on the European legal framework, which will serve as a background to the four country reports given in the next chapters.  

First, this chapter will provide an insight into the different European Directives that are applicable to location data. The starting point is the general European Directive on the processing of personal data, followed by more specific directives concerning the processing of personal data in electronic communications and the Data Retention Directive. From these different directives, it becomes clear that a distinction needs to be made between personal data, traffic data, and location data. However, due to overlap, this distinction is not always easy to make as all kinds of combinations are possible, e.g., personal data can be location data as well. This leads to a complicated picture regarding the applicability of the regimes laid down in the directives with regard to the different kinds of data. This picture becomes even more complicated when assessing whether certain kinds of technologies used to process these data fit the definitions of communication services and networks as laid down in Directive 2002/58/EC. We give an elaborate description of the terminology in the relevant Directives in sections 4.2 and 4.3, with a first attempt to schematically represent the different legal regimes that apply to the various kinds of data (personal, traffic, and location data). In section 4.4, we then attempt to illustrate the applicability of the different directives to the various kinds of data and technologies, by schematically showing the different possible combinations of personal, traffic, and location data and giving tentative examples of these combinations. We hope that this first attempt to illustrate the complex legal framework can serve as a basis for future refining and extension, both theoretically and practically.

Section 4.5 discusses some further distinctions made within the European legal framework that are of relevance to the applicability of this framework as well as to its practical application. Mention is made of the difference between the processing of data within private and public relationships; the difference between subscribers and users in respect of consent; the difference between direct and indirect provision of services; and the difference between direct and indirect access to certain data. The last sections address two relationships in which specific rules apply or complications exist when traffic or location data are being processed. Section 4.6 concerns the processing of traffic and location data by law enforcement, and section 4.7 addresses the processing of these data within an employment relationship.