D11.6: Survey on Mobile Identity

The legal framework for LBS in Europe PERSONAL DATA IN ELECTRONIC COMMUNICATIONS: DIRECTIVE 2002/58/EC

Personal data in electronic communications: Directive 2002/58/EC

For some sectors, the general Data Protection Directive may not provide sufficient legal protection, given specific vulnerabilities or particularities. For the sector of electronic communications, the EU has considered it necessary to supplement the general Data Protection Directive with a sector-specific data-protection directive, which was part of a larger set of directives regulating the electronic-communications sector (formerly known as the telecommunications sector). This is Directive 2002/58/EC.

1. 1. 1. Relation to 95/46/EC

Directive 95/46/EC must be viewed as the ‘lex generalis’ which is applicable to the processing of personal data unless a ‘lex specialis’ determines otherwise. Directive 2002/58/EC (hereinafter: E-Privacy Directive) can be considered to be such a ‘lex specialis’. This Directive offers a sector-specific regime with regard to privacy and electronic communications. This means that only those situations regarding processing of personal data that are not covered by the E-Privacy Directive fall within the scope of Directive 95/46/EC. However, from article 1 paragraph 2 it follows that the provisions of Directive 2002/58/EC particularise and complement Directive 95/46/EC for the purposes mentioned in paragraph 1. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons, such as businesses and foundations. According to article 1, paragraph 1, Directive 2002/58/EC:  

“harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communications sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community”.  

Moreover, article 2 explicitly states that the definitions of Directive 95/46/EC, as well as those of Directive 2002/21/EC concerning a common regulatory framework for electronic communications networks and services, shall apply regarding Directive 2002/58/EC. However, in addition to these directives, a definition is given of some specific personal data that are of great importance to LBS: ‘location data’ and ‘traffic data’.  

1. 1. 1. Location data, traffic data, and their relation to personal data

In article 2 of the E-Privacy Directive, definitions are given of traffic data and location data: 

“(b) ‘traffic data’ means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof; 

(c) ‘location data’ means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.” 

Since traffic data include data on the geographical position of the terminal equipment at the beginning and at the end of a communication, e.g., a mobile phone call, some traffic data are location data.  

Conversely, many location data in the electronic-communications sector are traffic data, namely if they are processed for the purpose of the conveyance of a communication. This does not necessarily apply to all location data: it is not certain that location data of a mobile phone in stand-by mode can be considered to be processed ‘for the purpose of the conveyance of a communication’. On the one hand, the network processes the location of the mobile phone in stand-by mode so that it knows where it should transmit a potential communication to, and in that sense it could be considered to process the location for the purpose of conveying communications. On the other hand, it does not process the location data for the purpose of conveying a specific communication; it may well happen that there will be no communication at all in a stand-by session. The categorisation of ‘stand-by’ location data is therefore a fairly open issue that Member States have to decide upon when implementing the directive.

The Article 29 Working Party has paid attention to the relation between location data and personal data, claiming: “Since location data always relate to an identified or identifiable natural person, they are subject to the provisions on the protection of personal data laid down in Directive 95/46/EC”. We consider this too sweeping a statement, since ‘location data’ (i.e., indicating the location of a user’s terminal equipment) can relate to objects that are not linkable to individual natural persons (see below).

To illustrate the complex relation between personal data, location data and traffic data the following figure can provide some clarification.  

Figure . Venn diagram showing the relation between personal, traffic, and location data

1. Location data that are also personal and traffic data, e.g., the cell-ID of a mobile phone used for sending an SMS by an individual subscriber.  

2. Traffic data that are also personal data but not location data, e.g., the date and time of a call made by an individual with a GSM subscription.  

3. Personal and location data, but not traffic data, e.g., the address of a fixed telephone of an individual. 

4. Traffic and location data, but not personal data, e.g., the location of a public phone booth where someone made a call.  

5. Traffic data, but not personal or location data, e.g., the date and time when an Internet user accessed a business website using an anonymising service.  

6. Personal data, but not location or traffic data, e.g., the account number of an individual. 

7. Location data, but not personal or traffic data, e.g., the GPS location of a company car when the company has not registered the actual driver; in the context of electronic communications, possibly the location of a stand-by mobile company phone used by several employers is an example of this category. 

This is a schematic representation in which the size of the areas in the figure does not suggest anything about reality. Category 6, of course, is very large, whereas categories 4 and 7, if we follow the opinion of the Article 29 Working Party, are empty, since they consider all location data to be personal data. In our opinion, location data that are not personal data do exist, but this category is probably quite small. 

Before we move on to indicating which directives apply to which areas of our Venn diagram, we analyse in more detail the definitions of the various categories of data. 

1. 1. 1. Electronic communications and location technologies

Whether or not certain data are to be qualified as traffic data mainly depends on the question: what is to be understood by communication and electronic communications network? Besides the definition of electronic communications network, for the qualification of location data the definition of publicly available electronic communications service is also of importance. These definitions determine whether the data generated by the various technologies identified in chapter 3 can be considered traffic and/or location data.

The definitions of electronic-communications networks and services cannot be found in Directive 2002/58/EC, but are explained in article 2 of Directive 2002/21/EC.

“(a) electronic communications networks means transmission systems which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed and mobile terrestrial networks, networks used for radio and television broadcasting and cable television networks;

(c) electronic communications service means a service, normally provided for remuneration, which consists in the conveyance of signals on electronic communications networks. Services providing, or exercising editorial control over, content transmitted using electronic communications networks and services are excluded;

(d) public communications network means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services”. 

A definition of communication is given in article 2 (d) of Directive 2002/58/EC:  

“(d) ‘communication’ means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information”. 

The relevant question for study is whether the technologies described in chapter 3 fit these definitions. As described in the technical chapter, a division can be made between satellite-based positioning systems; sensor-based systems; other wireless technologies; cell-based mobile communication networks, and chip-card-based payment systems.

The table below provides insight into which technologies fall within the scope of Directive 2002/58/EC.

Table : Relation between LBS technologies and Directive 2002/58/EC

(1) With regard to Satellite-based positioning systems and Cell-based mobile communication networks in general, it can be stated that these are public, in a sense that they are available to the public at large. However, from a technical perspective it is possible, and in view of specific electronic communication services probably already effective, to restrict the access to these networks and services to such a confined group of users that ‘public availability’ no longer exists, leading to the consequence that Directive 2002/58/EC might no longer be applicable. The lack of clarification regarding the scope of the term ‘public’ is discussed under (3). 

(2) Whether sensor-based systems and chip-card-based payment systems fall within the scope of the definitions of communication networks and services is highly questionable. In our view, if the rationale behind Directives 2002/21/EC and 2002/58/EC is considered, as well as the recitals and provisions of these Directives, the conclusion should be that they are not aimed at such systems. The Directives seem to be aimed at intentional communications in which the content of the communication plays an important role. However, an analysis of the definitions of electronic communications networks and services as well as the definition of communication shows that they are very broad in scope, leaving room for application to sensor-based systems and chip-card-based systems. Even though the definition of communication applies to these systems, since signals are being transmitted by one of the technical means mentioned in the definition of electronic communications service, the person to whom the data relates has no influence regarding the communication. Therefore, we are of the opinion that it is fair to assume that it was not intended to bring these kinds of systems within the scope of the European legal framework regarding electronic communications. The difficulties with regard to the scope of the definitions of ‘electronic communications services’, and ‘to provide an electronic communications network’ are acknowledged by the Article 29 Working Party:  

“These definitions are still not very clear and both terms should be explained in more details in order to allow for a clear and unambiguous interpretation by data controllers and users alike. The unclear definitions give rise to several questions such as for instance ‘can a cyber café be considered as a provider of an electronic communications network’? Although such questions should be easy to answer, this is not always the case.”

Hopefully, if clarification of these definitions is taken up, the problems regarding applicability to sensor-based systems and chip-card based payment systems will be clarified as well. 

(3) In European legislation, there is no definition of what ‘public’ in the context of the European regulatory framework for electronic communications exactly means. The Article 29 Working Party has not given a clarification regarding the scope of the term ‘public’. However, in a recent opinion the Working Party emphasised:  

“The fact that provisions of the ePrivacy Directive only apply to provision of publicly available electronic communications services in public communication networks is regrettable because private networks are gaining an increasing importance in everyday life, with risks increasing accordingly, in particular because such networks are becoming more specific (e.g. monitoring employee behaviour by means of traffic data). Another development that calls for reconsideration of the scope of the Directive is the tendency of services to increasingly become a mixture of private and public ones.”

In this respect it is questionable whether the requirement of ‘public’ networks and services will be upheld in the future. Evidently, it would broaden the scope of the European legal framework regarding electronic communications to a large extent if this requirement is lifted. 

For the time being, some relevant criteria regarding the question whether or not a network or service should be considered ‘public’ can be: the rationale behind legislation; whether or not the network or service is explicitly labelled as ‘public’ by the legislator; the scope of the service provision: is it the provider’s intention to offer the service to anyone who requests this service?; standardisation, which suggest an intention of uniform and public accessibility; whether the network or service is oriented at a limited geographical area; and whether the network or service is specifically aimed or designed for a specific group of people.

(4) RFID, WiFi and Bluetooth are fairly general technologies that transmit data in a wireless way. As such, they fall within the very wide definition of electronic communications network, since they concern a transmission system to convey signals by electromagnetic means. Often, applications using RFID, WiFi and Bluetooth will also conform to the definition of electronic communications service, if the application can be considered a service. In most cases, these technologies are embedded in some sort of system that can be considered a service, if we go by the general meaning of this term.

1. 1. 1. Processing of traffic data

The main provisions in Directive 2002/58/EC regarding the processing of traffic data and location data concern articles 5, 6 and 9. 

Article 5 concerns the confidentiality of communications and the related traffic data. In this article it is stated that in essence the communications and related traffic data by means of a public communications network and publicly available electronic communications services are confidential. Member States are required to implement this provision into national legislation. In particular, eavesdropping, wiretapping, storage or other kinds of interception or surveillance of communications, by persons other than users, is prohibited without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1).  

Article 6 of the E-Privacy Directive lays down the ground rule for the processing of traffic data ‘relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service’. These data must be erased or made anonymous as soon as they are no longer needed for the purpose of the transmission of a communication. Under certain conditions an exception to this rule is made for traffic data that are necessary for the purposes of subscriber billing and interconnection payments as well as for traffic data for the purpose of marketing electronic communications services or for the provision of value-added services. However, certain conditions apply to these exceptions: the duration of the processing must be restricted to what is necessary to perform the task or service; the subscriber or user must be informed of the types of traffic data which are processed and of the duration of such processing; and, the processing is only allowed by persons acting under the authority of providers of the public communications networks and publicly available electronic communications services. Besides these specific exceptions, the general exception clause of article 15 also needs to be taken into account. This article will be discussed in section 4.3.6.

As described in section 4.3.2, traffic data can, in several instances, be considered to be personal data. If so, the regime set out here supplements the rules laid down by Directive 95/46/EC, meaning that the rights and obligations laid down in this directive also need to be taken into account when processing the ‘personal traffic data’. 

So, in addition to the specific rules laid down in Directive 2002/58/EC, the general provisions regarding the processing of personal data, such as the obligation to inform as laid down in articles 10 and 11 and the rights to access and to object as described in the articles 12 and 14, are applicable to personal traffic data.  

1. 1. 1. Processing of (non-traffic) location data

Article 9 of Directive 2002/58/EC concerns the processing of location data other than traffic data. As described before, location data usually can be qualified as personal data. So, for these data the obligations and rights laid down in directive 95/46/EC apply besides the specific provision in the E-Privacy Directive. For location data that are not personal data, e.g., relating to telecommunications subscriptions by legal persons, only Directive 2002/58/EC applies.  

Article 9 states that location data other than traffic data ‘relating to users or subscribers of public communications networks or publicly available electronic communications services’ may only be processed if the data are made anonymous, or with the consent of the users or subscribers of the service to the extent and for the duration necessary for the provision of a value added service. Paragraph 2 of this article states that, if there is consent of the users, there has to remain the ability for the user to refuse the processing temporarily. This provision makes clear that, for the processing of location data, it is required that there is a value added service that cannot be provided without this processing. In addition, the processing has to be limited to the duration necessary to provide this service. So, with regard to location data other than traffic data, unnecessary processing is prohibited, unless the derogation of article 15 applies to the situation.

1. 1. 1. Article 15: exceptions for national security and law enforcement

As already mentioned in the articles 5, 6, and 9, article 15 provides for some exceptions to the general rules: 

“Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph.”

This article mainly relates to the use of traffic and location data by public authorities for purposes of safeguarding national security and law enforcement. It allows Member States to pass legislation to allow access of public authorities to such data and to mandate data retention, without consent of data subjects. For data retention, there is a specific directive, which we describe in the next section.  

Whereas Directive 2002/58/EC prescribes consent of the data subject or a legally authorised situation as mentioned above, Directive 95/46/EC also offers a weighing of the relevant interests to justify processing of personal data (art. 7(f)). The absence of this ground in Directive 2002/58/EC means that this option does not apply to location data or traffic data generated solely because of electronic communications. Therefore, in private relationships, only consent remains as a legal ground for the processing of these data. According to the definition in article 2(f), ‘consent’ by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC. The data subject himself therefore has to give the prior informed consent. In a workplace environment, there can be an exception to this, see section 4.7. 

1. 1. 1. Data Retention: Directive 2006/24/EC

Directive 2006/24/EC (hereinafter: Data Retention Directive) regulates the mandatory storage of traffic data (cf. art. 15 of the E-Privacy Directive). These data need to be stored by service and network providers in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law. The Directive only concerns traffic data; the content of the messages is excluded from the obligation of data retention. Traditionally, such a regulation in the field of law enforcement falls outside of the competence of Directives (an instrument in the First Pillar of the EU which deals with the internal market); however, data retention closely relates to the functioning of the common market, and the diverging rules of Member States on data retention, which ‘vary considerably’ (consideration 5), form an obstacle to the internal market for electronic communications (consideration 6).  

This directive pertains to traffic data, location data, and ‘the related data necessary to identify the subscriber or user’. Definitions are the same as those of Directives 95/46/EC, 2002/21/EC and 2002/58/EC (art. 2 para. 1). According to article 4, these data must be retained ‘to the extent that those data are generated or processed by providers of publicly available electronic communications services or of a public communications network within their jurisdiction in the process of supplying the communications services concerned.’ The data to be retained are specified in article 5 of the Directive, which distinguishes between fixed and mobile telephony on the one hand, and Internet e-mail and Internet telephony on the other. The obligation includes unsuccessful call attempts, i.e., where a telecommunications connection was made but the call was not answered by the recipient, if such data are stored or logged by the provider (art. 5 para. 2). 

For this study, particularly the data in art. 5 para. 1 under (f) are relevant:  

“data necessary to identify the location of mobile communication equipment: 

(1) the location label (Cell ID) at the start of the communication; 

(2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.” 

The required duration of storage is at least six months with a maximum of two years (art. 6). The exact period of storage is to be decided upon by each and every Member State in its implementation. The maximum period may even be extended, for a limited period, for Member States ‘facing particular circumstances that warrant an extension’ (art. 12).  

The Data Retention Directive must be transposed in Member States by 15 September 2007, with a possible postponement for Internet data until 15 March 2009 (art. 15).