D11.6: Survey on Mobile Identity

The legal framework for LBS in Europe WHICH DIRECTIVES APPLY TO WHICH KINDS OF DATA?

In the previous section, we sketched the complex relationship between personal data, traffic data, and location data as well as the directives and provisions that apply to these data. Generally, the E-Privacy Directive takes precedence over the Data Protection Directive, but the latter, general, directive supplements the protection of traffic and location data when they are not covered by specific provisions in the sectoral directive. Within the E-Privacy Directive, different regimes apply to traffic data and to location data that are not traffic data. The picture is compounded by the fact that the E-Privacy Directive provisions only apply to public communications. Traffic and location data generated by private networks or in private services are not covered by articles 5, 6 and 9; if they relate to individuals, however, the general Data Protection Directive applies. This leads to a very complex picture of applicability of legal provisions to the various kinds of data. We tentatively represent this in , which may serve as a working tool for further analysis.

Figure . Diagram showing the applicability of Directives to data

In , yellow indicates applicability of articles 5 and 6 of the E-Privacy Directive, red indicates that article 9 of this directive applies. Blue indicates the scope of the general Data Protection Directive. The purple (red + blue) and the green (yellow + blue) part show that for some data, the specific provisions of the E-Privacy Directive as well as the general Data Protection Directive apply. As can be seen, and is furthermore explained below, this is only the case in public networks or services (indicated with an ‘A’).

‘A’ denotes that the data are generated in public networks or services, ‘B’ that they are generated in private networks or otherwise fall outside the scope of the E-Privacy Directive, for instance because they do not relate to electronic communications at all.  

1. The category of traffic data that are also location and personal data, is divided in two subcategories. 

   1. For data generated in public networks or services, articles 5 and 6 of the E-Privacy Directive apply, indicating requirements such as confidentiality, the legal grounds for processing, storing, and erasure. Other requirements from the Data Protection Directive also apply, when they relate to personal data and are not specifically covered by the E-Privacy Directive, such as several aspects of data quality and data security (art. 6 and 17 Data Protection Directive).  

   2. For other data, i.e., those generated in private networks or services, only the general Data Protection Directive applies. 

2. The category of personal and traffic, non-location data is divided in two subcategories. 

   1. The same as category 1a. 

   2. The same as category 1b. 

3. The category of location and personal, non-traffic, data is divided in two subcategories. 

   1. To data generated in public networks or services, art. 9 of the E-Privacy Directive applies, as well as other requirements from the general Data Protection Directive not covered by the E-Privacy Directive. 

   2. To other data, only the general Data Protection Directive applies.  

4. The category of traffic and location but non-personal data, e.g., relating to business subscriptions, is divided in two subcategories. 

   1. To data generated in public networks or services, only articles 5 and 6 of the E-Privacy Directive apply.  

   2. Other data are not covered by any legal data-protection instrument. 

5. The category of traffic, non-location, non-personal data is divided in two subcategories. 

   1. The same as category 4a. 

   2. The same as category 4b. 

6. To personal data which are not traffic or location data, only the Data Protection Privacy Directive applies. 

7. The category of location, non-traffic, and non-personal data is divided in two subcategories. 

   1. To data generated in public networks or services, only article 9 of the E-Privacy Directive applies. 

   2. Other data are not covered by any legal data-protection instrument. 

1. 1. 1. Checklist

From the foregoing it can be concluded that providers of LBS have to ask a lot of questions before they can determine what regime is applicable to the data they are processing in order to provide the LBS. To help providers asking the right questions, we provide a checklist of the relevant questions that need to be answered in order to establish the applicable legal regime. 

1. Are the data to be processed ‘personal data’? (see art. 2(a) of Directive 95/46/EC) 

2. Are the data to be processed ‘traffic data’? (see art. 2(b) of Directive 2002/58/EC) 

3. Are the data to be processed ‘location data’? (see art. 2(c) of Directive 2002/58/EC) 

4. Do the data relate to users or subscribers of public communications networks or publicly available electronic communications services? (see art. 6 and 9 of Directive 2002/58/EC and art. 2 (a), (c) and (d) of Directive 2002/21/EC) 

5. Is one of the exceptions applicable? (see article 13 of Directive 95/46/EC and article 15 of Directive 2002/58/EC).