D11.6: Survey on Mobile Identity
The deliverable in hand provides the results of an explorative survey on the
control model for identity related data in location-based services (LBS)
presented in FIDIS deliverable D11.2.
The survey was performed to explore the influence of LBS characteristics (pull
vs. push based, indirect vs. direct profile creation) on the perceived amount of
control participants have over the disclosure of their identity.
Four scenarios, each reflecting a different aspect of the control model, have been
designed and tested.
The legal framework in practice
After the clarification of the European legal framework regarding the processing of personal data, traffic data and location data, this section will elaborate upon some relevant distinctions and problems that exist with regard to applying these Directives in practice. As described before, the processing of location data occurs in the context of providing Location Based Services. In the described directives, no definition is given of a Location Based Service. However, in article 2(g) of the E-Privacy Directive, a value-added service is defined as:
“any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof.”
Location Based Services are a subset of Value-Added Services. They could be defined as:
“any service which requires the processing of locational traffic data or location data that are not traffic data etc.”
As a result, the legal framework regarding value-added services is also applicable to Location Based Services.
As already mentioned, LBS can be public as well as private in nature, and can be used by public and private parties as well. The provision of these services can be either direct or indirect, and the data generated when providing LBS can likewise be accessed directly as well as indirectly. Besides these distinctions, this section will also provide insight into the problems that can arise in hierarchical relationships, as one of the main grounds for the processing of location data is consent. In this respect, it is also of interest to highlight the problem of who should consent to the processing of certain data: the user, the subscriber, or both?
From the description of the European legal framework it becomes clear that there is a big difference in the exceptions regarding the processing of location data for private parties and public parties. Because of these differences, a distinction between the two is made throughout this study. At the end of this chapter, two specific relationships will be discussed more elaborately as some specific legislation and problems relate to them. In section 4.6, the access to traffic and location data by law enforcement will be described, while section 4.7 will give an insight into the processing of traffic and location data by employers.
In private relationships, commercial interests, such as the provision of value-added services, are one of the main reasons for generating location data. However, the safety of children and elderly people can also be mentioned as a private interest in processing location data. The localisation of elderly people and children is a sound example of relationships in which the subscriber to the service is not the same person as the one who is being located. The same holds true for employment relationships, in which the employer will often be the subscriber to a service, while his employees will be the ones to be located. This difference is of importance in relation to the question of who should consent to the processing of certain data: the subscriber or the user?
Contrary to the processing of personal data on the basis of Directive 95/46/EC in which article 7 provides several legal grounds, such as a weighing of the interests (article 7 (f)), section 4.3 made clear that the processing of traffic data and location data heavily depends upon consent. Article 2 (f) of the E-Privacy Directive states: “consent by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC”. Article 2 (h) of this directive defines ‘the data subject’s consent’ as meaning: “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
From the definition in the E-Privacy Directive it becomes clear that consent must be given by either the subscriber, the user or both. In article 2(a) of Directive 2002/58/EC a definition is given of a ‘user’: “any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service”. A definition of a subscriber cannot be found in this Directive. However, article 2(k) of Directive 2002/21/EC defines ‘subscriber’ as: “any natural person or legal entity who or which is party to a contract with the provider of publicly available electronic communications services for the supply of such services.”
First, the relevance of the distinction between user and subscriber relates to the fact that subscribers can be legal persons as well as natural persons. This means that the scope of Directive 2002/58/EC is broader than the scope of Directive 95/46/EC, which is aimed at natural persons. Second, this distinction is relevant as the data being processed in order to provide value-added services do not necessarily have to relate to the subscriber to the service, but they can also relate to a user. For example, within a family a father can have a subscription to a service that locates the mobile phone of his children. In this situation the father is the subscriber, while the children are the users. Also within an employment relationship, the employer – being a legal or a natural person – can be the subscriber to a service locating company vehicles in order to avoid traffic jams. However, not the employer, but the employees are the users of this service when driving the company vehicle. A third relevant issue regarding the distinction between subscriber and user relates to article 6(2) of the E-Privacy Directive, which concerns an exception to process traffic data necessary for the purposes of subscriber billing and interconnection payments. Processing of these data is allowed, but only with regard to subscribers of a service, not regarding its users.
Recital 31 of the E-Privacy Directive gives an insight into the question from whom consent should be obtained:
“Whether the consent to be obtained for the processing of personal data with a view to providing a particular value added service should be that of the user or of the subscriber, will depend on the data to be processed and on the type of service to be provided and on whether it is technically, procedurally and contractually possible to distinguish the individual using an electronic communications service from the legal or natural person having subscribed to it.”
On the basis of the definition of consent as laid down in the Data Protection Directive, as a general rule, the data subject has to give his or her consent. This implies that in the case of a subscriber using a location based service in order to track and trace users of certain equipment such as a phone or a GPS-equipped vehicle, consent needs to be given by both the subscriber and the user. The Working Party takes the view that, when a service is offered to private individuals, consent must be obtained from the person to whom the data refer, i.e., the user of the terminal equipment. With regard to providers of value-added services, the Article 29 Working Party has explicitly stated that they must take appropriate measures to ensure that the person to whom the location data relate is the same as the person who has given consent.
From the definition of consent, as well as from articles 6 and 9 of the E-Privacy Directive, it becomes clear that consent can only be given on the basis of complete and accurate information. The Article 29 Working Party takes the view that information should be provided by the party collecting the location data for processing, i.e., by the provider of the value-added service or, where the provider is not in direct contact with the data subject, by the electronic communications operator.
Information does not only need to be given at the time that consent is obtained, but subscribers should be kept informed on a regular basis whenever a service requires on-going processing of location data. Information should not only be given about the fact that terminal equipment is being located, but also a reminder should be given of the possibility to withdraw consent at any given time. This follows from articles 6(3) and 9(1) of Directive 2002/58/EC, which explicitly require that the users (or subscribers) have to be “given the possibility to withdraw their consent for the processing of traffic data at any time.” Article 9(2) states that
“for the processing of location data other than traffic data, the user or subscriber must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.”
This requirement might raise problems in relation to new communication technologies. At this moment, there are already cell phones available that can be traced on their transmission signals, even when they are turned off. In this situation, it is questionable whether a user can be excluded from localisation.
In case a subscriber is using the service to track and trace other users, it is fair to assume that the duty to inform the user will be on the subscriber. To a certain extent, this can be found in Recital 17 of Directive 2002/58/EC. This recital mentions that consent means the same as consent in Directive 95/46/EC. Furthermore, it says: “Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes”. The wishes of the user are the main objective, implying that at least there has to be knowledge by the user so he is able to express his wishes to the subscriber.
The way in which consent should be given is also a question open to discussion. With regard to the processing of location data, the Article 29 Working Party has stated that the definition of consent as described in Directive 95/46/EC explicitly excludes consent being given as part of the acceptance of general terms and conditions for the electronic communications service offered. However, depending on the type of service offered, consent may relate to a specific operation or may constitute agreement to being located on an on-going basis.
The problems that exist regarding consent in hierarchical relationships will be further elaborated upon in section 4.7 concerning employment relationships.
The first services offered on the basis of location data involved requests from subscribers or users regarding the availability of certain facilities near to them, for example the nearest hospital. Nowadays, value-added services are also provided the other way around, on the request of a third party. For example, a restaurant may want to send commercial text messages to nearby mobile phones, hoping to attract customers. In this example, the restaurant will probably make use of the services provided by an electronic communications operator. This means that at the request of a third party, location data needs to be processed by another third party, concerning certain nearby individuals. This difference is also described by the Article 29 Working Party:
“A value-added service based on location data can be provided either directly by the electronic communications operator (the individual concerned contacts the operator, who then provides the service on the basis of the location data obtained from his system) or via a third party (the individual concerned contacts a third party, who then provides the service on the basis of the location data obtained from the operator)”.
In other words, direct provision of services means that the data subject connects to the operator who provides the value-added service based on location data from his own system, whereas indirect provision means that the user connects to a third party who provides the service based on location data obtained from the operator. In this case, the provider of the service needs to obtain consent from the subscriber or the user. The service provider requests to receive the location data from the other operator. Of course, this request is not necessary where the terminal equipment itself produces the location data.
If the provider of a value added service has direct access to the location data of users, further transfer of data is not necessary to provide the service. This is the case in two-party structures, using, for example, RFID. The provider, who owns the RFID Reader, can provide his services on the basis of location data gathered by his own system. This means that a user has to give his prior informed consent to the provider with regard to the use of his location data.
As described in the previous section, a request for disclosure of location data can also be done by a service provider to a mobile operator in case of a three-party structure. In these structures, such as Cell-ID, a third party provides a network that generates the location data. The user of a service gives his prior informed consent to the provider of the service. This provider has to receive location data from the network provider. In these situations, consent to use location data in order to provide a value-added service also needs to involve consent to transfer the location data from one provider to the other. The communications operator is only allowed to provide the location data if the service provider has the consent of the subscriber and/or the user to process his traffic and location data.
In relation to this, the definition of ‘processing’ can be important. In European Member States, ‘processing’ is interpreted in different ways. Some Member States include mere transfer of data in processing, while others do not. This means that for the transfer of location data from a mobile operator to a provider of a value-added service, not all Member States require consent of the data subject.
In case a provider of value-added services needs to request location data from an electronic communications operator, the Article 29 Working Party stresses the need for the operator to verify and authenticate such requests for access to location data. It is also suggested that the data are provided by the operator in such a way that the service provider cannot identify the customer (e.g., by using an alias).
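The three-party disclosure flow described above, as an added example that is not part of the FIDIS deliverable: the operator authenticates the provider's request, checks the recorded consent (including temporary refusal), and answers under a per-provider alias. The HMAC-based request signature, the alias derivation, the nonce replay check and every identifier are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Every key, identifier and cell name here is constructed for illustration.
OPERATOR_ALIAS_KEY = b"operator-alias-secret"           # never leaves the operator
PROVIDER_KEYS = {"restaurant-finder": b"shared-key-1"}  # per-provider request keys
LOCATIONS = {"msisdn-0001": "cell-4711", "msisdn-0002": "cell-0815"}
# Consent per (user, provider); "paused" models the temporary refusal of art. 9(2).
CONSENT = {
    ("msisdn-0001", "restaurant-finder"): {"given": True, "paused": False},
    ("msisdn-0002", "restaurant-finder"): {"given": True, "paused": True},
}
SEEN_NONCES = set()  # (provider, nonce) pairs already answered


def alias_for(user_id, provider_id):
    """Per-provider pseudonym, handed to the provider when the user consents."""
    msg = f"{provider_id}|{user_id}".encode()
    return hmac.new(OPERATOR_ALIAS_KEY, msg, hashlib.sha256).hexdigest()[:16]


def sign_request(provider_id, alias, nonce, key):
    """Provider side: authenticate a location request with the shared key."""
    msg = f"{provider_id}|{alias}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def handle_request(provider_id, alias, nonce, tag):
    """Operator side: authenticate, check consent, answer under the alias only."""
    key = PROVIDER_KEYS.get(provider_id)
    if key is None:
        return {"status": "denied", "reason": "unknown provider"}
    expected = sign_request(provider_id, alias, nonce, key)
    if not hmac.compare_digest(expected, tag):
        return {"status": "denied", "reason": "bad signature"}
    if (provider_id, nonce) in SEEN_NONCES:
        return {"status": "denied", "reason": "replayed request"}
    SEEN_NONCES.add((provider_id, nonce))
    # Only the operator, holding OPERATOR_ALIAS_KEY, can map an alias to a user.
    user = next((u for u in LOCATIONS if alias_for(u, provider_id) == alias), None)
    consent = CONSENT.get((user, provider_id))
    if consent is None or not consent["given"]:
        return {"status": "denied", "reason": "no consent"}
    if consent["paused"]:
        return {"status": "denied", "reason": "temporarily refused"}
    return {"status": "ok", "alias": alias, "location": LOCATIONS[user]}
```

Because the alias is keyed per provider, two service providers holding aliases for the same customer cannot link them to each other.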