Resources
- Identity Use Cases & Scenarios.
- FIDIS Deliverables.
- Identity of Identity.
- Interoperability.
- Profiling.
- Forensic Implications.
- HighTechID.
- Privacy and legal-social content.
- Mobility and Identity.
- D11.1: Mobility and Identity.
- D11.2: Mobility and LBS.
- D11.3: Economic aspects of mobility and identity.
- D11.4: Workshop on Mobility and Identity.
- D11.5: The legal framework for location-based services in Europe.
- D11.12: Mobile Marketing in the Perspective of Identity, Privacy and Transparency.
- Other.
- IDIS Journal.
- FIDIS Interactive.
- Press & Events.
- In-House Journal.
- Booklets
- Identity in a Networked World.
- Identity R/Evolution.
D11.6: Survey on Mobile Identity
The deliverable in hand provides the results of an explorative survey on the
control model for identity related data in location-based services (LBS)
presented in FIDIS deliverable D11.2.
The survey was performed to explore the influence of LBS characteristics (pull
vs. push based, indirect vs. direct profile creation) on the perceived amount of
control participants have about the disclosure of their identity.
Four scenarios, each reflected a different aspect of the control model, have been
designed and tested.
As mentioned above, all personal data processing should comply with the general obligations established by the Data protection Act. The Electronic Communications Act will only apply to location data processing when the data originate from a public electronic communications network. We will then analyse the provisions of data protection legislation regarding the processing of location data and how they should be complemented with the provisions of the Electronic Communications Act. Moreover, we will refer to the law proposal modifying the Electronic Communications Act for ensuring a better protection of private life in Location Based Services or the services based on the location data of mobile phones (hereafter law proposal to amend the Electronic Communications Act), which has already been drafted in order to adapt the Electronic Communications Act to Location Based Services. This law proposal aims at solving the specific issues of Location Based Services, whose purposes consist in locating a third party’s terminal equipment, with regard to consent and information of the subscriber and the user.
The processing of location data should comply with requirements regarding the purposes and proportionality of processing, as well as consent, information provision, and rights of the subscribers and users of the services. In this section, we discuss these requirements in some detail.
According to Art. 4-2° of the Data Protection Act, personal data should be collected for specific, explicit and legitimate purposes. This means that the processing of personal data should be based on a legitimate interest of the controller. This will raise specific issues in the field of the processing of location data of workers by the employer (see infra 5.4.1).
Moreover, the data collected should be adequate, relevant and reasonable according to the purposes. This means that the data collected should be proportionate to the purpose of the processing and should not exceed what is strictly necessary. This provision will be especially important with regard to the processing of location data, where the devices which collect the data usually provide more information than necessary for the provision of the service.
The Data Protection Act compels the controller to inform the data subject of his name and address, the purposes of the processing, the recipients or categories of recipients of the data, the existence of a right to object and of the existence of the rights of the data subject (Art. 9).
Article 122 §3 of the Electronic Communications Act introduced a specific obligation of information provision for the processing of location data in the field of electronic communications. It stipulates that Mobile Networks Operators should inform the subscriber or, when appropriate, the final user, before he gives his consent, of the kind of data to be processed, the specific objectives and duration of the processing, the eventual third parties the data that will be transferred, and about the possibility of withdrawing their consent at any moment, definitely or temporarily (Art. 123-1°). According to the preparatory works, the Operators will not have to inform all the users when the subscriber is a legal person, for practical reasons. In these cases, the burden to be put upon the Operator appeared to be disproportionate.
The law proposal to amend the Electronic Communications Act intends to extend this obligation of information to the user of the terminal equipment. It is foreseen that the Operator will be obliged to inform before the subscription to the service both the subscriber and the user, when they are different persons. This modification echoes the opinion of the Belgian Data Protection Authority raising the problem of the consent given by legal persons (in most of the cases, the employer). The ePrivacy Directive which the Electronic Communications Act transposes into Belgian legislation, is intended to apply to both users and subscribers and therefore the recipients of the obligations set up to the Telecommunication Operator will depend on who the data are related to. According to this principle, Belgian Law could not exclude one of these data subjects from the application of the provisions because of practical reasons.
Moreover, the law proposal compels the Operator to send an information message warning upon the activation of the service for each localisation request. This obligation would ensure that the user is informed of these requests and thus of the processing of location data and enable him to withdraw consent.
The Data Protection Act lists several grounds on which the data processing can be justified. Even if consent will generally be the most common option, the controller is allowed to process the data without prior consent of the data subject when he can rely, for instance, on a legitimate interest, provided that this interest outweighs the fundamental rights and freedoms of the data subject (Art. 5).
In the field of electronic communications, prior to the processing, the Operator should collect the consent of the subscriber or, when appropriate, of the end user. Article 122§3 of the Electronic Communications Act gives a definition of consent which literally reproduces the definition given by the Data Protection Act: consent is any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
The law proposal to amend the Electronic Communications Act intends to extend this obligation and to compel the Operator to obtain the consent of both the subscriber and the user. Moreover, this law proposal tries to solve the issue of the services of localisation of minors. The Preamble refers to the issues identified by the Working Party 29. The fear of criminal offences and the emergence of a nomadic way of living could lead parents to use this service for their own reassurance. They introduce the use of mobile phones as part of a family contract: more freedom of communication for the children against the possibility to be localised by the parents. However, this need of the parents should be limited by the right to privacy of the child as mentioned in the Convention on the Rights of the Child. The use of these services could hinder the establishment of a relationship based on mutual trust between the parents and their children and could have a negative impact on the course of the children to gain their autonomy. Moreover, such services could mislead the parents into believing the illusion that they control the activities of their children, when in fact the mobile phone only indicates where this device is and thus supposedly where the child is, but not what he is doing. Finally, the widespread use of these services could accustom the children to be constantly controlled and thus to grow into individuals, who do not consider being monitored as intrusive. Thus, the legitimacy of the processing is doubtful. The law proposal to amend the Electronic Communications Act introduces a specific provision relative to minors above eleven years old, which compels the Operators to obtain their consent before the provision of the service.
The Operator should further offer the subscribers or end users the possibility to withdraw their consent easily, without any charge, definitively or temporarily (Art. 123-4 of the Electronic Communications Act). The modification law proposal extends the obligation compelling the Operator to offer this possibility to both the subscribers and the end users.
However, an exception is foreseen for the needs of provision of emergency services. A Royal Decree, after the Privacy Commission has given its opinion, should specify the procedure according to which Operators should override the temporary or definitive withdrawal of the consent of the user at the request of emergency services willing to answer an emergency call (Art. 123-5 of the Electronic Communications Act). This cancellation is free of charge. This decree has not yet been published.
Besides the obligations stated in the Data Protection Act to controllers (proportionality, finality, data minimisation principle), the Electronic Communications Act has incorporated some of them for the processing of location or traffic data by Telecommunication Operators. According to Article 122-4, the location or traffic data can only be processed and stored for the provision of a location or traffic data based service, respectively. These services are the ones which imply the processing of traffic or location data above those strictly necessary for the conveyance of the communication or billing of the service (Art. 2. 8° and 9° Electronic Communications Act).
Moreover, it introduces specific provisions in order to define the persons who can access and process the data. The processing of traffic data, apart from the need of conveyance of a communication, can only be carried out by the persons in charge of the billing process or the traffic management, the processing of the information requests from the clients, the fraud detection, marketing of own services of the Operator or the provision of traffic data based services. However, location data could be processed by any person under the authority of the Operator or the third party which have to provide the location data for the service (Art. 123-4).
Finally, it should be mentioned that, as in processing of any kind of personal data, location data processing should comply with the security measures necessary to guarantee the confidentiality of the processing (Article 16§4 of the Data Protection Act). The Belgian Data Protection Authority has issued ten general principles that every controller should respect in order to comply with the general obligation of confidentiality.
Moreover, the controller should ensure the rights of the individual: right of access, data rectification, and erasure of the data. As already mentioned, the subscriber and the user of a location based service have the right to object to the processing, at any time and without any charge, definitively or temporarily.
22 / 47 |