D11.6: Survey on Mobile Identity

The legal framework for LBS in Europe INTRODUCTION

Introduction

During the last few years, increasing location data processing with mainly commercial purposes has raised new concerns in the data protection field. Not only is the right to privacy at stake but also the freedom of movement in an anonymous way.  

The enhancement of Location Based Services technologies through the development of electronic communications technologies, as for instance the use of triangulation techniques which combine GPS with GSM, as well as the drop in costs, have made Location Based Services more affordable and accessible to a large audience. Also, the development of smart cards has fostered their use in commercial applications, as for instance through the implementation of e-tickets for public transport. As a consequence, these services have spread and the French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), is receiving each day more complaints and applications for consultations regarding the processing of location data. This has led the CNIL to initiate a reflection on these new issues, through its successive opinions.

Before describing the existing legal framework in France, a definition of location data needs to be provided. French legislation only provides a definition of location data in the context of electronic communications where it means “data allowing the localisation of the user’s terminal equipment” (Art. L.34-1.IV of the Post and Electronic Communications Code). As a consequence, the location data will always refer to terminal equipments which should be linked to their owner (the subscriber) or their user in order to get their location: the localisation of the individual is thus indirect, except in the case where the device is embedded in the human body, like an RFID chip. However, this definition does not specify which kind of data it refers to. We should look at Directive 2002/58/EC in order to obtain a more precise definition. Recital 14 of the Directive states that location data may refer to the latitude, longitude and altitude of the user’s terminal equipment, to the direction of travel, to the level of accuracy of the location information, to the identification of the network cell in which the terminal equipment is located at a certain point in time and to the time the location information was recorded. It thus includes a large range of data which are able to provide a vast amount of information relative to the position and movements of the user.

Out of the context of public networks of electronic communications, location data will refer to the data indicating where a person is at a certain moment. These data can originate from the use of smart cards as in the case of e-ticket applications, but also from private networks of communications or from taking pictures by traffic control devices.  

The nature of the Location Based Services provided through public electronic communications networks has evolved from services focused on the provision of information to the individual, e.g. finding the closest restaurant or chemist to the position of the user either through GPS or GSM, to most sophisticated services based on a continuous use of location data, e.g. navigational assistance. Nowadays, the type of services offered has moved one step forward allowing the localisation of individuals not only at their own request but also on request of third parties (WP29, WP115: 4). As a consequence, the nature of these services has moved from localisation actively requested to localisation passively experienced (Gasse D., 2005 CNIL Annual Report: 45). From the perspective of data protection rules, the key issue has moved from the need to define the conditions in which data shall be stored, to the concern of the legitimacy of the processing (WP29, WP115:4).

The first generation of Location Based Services, based on the previous request of the user, has developed in France principally for the purposes of vehicle localisation, gaming and information services. In the first case, the location can be required either for the provision of assistance to drivers in case of emergency (accident, breakdown, malaise, etc.) or theft. The device can be activated manually or automatically after a crash or a call from the owner informing that his car had been stolen.  

The second generation of services offered allows the subscriber to locate the device on demand, even if the device is used by a third person. This kind of service presents higher risks with regard to fundamental rights as it empowers the subscriber to localise the user upon request. In France, this evolution is raising several concerns, not only regarding privacy but also with regard to the freedom of movement in an anonymous way. In the field of privacy, a definition of the limits between the right to privacy and other competing interests, as for instance the right of the employer to control his employees and to organise the company, needs to be found. Regarding the freedom of movement in an anonymous way, safeguards need to be implemented, as long as these new technologies and services could place the individual under constant surveillance. This appears especially worrying in the field of the surveillance of children by parents as it could lead the children to get used to being tracked and watched. The application and interpretation of data protection rules will play a key role in defining the level of intrusion and surveillance tolerated, with regards to these fundamental rights.  

In this category, we can find, for instance, services of “free” localisation of the vehicle, which enable the owner to know every moment where his car is, the itinerary followed, the speed, etc. Employers can use these services in order to control the use of the car by the employee, with the purpose of improving costs, the organisation, or the effective working hours of its employees. Insurance companies intended to implement this processing in order to control the driver’s behaviour, offering in compensation a reduction of the policy rate. Finally, it is important to mention the development of the location systems of GSM and other mobile devices used mainly either by groups of friends in order to localise each other, or by parents to watch out for their children.

The use of Location Based Services is expected to evolve towards the development of technologies supporting the services. The use of Internet tools in relation to GPS and GSM devices will open a new field of business possibilities. The spread of WiFi access points will open the way to services that allow sending to the user adequate and relevant content according to his position. Marketing can find a new life in the development of Location Based Services, e.g., storekeepers will be able to send customised offers to the subscribers located in the shop area. On the other hand, the electronic bracelet is being implemented, not only for safety purposes, for the resocialisation of offenders, or as an alternative to overpopulated jails, but also for medical purposes, e.g. for the surveillance of Alzheimer patients. Some areas are defined in order to warn the subscriber, usually through SMS, when the user enters them. These bracelets are already sold in drug stores and in the sales points of the Telecommunication providers.  

The first sections below will be dedicated to the general legal framework applying to location data processing, either for the processing of these data by public authorities or by private bodies. The following chapter will present the main processing of location data in France, both in the Public and the private sector, and how a balance has been found in each case. This will give a general overview of how the privacy right and the freedom of movement in an anonymous way are protected against the implementation of intrusive location data processing.