D11.5: The legal framework for location-based services in Europe


Legal framework: general principles

All personal data processing should comply with the provisions of the Data Protection Act. However, when location data originate from a public electronic communications network, supplementary safeguards have been introduced by Article L.34-1 of the Posts and Electronic Communications Code, which transposes Directive 2002/58/EC. These safeguards focus mainly on the consent and information of the subscriber and of the user of the service.

In the context of location data processing, these rules protect not only the privacy of the user but also the freedom to move anonymously. However, they set up a series of principles that remain formulated in broad terms. Their modalities of application will be defined by the CNIL and by case law, which have the difficult task of finding a balance between the competing interests in each situation.

The CNIL is defining a set of specific rules for the processing of location data through its opinions. It distinguishes according to purpose: the guarantees required will not be the same for data processing related to private life as for processing related to professional life. The CNIL is thus drawing the thin line that processing should not cross in order to remain compliant with the legislation and "fundamental-rights friendly".

In this chapter we describe how French legislation applies to location data processing. In each case, we first explain the general rule applying to all processing of location data and, where appropriate, specify the particular rules established by the Posts and Electronic Communications Code. The principles have been divided into three main groups: principles related to data quality (1), consent (2), and confidentiality and rights of data subjects (3).

1. Data quality

1.1 Purpose specification, purpose limitation and proportionality

The French Data Protection Act requires data to be obtained for specified, explicit and legitimate purposes, and subsequently not to be processed in a manner incompatible with those purposes (Article 6). The legitimacy of the purposes, and thus their proportionality, i.e. whether the use of location data is proportionate to the objectives foreseen, should be evaluated according to the nature of the controller's activity, or of its competences if it is a public authority. Besides, the gradual use of data for purposes other than those for which it was collected (commonly known as function creep) is a criminal offence punishable by imprisonment and by a fine of up to 300,000 euros.

This principle poses a first limit to the expansion of location data processing, since the processing must find its justification in the activity carried out by the controller. Taking into consideration the highly intrusive nature of location-based processing with respect to privacy and the freedom to move anonymously, especially when it serves the purpose of locating third parties, the CNIL will verify that the processing is really necessary for the purpose and that the purpose cannot be achieved by other means that are less intrusive or more "fundamental-rights friendly". For instance, the High District Court of Paris annulled the authorisation given for the processing of biometric data for the purpose of controlling employees' working hours. This technique could not be justified by the need to control working hours, since a badge system could be as effective as one based on biometric data. This example illustrates that the concept of finality works in French law as a basic guide-rail for the protection of fundamental rights and liberties.

1.2 Data minimisation principle

The data to be processed should be adequate, relevant and not excessive in relation to the purpose of the processing (Article 6-3° of the Data Protection Act). The data minimisation principle acts here as a second barrier, limiting the collection of data that would not be strictly necessary for the provision of the service. The processing of location data could lead to the archiving of every user's movements, providing a rich source of information for profiling and a significant risk for individual liberties. This principle will play an important role in defining which location data are necessary for the provision of the service.

1.3 Conservation of the data

Finally, the data should not be stored for a period longer than is strictly necessary for the purposes for which they were obtained and processed. These periods will usually be linked to the limitation period for legal proceedings arising from the processing, i.e. the period during which the liability of the controller can be challenged. This principle is strictly applied, and the retention period should be explicitly grounded on a legal provision. For instance, when location data are processed for the provision of a location-based service by a telecommunications operator, they can be stored for up to one year, the period during which the user can contest the invoice. After this period, the location data should be automatically deleted or made anonymous.

2. Consent

2.1 Prior consent

The Data Protection Act admits several grounds for the processing of personal data. The main one relies on the consent of the data subject (Article 7). However, Article 7 admits derogations from this principle: for instance, the processing can be carried out without the consent of the data subject when it is based on the pursuit of the data controller's or the data recipient's legitimate interest, provided this is not incompatible with the interests or the fundamental rights and liberties of the data subject. This ground will play a significant role in the monitoring of employees. It means, for instance, that location data processing of an employee's vehicle does not require, for its legitimacy, the prior consent of the worker, whenever it responds to a legitimate interest of the employer and is compatible with the rights and liberties of the employee. The difficult task of interpreting this provision falls to the CNIL.

As mentioned above, when location data originate within a public electronic communications network, Article L.34-1 of the Posts and Electronic Communications Code requires the telecommunications operator to obtain the prior consent of the subscriber for the processing. Operators that intend to offer their own services on the basis of traffic data must obtain the subscriber's express consent. In the latter case, the consent can only be given for a limited period, which cannot exceed the period required for the provision or marketing of the service.

Article L.34-1.IV of the Posts and Electronic Communications Code introduces an exception to this rule for emergency calls, in order to facilitate the provision of assistance. In this case, the mere fact of calling an emergency service implies consent to the processing of the location data. The consent is valid until the end of the assistance or rescue operation and for this sole purpose.

2.2 Information provision

In order for the consent to be valid, it should be informed. Although the French Data Protection Act does not provide a definition of "consent", it introduces an obligation of prior information which plays a key role in the validity of the consent given, as it guarantees an enlightened, free and specific consent. Article 32 of the Data Protection Act compels the controller to inform data subjects of the controller's identity, of the purposes of the processing, of whether replies to the questions are compulsory or optional, of the possible consequences for them of not replying, of the recipients or categories of recipients of the data, of their rights of access, rectification, deletion and objection and, when applicable, of the intended transfer of personal data to a State that is not a Member State of the European Community.

Article L.34-1.IV of the Posts and Electronic Communications Code sets up a specific rule regarding the information to be provided. Before the processing, the subscriber should be informed of the data processed, of the duration and purpose of the processing, and of any transfers of the data to third-party service providers. This information should also be provided to the user, in order to enable him to exercise his right to object to the localisation.

2.3 Right to object

Article 38 of the Data Protection Act grants the data subject a right to object. This right is conditional on the existence of legitimate grounds, except where the processing satisfies a legal obligation or where an explicit provision of the decision authorising the processing excludes the application of these provisions. The controller is entitled to evaluate the legitimacy of the request and to deny it. In case of denial, the competent court will resolve the dispute.

Article L.34-1.IV of the Posts and Electronic Communications Code provides the subscriber with a right to object to the processing of their location data, at any time and free of charge (apart from the costs linked to communicating the withdrawal, e.g. the cost of the SMS), without having to justify the withdrawal. This article also grants a specific right to the user of the service, when he is a different person from the subscriber, to suspend the consent given by the subscriber, i.e. to deactivate the localisation device.
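The consent rules of section 2 (prior subscriber consent for a limited period, the emergency-call exception, the user's right to suspend, withdrawal without justification) and the one-year retention rule of section 1.3 translate directly into checks a location-based service has to enforce. The following Python module is an added illustration written for this page, not code from the FIDIS project; the class and function names, the sample subscriber and cell identifiers, and the choice to coarsen timestamps when anonymising are the editor's assumptions.

```python
"""Consent and retention checks for a location-based service, modelled on the
French rules summarised above (Article L.34-1 of the Posts and Electronic
Communications Code; Articles 6, 7 and 38 of the Data Protection Act).
Added illustration; names and sample data are assumptions, not project code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# One year: the period during which the user can contest the invoice.
RETENTION = timedelta(days=365)


@dataclass
class ConsentState:
    subscriber_consented: bool = False              # prior consent of the subscriber
    consent_expires_at: Optional[datetime] = None   # consent is given for a limited period
    user_suspended: bool = False                    # user (if not the subscriber) deactivated localisation
    emergency_call_active: bool = False             # Article L.34-1.IV emergency exception


def may_process_location(state: ConsentState, now: datetime) -> Tuple[bool, str]:
    """Decide whether a location fix may be processed right now.

    Order matters: the emergency exception overrides everything, then the
    subscriber's consent must exist and still be in force, then the user
    (when a different person) may have suspended it.
    """
    if state.emergency_call_active:
        return True, "emergency call: implied consent, for the rescue operation only"
    if not state.subscriber_consented:
        return False, "no prior subscriber consent"
    if state.consent_expires_at is not None and now >= state.consent_expires_at:
        return False, "consent period has expired"
    if state.user_suspended:
        return False, "user suspended localisation"
    return True, "subscriber consent in force"


def withdraw(state: ConsentState) -> ConsentState:
    """Withdrawal is unconditional: no justification is asked for, and the
    service must not re-arm consent on its own; a fresh opt-in is required."""
    state.subscriber_consented = False
    state.consent_expires_at = None
    return state


@dataclass
class LocationRecord:
    subscriber_id: Optional[str]   # None once anonymised
    collected_at: datetime
    cell_id: str


def apply_retention(records: List[LocationRecord], now: datetime,
                    anonymise: bool = False) -> List[LocationRecord]:
    """Delete (default) or anonymise every record older than RETENTION.

    Anonymisation here drops the subscriber identifier and coarsens the
    timestamp to the day (an assumption of this example), because an exact
    timestamped cell trajectory is still linkable to a person without the id.
    """
    cutoff = now - RETENTION
    kept = []
    for rec in records:
        if rec.collected_at >= cutoff:
            kept.append(rec)
        elif anonymise:
            day = rec.collected_at.replace(hour=0, minute=0, second=0, microsecond=0)
            kept.append(LocationRecord(None, day, rec.cell_id))
        # else: record is deleted
    return kept


# Constructed sample data (not real subscribers or cells).
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    LocationRecord("sub-001", SAMPLE_NOW - timedelta(days=10), "cell-A"),
    LocationRecord("sub-001", SAMPLE_NOW - timedelta(days=364), "cell-B"),
    LocationRecord("sub-001", SAMPLE_NOW - timedelta(days=400), "cell-C"),
]

if __name__ == "__main__":
    state = ConsentState(subscriber_consented=True,
                         consent_expires_at=SAMPLE_NOW + timedelta(days=30))
    print(may_process_location(state, SAMPLE_NOW))
    state.user_suspended = True
    print(may_process_location(state, SAMPLE_NOW))
    for rec in apply_retention(SAMPLE_RECORDS, SAMPLE_NOW, anonymise=True):
        print(rec)
```

The decision function returns the reason alongside the verdict so that refusals can be logged and shown to the user, which is what the information duty of section 2.2 requires in practice; the retention pass runs against the collection timestamp rather than a "last accessed" field, since the one-year period is tied to the invoice, not to use of the record.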

3. Confidentiality and rights of the data subject

Finally, it should be mentioned that, as with the processing of any kind of personal data, location data processing must be covered by security measures that guarantee the confidentiality of the processing (Article 34 of the Data Protection Act). These measures should be both physical and logical and should be adapted to the nature of the data processed and to the risks presented by the processing. Infringement of this provision is punishable by up to 5 years in prison and a fine of up to 300,000 euros (Article 226-17 of the Penal Code).

Moreover, the controller should ensure respect for the rights of the individual: the rights of access, of rectification and of erasure of the data. As already mentioned, the subscriber and the user of a location-based service have special rights to object to the processing at any time and free of charge (apart from the costs linked to communicating the withdrawal, e.g. the cost of the SMS).
