D11.5: The legal framework for location-based services in Europe



 

Legal framework for processing location data by private parties

Most location data processing by private parties takes place in the field of public electronic communications networks through the use of Location Based Services. Such processing will thus fall under the provisions of both the Code of Posts and Electronic Communications and the Data Protection Act. Specific issues arise regarding the localisation of the user of the localisation device, e.g. a mobile phone, by the subscriber of the service. Even if the service provider should rely on the prior consent of the subscriber, it is not compelled by the legislation to obtain the prior consent of the user as well. However, the processing of the user’s location data by the subscriber does have to be legitimated by one of the grounds listed in Art. 7 of the Data Protection Act. The difficulty comes from the fact that this article allows the processing of personal data without the prior consent of the user in some specific cases. The CNIL and the jurisprudence have the difficult task of balancing these competing interests and of modulating the application of the rules in a manner respectful of the fundamental rights of the data subject.

Three different cases dealt with by the CNIL will be mentioned in order to give a better understanding of the delicate equilibrium established between freedoms and the use of Location Based Services in France. The first one refers to the processing of location data in the context of a labour relationship, when the employer’s right to organise the work activity and the production process collides with the employee’s fundamental rights, such as privacy and the freedom of movement in an anonymous way. The second one refers to a case where the CNIL considered that the free consent of the data subject could not be guaranteed and thus denied the possibility of legitimating the processing on this basis. Finally, the problems raised by the control of minors by their parents, through the possibility given by Mobile Operators to localise mobile phones, will be presented.

      1. Surveillance of employees

The processing of workers’ personal data should respect not only the principles set up by data protection legislation and by Art. L.34-1 of the Code of Posts and Electronic Communications but also some specific guarantees established by Labour Law. These provisions form a complex network of obligations that the employer has to comply with:

  1. Labour Law will apply to the possibility and conditions of employees’ monitoring

  2. The Data Protection Act will apply to the processing of the employees’ location data by the employer

  3. The Code of Posts and Electronic Communications will apply to the relation between the Operator and the employer, which implies the recognition of certain rights for the employee who is using the device.

The use of localisation devices by the employer may serve purposes ranging from the surveillance of employees to improving work organisation through the optimisation of routes, as is the case for taxi companies. The legitimate interest of the employer and the fundamental rights of the employee will thus have to be carefully balanced.

        1. General principles from labour law

Three general principles deriving from Labour Law apply to the processing of employees’ personal data (CNIL, Cybersurveillance sur les lieux de travail, 2004:8): proportionality, transparency and prior consultation of the workers’ representatives.

Proportionality 

Article L120-2 of the Labour Code stipulates that: “No one can restrict personal rights and individual and collective freedoms whenever they are not justified by the nature of the task which should be accomplished, nor proportionate to the purpose.” The effective implementation of this principle is controlled by the Courts. This allows an ex-post control of the restrictions imposed by the employer on the rights and liberties of the worker, and forms part of the definition of the borders of private life in the workspace.

Transparency 

Article L121-8 of the Labour Code introduces an obligation to inform both workers and candidates before their personal data are collected by a device and processed. This principle echoes the obligation of prior information laid down by the Data Protection Act.

Collective Consultation 

Article L432-2 of the Labour Code creates the obligation to inform and consult the Works Council prior to any project introducing new technologies when they may have consequences for working conditions. Moreover, Article L432-2-1 stipulates that the Works Council should be consulted before any decision to implement in the company any technique for controlling the working activity. The violation of this obligation constitutes a hindrance [délit d’entrave] (Article L438-1 of the Labour Code). The texts applying to the civil service establish a similar obligation of information and consultation.

        2. Data protection obligations in the Data Protection Act and the Posts and Electronic Communications Code

The CNIL has issued some general guidelines since the year 2002 regarding the cyber-surveillance of workers, defining the rules which should apply to this specific context. Cyber-surveillance aims at controlling the physical presence of the worker but also his precise location. Nowadays, the processing of location data allows surveillance by the employer to go one step further and to control the movement of the employee inside or outside the workspace.

In response to the vast development of location data processing by employers for the purposes of improving the production process or of controlling working hours, the CNIL issued a series of documents defining the rights and obligations of controllers. First of all, a recommendation was adopted on the implementation of devices for the localisation of vehicles used by the employees of a public or private body, based on the results of a vast consultation of public authorities, professional organisations, trade unions and location based service providers conducted during 2005. It has been followed by a simplified norm of declaration. This means that data processing which respects the guidelines provided by the simplified norm is not expected to harm privacy or other fundamental rights (Article 23 of the Data Protection Act) and could benefit from a simplification of the administrative procedure for the declaration. Some general guidelines have also been issued for the controllers.

The CNIL recommendation only applies to the processing derived from the monitoring of professional vehicles used by employees for the needs of their professional activity in public and private bodies. It does not apply to the chronotachygraphs of drivers transporting persons and goods. Such processing is mainly based on the use of GSM/GPS technology, which permits the display on a map of the exact position of a vehicle (CNIL, 2005 Annual Report: 83). Therefore, it allows a close control of the activity of the worker. These rules could be extended to the use of other localisation devices by employees for their working activity, such as, for instance, the use of mobile phones.

The main issue, which led the CNIL to publish this recommendation, lies in the difficult balance between the right to privacy and the right of the employer to organise and control the working activity. Moreover, the use of location devices could intrude into the private life of the worker and make the separation between professional and private life more difficult. Finally, the processing of location data could give the employer information which goes beyond what is strictly necessary for the purpose of the processing. The data minimisation principle will act here as a specific safeguard.

Finality and legitimacy 

According to the finality principle, the use of location data shall respond to a specific need linked to the employer’s activity. Respect for this principle should avoid a disproportionate control over employees (CNIL, 2005 Annual Report: 83). As mentioned above, the location data processing, in order to be legitimate, should also comply with Article L.120-2 of the Labour Code and not restrict the rights and freedoms of individuals unless the restriction is justified by the nature of the function and proportionate to the purpose.

On this basis, the recommendation defines a list of purposes considered as legitimate and justified: 

  1. Improvement of security of individuals or goods carried 

  2. Improvement of the assignment of means to provide services in different places 

  3. Improvement of the production process, through a better assignment of resources (e.g., the possibility of sending the closest vehicle to a specific place where the service has to be provided, such as with taxis), or indirectly through the analysis of the itineraries (e.g., analysis of the time needed to complete an activity)

  4. Follow-up and billing of services linked to the use of the vehicle, e.g. intervention in the road network, collection of rubbish, etc. 

  5. The control of working hours, when it cannot be achieved by other means. The processing of location data cannot be justified when the employee is free to organise his work.

Information and consent: deactivation of the device 

Art. L.34-1 of the Code of Posts and Electronic Communications compels the Telecommunication Operator to obtain the prior and informed consent of the subscriber. When the subscriber is not the person who will use the device, this article recognises a right to suspend the consent given by the subscriber, i.e. to deactivate the localisation device. This means that although the consent of the user is not required, he should be informed of the processing in the terms specified by this article in order to be able to suspend the consent given. In the specific case of a labour relationship, the employee is using a localisation device placed by the employer, who will subscribe to the service. Therefore, only the consent of the employer is required prior to the activation of the service. However, the employer should inform the user, i.e. the employee, of the existence of the processing in the terms of Art. L.34-1.IV and of his right to deactivate the device. Here, a difficult balance should be struck in order to define when the employer can compel his employees to keep the device activated and thus allow him to process the location data. This processing should be legitimated by one of the grounds listed in Art. 7 of the Data Protection Act. However, as consent cannot be freely given in this situation, because of the imbalance which characterises the labour relationship, the CNIL compels the employer to legitimate the processing on the grounds mentioned above.

Moreover, the processing of location data in the workspace raises two questions: the level of control an employee can be subject to, and the borders between private and professional life. The limits established by consent in the general data protection system are blurred in the workspace, as long as the employer has his own legitimate interests in this processing.

Therefore, even if such data processing could be legitimate, it can never lead to a permanent surveillance of the employee, and thus cannot be justified outside working hours. This interpretation will be of particular importance in the case of professions which require the worker to change place of work, such as medical visitors, commercial agents, etc. As a consequence, employees should have the possibility of deactivating the service outside their working hours when they are allowed to use the vehicle for private purposes. Employees with a trade union mandate should not be monitored when they act within the exercise of their mandate.

Data quality 

Regarding the data collected, location data processing provides a significant quantity of information, not always relevant to the purposes. For instance, the devices put in a vehicle for the purpose of localisation could provide information on the kilometres travelled, the average speed, the maximum and minimum speed, and even the way of driving. The processing of these data could lead to the recognition of offences and thus cannot be carried out by private bodies. Article 9 of the French Data Protection Act stipulates that the processing of personal data relating to offences, convictions and security measures may take place only by: the courts, public authorities and legal entities that manage public services, within the framework of their legal remit; the representatives of the law for the strict needs of the exercise of the functions granted to them by the law; the legal persons mentioned in Articles L321-1 and L331-1 of the Intellectual Property Code, acting by virtue of the rights that they administer or on behalf of victims of infringements of the rights provided for in Books I, II and III of the same Code, and for the purposes of ensuring the defence of these rights.

Confidentiality 

Access to the data should be limited to the sole persons who need it for the accomplishment of their activity (e.g., persons in charge of the planning or coordination process, persons in charge of security of the transport and shipment of persons and goods, or the human resources head). Besides, relevant security measures required to guarantee the confidentiality of the data should be implemented. At a minimum, individual access to the data should be protected by a UserID and a password, regularly renewed, or by any other means of identification.

Retention of the data 

Regarding the storage period of the data, the CNIL considers that a period of two months is not excessive. However, the data can be preserved for longer periods for historic purposes or for optimising the organisation, or to prove the services provided, whenever it is not possible to prove it by other means. Moreover, the data can be preserved up to one year in case the service is being challenged. In other cases, the controller shall refer to the existing legal provision, e.g. in case of the control of working hours through location based systems. Only the data related to the working hours should be stored for a period of up to five years, while the location data should be erased. 

      2. Processing of location data by Insurance Companies

The following case illustrates another situation where consent is not considered as sufficient grounds for the processing of location data, in the context of localisation of third parties, i.e. where the subscriber and the user are two different persons.  

An Insurance Company submitted to the CNIL a project of a new insurance policy aimed at young drivers and based on the processing of the speed of the vehicle and hours of driving. In the new policy, the driver agrees not to drive during the nights of Saturdays, Sundays and bank holidays between 2 a.m. and 6 a.m. and to be monitored in order to ensure he respects his contractual obligations, in exchange for a reduction in price. He agrees that the Insurance Company processes his data relative to location, speed, type of road, hours and driving duration. The data would be sent through a device placed into the car every two minutes. The insurance policy would include an assistance service in case of accident, breakdown and theft. 

This processing has not been authorised by the CNIL, on the ground that monitoring all the driver’s movements does not comply with the legal requirement of proportionality, as long as it is implemented exclusively to ensure that the driver respects his contractual obligations. Besides, the CNIL considers that the systematic collection of vehicle location data for the purpose of modulating insurance rates harms the freedom of movement in an anonymous way in an unjustified manner.

Moreover, in this specific case, this processing could fall under the prohibition of Article 9 of the Data Protection Act, as it could lead to recording data related to offences. As mentioned above, such processing should be authorised by the CNIL (Article 25-3 of the Data Protection Act) and cannot be carried out by Insurance Companies.

This example illustrates the fact that consent does not constitute by itself a legitimate ground to justify all processing of location data. The processing of these personal data has important implications for the right to have a private life but also for the freedom of movement in an anonymous way. 

      3. Processing of minors’ location data

Another problematic case raised by Location Based Services is the localisation of minors by their parents. Once again, the legitimacy of the processing and the grounds the parents should use to be able to access the location data of their children raise a number of important issues. In this case, the Mobile Operator provides the subscriber, i.e. the parent, each time he requests it, with the location of the mobile phone, i.e. of the minor. This service raises the problem of the application of data protection rules to minors, and in particular whether minors should give their consent to the processing or whether parental authority is sufficient to legitimise the processing.

In France, no specific legislation regarding the localisation of children has been enacted. Therefore, the rules set up by Art. L.34-1 of the Code of Posts and Electronic Communications apply to this kind of processing. The minors, who in this case are the users, have a right to object to the processing as users of the services, and should be informed before the processing takes place. The CNIL required that the service providers obtain the prior consent of the child, who has to authorise the first subscription through SMS, and that they inform the child of each request of localisation. Moreover, it usually requires the Service Providers to inform users about the risks of an abusive use of the service (D. Gasse, Proteccion de datos personales y geolocalizacion, 2006).

In 2002, after the approval of Directive 2002/58/EC, the CNIL launched a public consultation in order to get feedback from citizens, as the problem is broader than a strict application of data protection rules and implies considerations related to education. The working assumption was that this system should be discussed insofar as it might not be the most adequate for educating minors. The principle of parental authority could not always justify the collection of the consent of the child.

The results of the public consultation show that 85% of the parents think this service is more or less legitimate, on the basis of an improvement of the security of the child. Only 20% of the parents are opposed to this processing, while 57% think it is completely legitimate. Some of the parents highlight the risk of “responsibility depreciation” (deresponsabilisation) of the parents, while many think that this processing can be justified by their general obligation of control derived from parental authority, or consider it a just compensation for paying for the child’s communications.

According to the survey, the control would mainly affect minors between 13 and 16 years (high school). Above 16 years, the children gain more autonomy from their parents who do not feel the need to localise them anymore. The question of autonomy and trust in the parent-children relationship is the main argument of parents opposed to this processing. 

Regarding the consent of the minor, 45% consider that it constitutes an appropriate guarantee, 38% think that the child is not really free, and 18% do not even think they should need to ask their child for their agreement.

No action from the CNIL has been taken so far, nor is any expected.  

 
