D11.6: Survey on Mobile Identity

The legal framework for LBS in Europe INTRODUCTION

Introduction

Only a few years ago services which take into account the location of the user were expected to find wide use within a short timeframe as technologies for determining the geographic location of cell phones and other mobile devices have become increasingly available. A survey carried out in 2003 by the registered association of German Internet enterprises (eco) came to the result that the success of Location Based Services (LBS) would determine the future of mobile business. 76% of the interviewed experts considered LBS a key factor for the success of mobile business and forecasted a breakthrough of Location Based Services in 2005. However, the German market for Location Based Services has not expanded as predicted by providers of such services. By now all German mobile network operators offer Location Based Services. Still, a breakthrough of LBS in mobile networks is expected as the use of sophisticated mobile devices such as smart phones, fast UMTS data transmission in combination with more exact location technologies using satellite positioning technology like GPS, A-GPS or from 2008 Europe’s Galileo has increased. Slow WAP transmission, poor accuracy of location data resulting from GSM positioning using cell-ID and rather poor graphic displays of mobile devices allowing only the presentation of LBS results as text, belong to the past.

The variety of Location Based Services is broad. Services available in Germany include navigation, community-services like buddy tracking, services enabling the positioning of a cell-phone in case of an emergency or upon a differently motivated request, automatic payment services or fleet management. Also, electronic bracelets for elderly disoriented persons are offered allowing carers to position the cared-for person using GSM accuracy. Furthermore, a GPS tracking service for children is also available.

Location information of data subjects using mobile devices is very sensitive with regards to privacy as it may enable the tracking of data subjects. Location data can also enable social and behavioural profiling. It is possible to distinguish between proactive and reactive Location Based Services. For proactive LBS the user is continuously tracked in order to recognise events relevant for the LBS. This could for example be a target reaching a point of interest or a specific threshold value. For a reactive location based service the user of the mobile device requests a service based on his location and on actual demand. In this case the user initiates a limited tracking of his current position at the moment he requests a service. With regards to transparency and obtaining the data subject’s distinct consent for a positioning process, reactive LBS require a conscious action triggering or approving localisation and therefore reduces the possibility of unobserved tracking of a person.

The Federal Data Protection Commissioner (BfDI) has on several occasions addressed privacy concerns with regards to LBS. Tracking services allow secret surveillance without the data subject’s knowledge and security mechanisms like a confirmation SMS requesting the tracking can be circumvented without the data subject being aware simply by using the cell phone for a couple of unnoticed minutes. The Commissioner stated that he was currently debating with the Federal Ministry of Justice to introduce a provision which would turn secret positioning of individuals into a criminal offence. Furthermore, he voiced concerns with regards to recent developments in the insurance sector. Insurance companies have tested “pay as you drive” car insurance. Cars are equipped with an “on board unit” (OBU) which uses GPS to collect detailed information on actual driving behaviour (roads used, time of driving, travelled kilometres) and GPRS to transmit this information to a service provider. The service provider automatically analyses this information to assess the level of risk associated with the specific route taken at the specific time, also taking into account who drove the car (e.g. the owners child who just got his licence or a skilled driver who in 30 years has not had even one accident). Commissioner Schaar, who currently heads the Art. 29 data protection working party, said he would bring this issue to the attention of the working party as the technology bears risks to the privacy not only of the car owner but also of other people who drive the car. Pay as you drive enables a constant surveillance and the BfDI stressed his apprehension that the comprehensive driving data could be linked with other data for further profiling or be accessed by law enforcement authorities. Schaar warns uncontrollable databases may be established.

Private parties wanting to access location data of third parties (like employees) which was collected by telecommunications service or location based service providers will not find specific regulations in place covering this case. The general provisions of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the Telecommunications Act are thus applicable.

This section will look into the access to location data by public parties (law enforcement authorities) and private parties (employers). A definition of location data is laid down in the Telecommunications Act, which transposed Directive 2002/58/EC. The provisions transposing Directive 2002/58/EC will be described in detail. These regulations are not the only provisions referring to the location of an individual in German law. An overview of additional laws will be given. Furthermore, the provisions applicable to the provision of Location Based Services will be presented.