
D11.6: Survey on Mobile Identity

The deliverable in hand provides the results of an explorative survey on the
control model for identity related data in location-based services (LBS)
presented in FIDIS deliverable D11.2.
The survey was performed to explore the influence of LBS characteristics (pull
vs. push based, indirect vs. direct profile creation) on the perceived amount of
control participants have about the disclosure of their identity.
Four scenarios, each reflecting a different aspect of the control model, have been
designed and tested.



Introduction  The legal framework for LBS in Europe
LEGAL FRAMEWORK: GENERAL PRINCIPLES
 Legal framework for processing location data by public authorities

 

Legal framework: general principles

  1. Collection, processing and use of personal data

German data protection law is regulated in the Federal Data Protection Act, the Data Protection Acts of the German states and regulations in specific fields of law.  

Scope of the Federal Data Protection Act

The Data Protection Acts of the German states are applicable if the controller is a public body of the respective state. The Federal Data Protection Act is applicable if the controller is a public body of the Federation or a private body.

The Federal Data Protection Act was passed in 1977. Germany did not transpose Directive 1995/46/EC within the set period of three years. On 23 May 2001 the Federal Data Protection Act was modified to implement the directive into German law. Of the sixteen German states only Hesse and Brandenburg met the deadline for transposing the Data Protection Directive into national state law. This report will focus on the regulations laid down in the Federal Data Protection Act, as Location Based Services are provided by private bodies and the legal requirements for the provision of LBS are to be found in the Federal Data Protection Act, the Telecommunications Act and the Telemedia Act.

As a general rule, the collection and processing of data identifying an individual or relating to an identifiable person in Germany requires a statutory basis or the consent of the data subject. Without these the collection and processing is illegal. A definition of personal data is laid down in Article 3 paragraph 1 BDSG: “Personal data means any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject)”. If data allows determining the location of a natural person at a specific point in time, this information is personal data. The collection, processing and use of location data must comply with the provisions laid down in the Federal Data Protection Act, if no specific regulation for a specific kind of location data is applicable. 

Generally, the Federal Data Protection Act does not apply where a specific law is in place regulating the field of law in question. The following figure presents the general relation of provisions covering the use of personal data in German law.

 

Figure : Order of application of legal bases

The Federal Data Protection Act provides general rules on the collection, processing and use of personal data. 

General privacy principles

General privacy principles as laid down in the OECD Guidelines, Convention 108 and the Data Protection Directive have been transposed into German law and are regulated in the federal and state data protection acts. These principles include the purpose binding principle, the proportionality principle, transparency of processing and furthermore obligations with regard to the quality and security of data.

According to Articles 27 and 28 BDSG private parties may collect and process data only in compliance with a previously defined purpose. This purpose must be legitimate, which means it must be covered by existing legal requirements or the data subject’s consent, Article 4 paragraph 1 BDSG. The data collected and processed must be necessary to achieve the previously defined purpose and the intrusion into the right to personal self-determination shall not be excessive in relation to the pursued purpose.

The data subject shall be aware of his data being processed. Several measures are in place to achieve this transparency. As a general rule, data must be collected from the data subject so that he is aware of the collection, Art. 4 paragraph 2 BDSG. Upon collection the controller must provide information as to the identity of the controller, the purposes of collection, processing and use and the categories of recipients, Art. 4 paragraph 3 BDSG.

The data subject’s consent (Art. 4a BDSG) to data collection, processing and use shall be effective only when it is based on the data subject’s free decision. The consent must be an informed consent. This means the data subject shall be informed of the purpose of collection, processing or use and of the consequences of withholding consent. Consent shall be given in writing unless special circumstances warrant any other form. Finally, the data subject shall be notified if his personal data is stored for the first time without his knowledge, Art. 33 BDSG.

Several rights of the data subject shall ensure the quality of data. The data subject may request information on stored data concerning him, including any reference in them to their origin and recipient, the purpose of storage and recipients or categories of recipients, Art. 34 BDSG. This right to obtain information is a precondition for exercising the right to correction of incorrect data, erasure of data if their storage is inadmissible, or the blocking of data, Art. 35 BDSG.

Finally, controllers must ensure the security of data by technical and organisational measures as set out in the annex to Article 9 BDSG.

After giving an overview of the provisions of the transposition of Directive 2002/58/EC by means of modifying the Telecommunications Act, a description of the legal requirements for Location Based Services will follow. 

      1. Transposition of Directive 2002/58/EC

The most distinct definition of location data is laid down in the Telecommunications Act. Directive 2002/58/EC on privacy and communications was transposed into national law by means of a modification of the Telecommunications Act passed on 26 June 2004. Germany did not meet the deadline for transposition laid down in Article 17 of the Directive, which required a transposition before 31 October 2003. The changes in the Telecommunications Act were subject to extensive parliamentary debate in the mediation committee of the Upper and the Lower House of Parliament. In Articles 91 to 107 the modified Telecommunications Act now contains a new part regulating data protection in the communications sector.

The provisions of the Telecommunications Act (TKG) apply if personal data of telecommunications subscribers and users is collected or used by companies or persons providing telecommunication services on a commercial basis. The Telecommunications Act applies in place of the Federal Data Protection Act, being the specific regulation with regards to the processing of personal data in the electronic communications sector. The Federal Data Protection Act supplements the Telecommunications Act if the latter does not conclusively cover a case. The right to obtain information as well as the right to correction of incorrect data, erasure of data if their storage is inadmissible, or the blocking of data is based on the BDSG also in the context of processing of data of telecommunications subscribers. 

        1. Customer data, traffic data or location data

The provisions of the TKG differentiate between three types of personal data usually collected and used for the provision of telecommunications services. Customer data is defined as the data of a subscriber collected for the purpose of establishing, framing the contents of, modifying or terminating a contract for telecommunications services, Art. 3 lit. 3 TKG. Traffic data means data collected, processed or used in the provision of a telecommunications service, Art. 3 lit. 30 TKG. And location data means any data collected or used in a telecommunications network, indicating the geographic position of the terminal equipment of an end-user of a publicly available telecommunications service, Art. 3 lit. 19 TKG. Furthermore, the Telecommunications Act provides a definition of a location based service: ‘Value added service means a service which requires the collection and use of traffic data or location data beyond that which is necessary for the transmission or billing of a communication’, Art. 3 lit. 5 TKG. 

The collection and use of customer data is regulated in Art. 95 TKG.  

Customer data comprises  

  1. name and address of subscriber,  

  2. banking information and  

  3. the kind of contracted service.  

The focus of this report is on an analysis of the collection and use of location data. By means of the customer data collected the geographic location of terminal equipment can be linked to a natural person. 

The collection and use of traffic data is regulated in Art. 96 TKG. This provision transposes Art. 2 lit b) of the Directive on privacy and electronic communications.  

Traffic data comprises 

  1. the calling telephone number, 

  2. the numbers dialled or other identification of the lines in question, 

  3. the location data, if mobile handsets are used,  

  4. the beginning and end of a connection, 

  5. the telecommunications service used by the user, 

  6. the termination points of fixed connections, the beginning and end of their use, 

  7. any other traffic data required for set up and maintenance of the telecommunications service and for billing purposes. 

The retention period for traffic data is regulated in Art. 96 paragraph 2 TKG. According to this provision traffic data may be used after the termination of a connection only where required to set up a further connection or for the purpose of  

  1. charging and billing,  

  2. itemised billing,  

  3. detection, location and elimination of faults and malfunctions in telecommunications systems, 

  4. information on incoming calls. 

If none of the listed exemptions apply, traffic data currently are to be erased by the service provider without undue delay following termination of the connection. Transposing Directive 2006/24/EC on data retention will substantially extend this retention period. Germany has chosen to introduce the shortest retention period possible and will require a six-month retention of traffic data. The Federal Ministry of Justice issued an unofficial draft for a transposition law.

The collection and use of location data is regulated in Art. 98 TKG. This provision was introduced in the course of harmonisation of TKG with Directive 2002/58/EC. Prior to 2004 no regulation on location data and value added services existed in German law and their legal classification posed difficulties. Location data relating to users of telecommunications services may be processed only when they have been made anonymous or with the consent of the subscriber to the extent and duration necessary for the provision of value added services. The subscriber is obliged to inform his co-users of all such given consent. Consent may be withdrawn at any time. Currently, location data may only be stored for the duration necessary for the provision of the LBS.  

The Cell-ID is considered location data which at the same time is necessary for the conveyance of the service and is thus also regarded as traffic data. Location data not required to establish a connection with the mobile handset but collected for other purposes is considered location data, too. It is possible to differentiate between location related traffic data and precise location data.

        1. Requirements for information provision and consent by electronic means

When concluding a contract, service providers shall inform their subscribers of the nature, extent, place and purpose of the collection and use of their personal data in such a way that the subscribers are given notice, in a readily comprehensible form, of the basic data processing facts, Art. 93 TKG. This duty to provide information includes information on which kind of location data is processed, the purpose of processing and the retention period. If, for the provision of a location based service, it is necessary to transmit personal data to third parties, this information shall be provided, too.

The service-provider may use subscriber-related traffic data used by the provider of a publicly available telecommunications service for the provision of value added services for the duration necessary only where the data subject has given his consent to such use, Art. 98 TKG. While Art. 4a BDSG as a general rule requires a written consent of the data subject, the Telecommunications Act lays down a specific provision for consent by electronic means in Art. 94 TKG. According to this provision consent may also be given electronically where the service provider ensures that: 

  1. the subscriber or user has given his consent deliberately and unequivocally, 

  2. consent is recorded, 

  3. the subscriber or user can access his declaration of consent at any time, and 

  4. the subscriber or user can withdraw his consent at any time with effect for the future. 

The Telecommunications Act differentiates between a subscriber of a telecommunications service and user of telecommunications services. According to Art. 3 lit. 20 TKG subscriber means a natural person or a legal entity who or which is party to a contract with a provider of telecommunications services for the supply of such services. User means a natural person using a telecommunications service for private or business purposes, without necessarily having subscribed to that service. The child or husband using the mother’s or wife’s cell-phone is therefore a user with regards to TKG provisions.  

Consent to use of location data not anonymised can be given only by the subscriber, Art. 98 paragraph 1 TKG. The subscriber shall inform his co-users of all such given consent. This regulation contradicts Art. 6 paragraph 3 and Art. 9 paragraph 1 of Directive 2002/58/EC that require consent of subscriber and user. Reasons given for this derogation of Directive 2002/58/EC are telecommunications service providers’ lack of awareness of users other than the subscriber and impossibility to link location data to other individuals than the subscriber whose customer data was collected upon subscription. 

        1. Billing

While Art. 96 TKG regulates which data may be collected as traffic data at all, Art. 97 TKG lays down the requirements for their further use for billing purposes. Service providers may use traffic data only to the extent that the data are required to charge and bill their subscribers. Currently, traffic data not necessary for billing must be erased following termination of the communication. 

      1. Legal Requirements for Location Based Services

Location information of data subjects using mobile devices is very sensitive with regard to privacy as it allows positioning of the cell phone user at any given time. The service provider is enabled to address its customer in a personalised manner and with regard to his local surroundings. Location data can be aligned and utilised for the creation of extensive and meaningful customer profiles, allowing conclusions with regard to relations and habits of the data subject as well as prediction of future behaviour. 

At least three parties are involved in the provision of a network based LBS using GSM localisation:  

  1. the content provider who offers the content of the LBS,  

  2. the telecommunications service provider, 

  3. the user. 

As described before, the legal requirements for the personal data of telecommunications service subscribers and users are laid down in the Telecommunications Act and the Federal Data Protection Act. For the provision of a LBS a third Act must be considered in addition. Since March 2007 the content of a ‘telemedia service’ must comply with the Telemedia Act. Telemedia services are all electronic information or communication services which are not telecommunications services. The content of a LBS is regarded as a telemedia service as it exceeds common telecommunications services like voice communication and SMS and provides new, multimedia content. The following figure exemplifies the relation between the parties involved in the provision of LBS.


Figure : Parties involved in network-based reactive LBS provision

While a three-sided relation is common, the telecommunications service provider can also be providing the content of the LBS. The relation is then two-sided. The above figure illustrates that a content provider can only create a profile for one section of all services requested by the user. It is the telecommunications service provider who could link information on all services used and all location data processed.  

 

Columns: Covered by TMG; Covered by TKG

Rows:

  1. Collection of location data by TSP to convey telecommunications service

  2. Transmission of location data from TSP to CP

  3. Use of location data to provide content


Table : Overview of use of location data and applicable law

The content provider has to comply with the provisions set out in the TMG and the telecommunications provider must comply with the regulations of the TKG. TKG and TMG cover different obligations and rights for the user, content provider and telecommunications service provider. It is therefore necessary to examine compliance separately for the content provider and the telecommunications provider. The transmission of location data from the telecommunications service provider (TSP) to the content provider (CP) usually is within the scope of the Telecommunications Act, while the use of location data to provide the LBS is covered by TMG.

        1. Collection of location data for conveyance of communication

The collection of location data initially is conducted by the telecommunications service provider to convey communication and in this context is location related traffic data. Art. 96 paragraph 1 lit. 1 and 5 TKG allows collection of location data (in this case the Cell-ID) as it is necessary for set up or maintenance of the telecommunications connection. At this point, there is no relation of the location data to the later use for LBS provision. The later use for LBS provision follows a new purpose. 

        1. Transmission of location data

The legitimacy principle applies if personal data collected for a specific purpose is to be used for a new purpose. The use for a new purpose is permissible only if a statutory basis allows the specific further use. The further use of location data for LBS provision is not permitted by Art. 96 paragraph 1 TKG as this provision requires erasing by the service provider without undue delay following termination of the connection. Location data is not covered by the exemptions in paragraph 2 which allow longer retention. The obligation to delete location related traffic data immediately after termination of the connection does not apply if further retention or use can be based on a different legal basis. In this context Art. 98 TKG allows the use of location data that is not anonymised if the data subject consented to this use. This consent may not only cover location related traffic data but also precise location data.  

        1. Use of location data for provision of LBS

The content provider may use location data for the provision of a LBS only if use is covered by a statutory basis or the data subject has consented. Articles 11 to 15 TMG lay down regulations for the use of personal data in the context of telemedia service provision.  

The Telemedia Act differentiates between customer data (Art. 14 TMG), data concerning the service provision (Art. 15 TMG) and billing data (Art. 15 paragraph 4 TMG). Customer data comprises 

  1. name, 

  2. address, 

  3. customer reference number, 

  4. profile data (hobbies, taste, preferences). 

Data concerning service provision comprises 

  1. profile data when used for provision of specific service, 

  2. location data. 

Billing data comprises 

  1. bank details. 

The content provider shall use personal data only if necessary to enable use of the telemedia service, Art. 15 TMG. Provision of LBS must be covered by the purpose of the contract. LBS provision is possible only if data on the location of the data subject is processed. The data subject’s consent to the further use of location data for LBS provision is thus not required by the TMG. The LBS request can only be met if location data is processed. The TMG (Art. 13 TMG) however obliges the content provider to inform the data subject at the beginning of the LBS use as to 

  1. kind of data collected and used, 

  2. scope of data collected and used, 

  3. purpose of data collection and use. 

As consent is obligatory at the stage of collection of location data by the telecommunications provider, the lack of a second obligation to obtain consent for the content provider does not undermine the right to informational self-determination.  

On a European level a distinction between telecommunication services and telemedia services does not exist. The German legal requirements for the collection and use of location data for the provision of LBS do meet the requirements set out in Art. 9 paragraph 1 of the Directive on privacy and electronic communications as they require consent at the early stage of data collection. 

 
