D11.6: Survey on Mobile Identity

The legal framework for LBS in Europe LEGAL FRAMEWORK: GENERAL PRINCIPLES

Legal framework: general principles

In the Netherlands the Dutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens, hereinafter: PDPA) is the general law regarding processing of personal data. Similar to the European Privacy Directive (95/46/EC), of which the PDPA is the Dutch implementation, this law applies to all cases except when they are superseded by specific provisions from other laws. One such case concerns the specific provisions for traffic and location data. The provisions of this Directive are implemented in the Dutch Telecommunications Act (Telecommunicatiewet, hereineafter: DTA), as adapted by Directive 2002/58/EC.

For the applicability of these acts, the distinction between telecommunications traffic data and location data is of importance. In this report, the focus is on Location Based Services and, thus, location data. However, it should be noticed that some traffic data are also location data. A further distinction has to be made between location data or traffic data which are necessary for billing purposes and interconnection services, and those that are not, because these are excepted from the general rule that processing is only permitted on the basis of consent. (Article 11.5a (2) and 11.5a (3) DTA).

The PDPA is the general law that applies to processing of personal data. If there is a legal ground for the processing of personal data, the PDPA prescribes certain conditions that have to be taken into account. Personal data shall be processed in accordance with the law and in a proper and careful manner (art. 6) and personal data shall be collected for specific, explicitly defined and legitimate purposes (art. 7). These are general conditions that have to be fulfilled if there is a legal ground for the processing. In addition article 9 restricts the processing to the purposes for which the personal data have been obtained, and the data shall not be stored for any longer than is necessary for achieving these purposes (art. 10 (1)). 

The first question that arises is what “personal data” are. The PDPA gives a definition in art. 1(a): 

“a. ‘personal data’ shall mean: any information relating to an identified or identifiable natural person”. 

This definition is the same as in the Data Protection Directive (95/46/EC). However, the scope of “identifiable” remains a difficult issue and needs to be judged on a case to case basis. The Explanatory Memorandum at the PDPA gives guidelines on how to assess whether or not a person is identifiable. There are two main factors that have to be taken into account: the kind of data and the ability of the controller to accomplish the identification. With respect to the kind of data reference is made to art. 2 (a) of Directive 95/46/EC. This provision mentions “factors specific to [the] physical, physiological, mental, economic, cultural or social identity” of the data subject. Furthermore, there is a distinction between directly and indirectly identifying data. ‘Directly’ means that the data are that unique to a particular person that, in general, with certainty or to a large extent of probability, this person can be identified. ‘Indirectly’ means that, under certain circumstances, data can be related to a specific person. This result may also be achieved with comparison or connection of data.

The second main factor is the ability of the controller to accomplish the identification. To judge this factor there are no absolute measurements. Guideline is to look at all the tools or devices that may reasonably be assumed to be available to the controller or any other person to accomplish the identification. This means that the ability depends on the function of the controller. For example, a policeman who has access to several (inter)national databases and who has specific legal competences to retain certain data will have more tools to identify a person than a civilian has.

Because of this second factor, it should be noted that technological development may have the consequence that certain data which are not considered to be personal data now, can be personal data in the future. New devices may offer the possibility to make the connection to a natural person. For this report, it is of importance that location data and traffic data can be personal data, as is shown in the general legal chapter (section 4.4). 

1. 1. 1. Processing of location data for the provision of Location Based Services

With regard to the processing of location data for the provision of Location Based Services the Telecommunications Act is applicable. In this Act the provisions regarding traffic data and location data of Directive 2002/58/EC are implemented. Article 6 of the Directive is implemented in article 11.5 of the Telecommunications Act and article 9 of the Directive in article 11.5a of the Telecommunications Act. These provisions cover processing of location data and traffic data by providers of public communications networks or publicly available electronic communications services.

Article 15 of the Directive is implemented in article 11.13 of the Telecommunications Act. The Explanatory Memorandum on the implementation of the Directive in the Telecommunications Act mentions the derogations on the scope of rights and duties of some provisions of the Directive. In this respect also article 5 of the Directive is mentioned on the confidentiality of the communications. However, the same Explanatory Memorandum states, with regard to article 5, that further research is needed and that the article will not be implemented so far. At this moment there is no implementation of article 5 in the Telecommunications Act. However, this does not imply that there is no regulation on the confidentiality of communications in the Netherlands. Article 13 of the Dutch Constitution (Grondwet) provides a general right on confidentiality of communications.

1. 1. 1. 1. Purpose specification and proportionality

According to article 11(1) of the PDPA, personal data shall only be processed where, given the purposes for which they are collected or subsequently processed, they are adequate, relevant and not excessive. In addition, article 7 states that personal data shall be collected for specific, explicitly defined and legitimate purposes. With a focus on location data, these purposes can be found in the Telecommunications Act. Processing is allowed for billing purposes and for the provision of value added services. For other purposes processing is only allowed after the data are being made anonymous or with consent of the subscriber or user. (11.5a (1) and (3) DTA) The Dutch definition of ‘consent’ can be found in article 1(i) of the Dutch Personal Data Protection Act and is exactly similar to the definition in article 2(h) of Directive 95/46/EC.

1. 1. 1. 1. Processing for billing purposes

Providers of public electronic communications networks have the opportunity to process traffic data of subscribers for billing purposes. Article 11.5(2) of the Telecommunications Act states that: 

“The provider may process traffic data necessary for the purpose of subscriber billing, including drafting a bill for a subscriber or a person who has legally bound himself to the provider to pay the bill, or for the purpose of interconnection payment. The processing of traffic data is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.” 

This provision is the implementation of article 6(2) of Directive 2002/58/EC with some information added. The added information is the explanation that subscriber billing includes drafting bills for subscribers and for other persons who legally bound themselves to pay the bill. In fact, this only seems to be an example that is covered by the term “billing purposes” in the Directive. The Dutch provision does not seem to have a different scope than is prescribed by the Directive.