D11.6: Survey on Mobile Identity
The deliverable in hand provides the results of an explorative survey on the
control model for identity related data in location-based services (LBS)
presented in FIDIS deliverable D11.2.
The survey was performed to explore the influence of LBS characteristics (pull
vs. push based, indirect vs. direct profile creation) on the perceived amount of
control participants have over the disclosure of their identity.
Four scenarios, each reflecting a different aspect of the control model, have been
designed and tested.
Legal framework for processing location data by private parties
For the provision of value-added services, access to location data by private parties can be allowed, as already discussed in the general legal chapter. In section 8.4.1 the use of location data in an employer-employee relationship within the Netherlands will be discussed. Section 8.4.2 gives some brief examples of other applications in the Netherlands in private relationships.
As described in the general legal chapter, privacy and processing of personal data in an employment relationship lead to specific questions. How does privacy legislation apply in a working sphere? Can an employee rely on privacy during working time when using devices from his employer? Or if he uses a car from his employer with a GPS system built in, can he reasonably expect that his employer will not use the location data in order to control work efficiency? And are there important differences between a working sphere and requests for location information from other private parties, not being an employer?
In an employee-employer relationship it can be justifiable for an employer to check e-mail and internet use of his employees. The Dutch Data Protection Authority has published a report, “Working well in networks”, in which guidelines are provided on how to check e-mail of individual employees. It states that logging can be used, but should be restricted to traffic data as much as possible. By using traffic data (sender, receiver, date, time and destination) it is possible to forward messages to the right department or person. Further details and content of the communication are, in general, not necessary and should be avoided. Furthermore, it is recommended that traffic data are only processed and stored as long as necessary for the aim of processing.
In the Netherlands there is a lot of case law concerning Internet and e-mail monitoring and camera surveillance in the workplace. So far, there are only a few cases concerning localisation of employees. However, from these few cases, it can be concluded that the same reasoning will apply as is the case with regard to internet, e-mail and camera surveillance. At the least, the employee has to know that he can be monitored or watched. In a recent case the court considered that monitoring employees with cameras is permitted and that the use of hidden cameras is permitted in certain circumstances on the condition that the employees are informed about this possibility beforehand.
In a recent case the Court considered it to be lawful that an employer compared daily working reports of an employee with the printout of the GPS system. Because of the big discrepancy between these two documents, the employer was allowed to terminate the employment contract. In another case, a GPS provider had to disclose GPS data from a car that had been involved in an accident to enable the police to verify the speed of the car at the moment of the crash. However interesting, this case was not specifically related to a private relationship.
In general, the problem remains that article 11.5a (3) of the Telecommunications Act requires necessity of the processing of location data to provide a value added service. In the case of mere monitoring of employees, there is in fact no value added service, so in general this way of monitoring is prohibited, unless there is prior informed consent of the individual data subject (11.5a (1) DTA). To obtain prior informed consent of each data subject individually might be difficult. For larger companies, a remedy for this problem is offered in the Dutch Works Council Act. According to article 27 of this Act, the employer needs the works council’s consent when he intends to implement, alter or withdraw rules on the processing of employees’ personal data. However, the fact that certain employees or the Works Council have agreed with (camera) surveillance does not imply that the surveillance cannot be unlawful against employees. It can only be an indication that the employer has a justified interest in the surveillance. In addition, it should be noted that the agreement of the Works Council does not replace the individual consent of the employees.
The starting point above was that the location data had to be obtained from a third party, the provider. However, it is also possible that data are generated by internal systems which are directly accessible to employers. Examples in this context are access verification systems based on RFID or biometrics, or chip card systems for internal use.
If the employer has immediate access to location data, the question arises whether the use of these data is allowed and, if so, under which circumstances. In general the same rules apply as to the data collected by third parties. The use of data, directly available or not, implies processing of these data. That means that there has to be a legitimate ground for the processing, as set out above.
In the Netherlands there is an obligation to register data processing with the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, hereinafter: CBP) or with a special privacy officer for an organisation or branch. In general, this also applies to data of employees. However, some standard processing is excluded from this obligation. Most personnel and salary administrations and some employee monitoring systems fall into the exclusion. The Exemptions Decree (Vrijstellingsbesluit) gives the situations and requirements for the exemption. Only if all requirements are met is processing exempted from the duty to register. The decision whether or not to register lies with the employer himself, in accordance with the Works Council. However, the Dutch Data Protection Authority supervises the system of registration.
As mentioned in the general legal chapter, it is questionable whether internal systems, which are directly accessible to employers without the involvement of a third party, fall within the scope of Directive 2002/58/EC, as these systems may not qualify as ‘public’. In the Netherlands the requirement of ‘public’ has been implemented into the Telecommunications Act, meaning that also in the Dutch legal system articles 11.5 and 11.5a DTA do not apply to non-public communications networks and services. As the term ‘public’ is not defined, it is unclear which communication techniques fall within the scope of these articles.
Some branches have adopted Codes of Conduct with regard to processing of personal data. Companies with their activities in one of these branches can be subject to these Codes of Conduct. These codes can contain specific clauses regarding the processing of personal data of employees.
With regard to location data and GPS, the Dutch government proposed a legal obligation for tracking and tracing of transport of fertilizers in the Meststoffenwet (Fertilizations Act). For the sake of environmental protection the proposed system would allow monitoring of amounts and volumes of fertilizers that are transported. The CBP has stated that there was no discussion that the execution and enforcement of the Fertilizers Act, and the orders in pursuance of the Act, concerned for a substantial part the processing of personal data, and, thus, the PDPA should be applied.
The CBP concluded that the use of a GPS system to track fertilizers transport leads to a detailed administration which will be used to check the transports and volumes. However, these data are connected to natural persons. In this respect, the proposed obligations imply an infringement of the personal privacy for which the necessity has not been clarified properly.
In 2006, the Minister of Agriculture, Nature and Quality of Food decided in the evaluation of the Fertilizations Act that he would make an exception to the obligation for GPS monitoring. However, this decision was based on economic considerations; the costs of implementing the systems were too high, so it was difficult for the Netherlands to compete with other countries.
However, it can be concluded that if tracking and tracing of transports with GPS raises privacy concerns with the CBP, tracking and tracing of persons as such (e.g. employees) will certainly raise major concerns.
Another technology worth mentioning is Bluetooth. In the Netherlands there have been some uses of Bluetooth for advertisement purposes. Some companies used Bluetooth to send promotional messages and movies to passers-by. People who had the Bluetooth function on their cell phone turned on received the messages. There is discussion whether this type of advertising can be considered to be spam. In the Netherlands, the OPTA (Independent Mail and Telecommunications Authority) has to enforce the spam prohibition and to supervise the telecommunications sector. This means that, with regard to telecommunications, two authorities in the Netherlands, CBP and OPTA, are involved in supervising the processing of data.
In this discussion, too, the definition of public telecommunications networks is important. For now, the OPTA considered advertisements transmitted through Bluetooth not to fall within the scope of the definition of spam, because the messages were sent to anyone who passed by, regardless of them being a subscriber to the service or not. However, they call on all people who received unsolicited messages to complain.
A quite similar discussion applies to WiFi. WiFi can be considered to be an electronic communications network and an electronic communications service. However, questions arise in relation to the term ‘public’. The WiFi technology in fact provides only a connection, as a mere transfer point, between a service provider and a user. It is only the technology of a wireless connection. The public service lies not in this system, but with the original service provider, such as an ISP. As a result, the WiFi services are not subject to the Telecommunications Act and its related obligations, such as registration with the OPTA and wiretapping facilities. These obligations apply to the fixed service provider. However, it is not as clear as it seems to be. The boundary between a public and a non-public electronic communications network lies in the access to the network, not in the service behind it. If the provider of a WiFi network requires registration of its users and works with login codes, the service is not public; not every passer-by can use the network. This implies that a service which is immediately accessible, without registration, should be considered to be public. In this respect, WiFi might be subject to the Telecommunications Act, depending on the circumstances.
With regard to RFID there is also discussion in the Netherlands. Similar to WiFi it can be argued that the Telecommunications Act does not apply, because of the absence of subscribers. In general, individual companies will use RFID for several purposes and the consumer, confronted with RFID, is the ‘subject’ and does not use the technology actively.
However, the CBP takes a different approach to RFID. In a report completely devoted to the RFID technology it states that it cannot be judged yet if the existing legal framework for the protection of privacy is sufficient for the risks of RFID technology. The rules only apply if the data concerned can be labelled personal data, which depends on the use of RFID. Depending on the circumstances this use might imply processing of personal data.