D11.6: Survey on Mobile Identity
This deliverable provides the results of an explorative survey on the
control model for identity related data in location-based services (LBS)
presented in FIDIS deliverable D11.2.
The survey was performed to explore the influence of LBS characteristics (pull
vs. push based, indirect vs. direct profile creation) on the perceived amount of
control participants have over the disclosure of their identity.
Four scenarios, each reflecting a different aspect of the control model, were
designed and tested.
The European legal framework
From the fourth chapter it becomes clear that the current legal framework regarding the processing of (personal) location and traffic data is very complex, leading to the conclusion that protection of privacy might not be as thorough as it should be.
The main difficulty regarding the European legal framework concerning location data lies with the legal definition and qualification of different groups of data, the overlap that exists between these groups, and the different legal regimes applicable to the different groups of data. The rules regarding the processing of personal data as laid down in Directive 95/46/EC are particularised and complemented with the rules regarding location data and traffic data as laid down in Directive 2002/58/EC. This leaves room for all kinds of combinations between personal, location and traffic data. The different directives lay down different regimes for the processing of the different kinds of data. They are addressed to different parties; they differ in scope; and they contain obscurities with regard to certain definitions. Therefore, it is fair to say that a very complex legal framework for the processing of (personal) location and traffic data is created. Even though the Article 29 Working Party tries to clarify certain issues regarding this complex legal system, important questions still remain. Moreover, it is sometimes questionable whether the opinions of the Article 29 Group are correct, especially in view of the current technological possibilities. For example, with regard to the relation between location data and personal data, the Group claims: “Since location data always relate to an identified or identifiable natural person, they are subject to the provisions on the protection of personal data laid down in Directive 95/46/EC”. We consider this too sweeping a statement, since ‘location data’ in the sense of Directive 2002/58/EC (i.e., indicating the location of a user’s terminal equipment) can relate to objects that are not linkable to individual natural persons.
The picture described above becomes even more complicated when assessing whether certain kinds of technologies used to process (personal) location and traffic data fit the definitions of communication services and communication networks as laid down in Directive 2002/58/EC. From the definitions used within this directive it becomes clear that applicability of the rules is to a large extent technology-dependent.
Whether or not certain data are to be qualified as traffic data mainly depends on the question what is to be understood by communication and electronic communications network as defined in article 2 of Directive 2002/21/EC. Besides the definition of electronic communications network, for the qualification of location data the requirement of public availability of the electronic communications service is also of importance. A definition of what is to be considered a communication is given in article 2 (d) of Directive 2002/58/EC. These definitions determine whether the data generated by the various technologies identified in the general technical chapter can be considered traffic and/or location data.
The reason why it is important to be able to determine what data are being processed, relates to the differences that exist with regard to the circumstances under which processing is allowed from a legal perspective. With regard to traffic data the articles 5 and 6 of Directive 2002/58/EC are relevant, prescribing confidentiality, erasure and anonymisation. For location data, other than traffic data, article 9 of Directive 2002/58/EC states that these data may only be processed if the data are made anonymous, or with the consent of the users or subscribers.
The general rules as laid down in Directive 95/46/EC apply to location and traffic data when these data also qualify as personal data. One of the main differences between Directive 95/46/EC and Directive 2002/58/EC relates to the grounds on which processing is allowed. Article 7 of the general Data Protection Directive provides several grounds for the legal processing of personal data. The specific privacy directive only allows processing of location data, and the processing of traffic data for marketing electronic communications services or for the provision of value added services, on the basis of consent.
In principle, the sectoral E-Privacy Directive takes precedence over the general Data Protection Directive. However, the general Directive supplements the protection of traffic and location data when they are not covered by specific provisions in the sectoral Directive. The picture is compounded by the fact that the E-Privacy Directive provisions only apply to public communications. Articles 5, 6 and 9 of Directive 2002/58/EC do not cover traffic and location data generated by private networks or in private services. However, if the data can be qualified as personal data and relates to natural persons, the general Data Protection Directive applies.
This demonstrates that many questions need to be answered before it can be determined what kind of legal regime is applicable to the processing of (personal) location or traffic data:
- Are the data to be processed ‘personal data’? (see art. 2(a) of Directive 95/46/EC)
- Are the data to be processed ‘traffic data’? (see art. 2(b) of Directive 2002/58/EC)
- Are the data to be processed ‘location data’? (see art. 2(c) of Directive 2002/58/EC)
- Do the data relate to users or subscribers of public communications networks or publicly available electronic communications services? (see art. 6 and 9 of Directive 2002/58/EC and art. 2 (a), (c) and (d) of Directive 2002/21/EC)
- Is one of the exceptions applicable? (see article 13 of Directive 95/46/EC and article 15 of Directive 2002/58/EC)
In this respect, without being exhaustive, some remaining questions will be described that are illustrative for the complexity of the legal framework and the problems this creates for its practical applicability. In our view, these issues should definitely be clarified at a European level in order to create a legal framework that provides sufficient guarantees for the protection of human rights in the case of the provision of LBS.
First, it is not certain whether location data of a mobile phone in stand-by mode also need to be considered traffic data, as it is not clear whether they can be considered to be processed ‘for the purpose of the conveyance of a communication’ as is required by the definition of traffic data as laid down in article 2(b) of Directive 2002/58/EC. In stand-by mode the phone does not process the location data for the purpose of conveying a specific communication; it may well happen that there will be no communication at all. The categorisation of ‘stand-by’ location data is therefore a fairly open issue that Member States have to decide upon when implementing the directive. As the European Legal Framework does not provide guidelines in this respect, Member States might take a different approach towards these kinds of location data.
A second problem relates to the criterion of ‘public availability’. Satellite-based positioning systems and cell-based mobile communication networks in general will be public, in the sense that they are available to the public at large. However, from a technical perspective it is possible, and in view of specific electronic communication services probably already effective, to restrict the access to these networks and services to such a confined group of users that ‘public availability’ no longer exists, leading to the consequence that Directive 2002/58/EC might no longer be applicable. Also with regard to RFID, WiFi and Bluetooth, a clarification is necessary. As such, these technologies fall within the very wide definition of electronic communications network, since they concern a transmission system to convey signals by electromagnetic means. Often, applications using RFID, WiFi and Bluetooth will also conform to the definition of electronic communications service, if the application can be considered a service. In most cases, these technologies are embedded in some sort of system that can be considered a service, if we go by the general meaning of this term. However, it is questionable whether these technologies need to be perceived as public. On the one hand they are open to everyone who is in their vicinity, but from a geographical perspective the necessity to be in the vicinity of the technical device constitutes a large restriction to the notion of public availability. Whether or not the requirement of public availability will be upheld in the future is questionable, as the Article 29 Working Group has already pointed to the increasing importance of private networks and the desirability to bring these within the scope of the legal framework as well. This is an important issue as such, as it makes it possible to withdraw LBS from the legal framework by using private means of communications.
For example, this can be the case with regard to localisation systems used by large businesses in order to track and trace their employees. Because private systems deployed by the employer probably will not qualify as ‘public’ communication or communications service within a ‘public’ communications network, the E-privacy Directive might not be applicable.
A third problem to be mentioned relates to the difference in rationale and scope of Directive 2002/58/EC, leading to the question whether sensor-based systems and chip-card-based payment systems fall within the scope of the definitions of communication networks and services. In our view, on the basis of the rationale behind Directives 2002/21/EC and 2002/58/EC, as well as the recitals and provisions of these Directives, the conclusion should be that they are not aimed at such systems. The Directives seem to be aimed at intentional communications in which the content of the communication plays an important role. However, an analysis of the definitions of electronic communications networks and services as well as the definition of communication shows that they are very broad in scope, leaving room for application to sensor-based systems and chip-card-based systems.
A final group of problems relates to the obscurities and problems that exist regarding consent as the sole ground for the processing of location data. Not only is it problematic how to give consent (unambiguously? in writing?) and whether it can be given freely (e.g. in the case of a hierarchical relationship), but it is also unclear who should obtain consent from whom. Here, the difference between two- and three-party structures is important, as well as the distinction between user and subscriber to a service.
In a three-party structure, such as Cell-ID, a third party provides a network that generates the location data. The user of a service gives his prior informed consent to the provider of the service. This provider has to receive location data from the network provider. In these situations, consent to use location data in order to provide a value-added service also needs to involve consent to transfer the location data from one provider to the other. However, it is not completely clear within these structures if, and if so who, should obtain consent from users, the persons whose data are in effect being processed by the system. Recital 31 of the E-Privacy Directive does give some insight into this issue, but certainly does not provide a clear answer for each and every situation:
“Whether the consent to be obtained for the processing of personal data with a view to providing a particular value added service should be that of the user or of the subscriber, will depend on the data to be processed and on the type of service to be provided and on whether it is technically, procedurally and contractually possible to distinguish the individual using an electronic communications service from the legal or natural person having subscribed to it.”
On the basis of the definition of consent as laid down in the Data Protection Directive, as well as on the basis of the opinion of the Article 29 Working Group, we are of the opinion that in case of a subscriber using a location based service in order to track and trace users, consent needs to be given by both the subscriber and the user. This should be made explicit within the legal framework. In this respect it is advisable to also clarify the information duties, in the sense that in case a subscriber is using a service to track and trace other users, the duty to inform the user will be on the subscriber.
Directive 2006/24/EC (hereinafter: Data Retention Directive) regulates the mandatory storage of traffic data. The Directive excludes the content of messages from the obligation of data retention. In view of Location Based Services, the data mentioned in article 5 paragraph 1 under (f) are particularly relevant:
“data necessary to identify the location of mobile communication equipment:
(1) the location label (Cell ID) at the start of the communication;
(2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.”
Even though this Directive is introduced to harmonise the obligation of data retention, the margin of discretion left to the Member States is too large to achieve this aim. On the basis of article 6, the required duration of storage is at least six months with a maximum of two years. Another problem is embedded in article 4 which states that data shall only be provided to competent national authorities: “Member States shall adopt measures to ensure that data retained in accordance with this Directive are provided only to the competent national authorities in specific cases and in accordance with national law.” This does not provide guidance for national law on the conditions under which law enforcement agencies can access location data, however.
As described in chapter 4, no specific European legislation exists in view of the processing of data within employment relationships. The general rules as laid down in Directives 95/46/EC and 2002/58/EC are applicable within the boundaries of these directives. However, the Article 29 Working Party has already on several occasions drawn attention to the specific problems that arise with regard to the processing of personal data within employment relationships. One of them is the question as to whether consent by employees to surveillance by employers can be freely given.
Other points of interest raised by the Article 29 Working Party relate to the requirement that processing of location data on employees must correspond to a specific need on the part of the company which is connected to its activity; the fact that the purpose of the processing may not be achievable by less intrusive means; the requirement that equipment should offer the possibility to switch the location function off, as employers should not collect location data relating to an employee outside working hours; the statement that a reasonable retention period should not exceed two months; the requirement that employers should take adequate measures to restrict and secure access to location data; and the issue of properly informing employees about the possibility of being monitored.