D11.6: Survey on Mobile Identity

The legal framework for LBS in Europe IMPLEMENTATION OF THE LEGAL FRAMEWORK WITHIN MEMBER STATES

Implementation of the legal framework within Member States

1. Introduction

From the country chapters it becomes clear that most of the problems described above also exist within the Member States as a result of implementation laws that resemble the European Legal Framework to a large extent. This holds true not only for the general obligations and rights, but also for the exceptions to the general rules. 

Also with regard to the LBS that are provided within the different Member States discussed, it can be concluded that they are very similar in kind. In this respect, mention can be made of services enabling the positioning of a cell-phone in case of an emergency; automatic payment services; traffic and fleet management; direct marketing services; tracking services for children, vehicles and employees; and electronic bracelets for elderly persons and convicted felons. Within Germany and France initiatives of car insurance companies to track and trace their users in order to provide them with an insurance completely suited to their driving habits have encountered concerns from the data protection authority, leading to a prohibition of this system in France. 

1. 1. 1. General legal framework

In all the countries described, the legal framework is implemented within general laws regarding data protection, telecommunications and electronic communications. Some striking issues regarding the implementation will be mentioned in this subsection, without being exhaustive.  

In Germany, besides the Data Protection Act and the Telecommunications Act, also the Telemedia Act (TMG) is of importance. This act concerns telemedia services which are defined as all electronic information or communication services which are not telecommunications services. The content of a LBS is regarded a telemedia service as it exceeds common telecommunications services like voice communication, SMS and provides new, multimedia content. The existence of these two separate laws has as a consequence that content providers in Germany have to comply with the provisions set out in the Telemedia Act, and telecommunications providers must comply with the regulations of the Telecommunications Act. The transmission of location data from the telecommunications service provider (TSP) to the content provider (CP) usually is within the scope of the Telecommunications Act, while the use of location data to provide the LBS is covered by the TMG.  

In the Netherlands, the provisions regarding traffic data and location data are implemented within the Telecommunications Act and resemble the E-privacy Directive to a large extent, with the exception that article 5 is not implemented. The explanatory memorandum of the Dutch Telecommunications Act stipulates in this respect that further research is needed and that the article will not be implemented so far. However, this does not imply that there is no regulation on the confidentiality of communications in the Netherlands. Article 13 of the Dutch Constitution (Grondwet) provides a general right on confidentiality of communications.

In Belgium, the Electronic Communications Act was introduced in 2005. This Act complements the general rules provided by the Data Protection Act. At this moment, two law proposals are pending to adjust the provisions of the Electronic Communications Act in order to solve the specific issues related to Location Based Services.  

In France, all personal data processing should comply with the provisions of the Data Protection Act. However, when location data are originated from a public electronic communications network, supplementary safeguards have been introduced by Article L.34-1 of the Posts and Electronic Communications Code, which transposes Directive 2002/58/EC. French legislation only provides a definition of location data in the context of electronic communications where it means “data allowing the localisation of the user’s terminal equipment”. However, this definition does not specify which kind of data it refers to.

1. 1. 1. Law enforcement and employment relationships

All the Member States discussed have specific rules within their Criminal Proceedings Act regarding the use of and access to location and traffic data by law enforcement authorities. Even though there are differences with regard to the persons who have the authority to use and access location data, as well as regarding the scope of the provisions, in general it is possible for law enforcement to request and access traffic as well as location data in all the countries discussed.  

In general, there are no specific rules for the processing of location and traffic data within private relationships. However, in all the Member States described, the general rules as laid down in the implementation rules do apply to private relationships, such as employment relationships. Moreover, national data protection authorities as well as national courts have given some insights regarding the way in which the processing of (personal) location and traffic data within employment relationships should be dealt with.

In all the Member States, Labour Law provides a specific obligation requiring involvement of the company’s works council or the trade union when technical equipment aiming at monitoring employees is being installed. However, consent of the trade union or the works council cannot be a substitute for the individual, free, specific and informed consent of the employee. 

In France, Labour Law also contains two provisions in respect of protection of employees’ fundamental rights. One concerns the principal of proportionality, the other the principal of transparency. The French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés, CNIL) has issued some general guidelines since the year 2002 regarding the cyber-surveillance of workers, defining the rules which should apply to this specific context. In response to the vast development of the location data processing by employers with purposes of improving the production process or of controlling the working hours, the CNIL issued a series of documents, defining the rights and obligations of controllers.

1. 1. 1. Remaining questions and their national counterparts

As already mentioned, the country chapters show that the questions that remain at the European level regarding the legal framework on the processing of (personal) location and traffic data, also exist to a large extent at the national levels. Due to the obscurities in definitions, the overlap and the scope, it is hard to apply the legal framework in practice, leaving too much room for national legislators, data protection authorities, and national courts to fill in the blanks. Some issues are dealt with at the national level by one of the parties mentioned, while other problems are even worse at the national level because of incorrect or incomplete implementation laws or problematic interpretations of the provisions copied from the directives. 

In all the Member States, the data protection and telecommunications authorities provide clarification with regard to the legal framework for the provision of LBS. This is often on the basis of complaints, as mentioned in the report on France, CNIL is receiving each day more complaints and applications for consultations regarding the processing of location data. However, data protection authorities are free to initiate general opinions on their own authority. Again reference can be made to the country chapter on France to illustrate another problem in this respect, namely the non binding character of the opinions of Data Protection Authorities and the uncertainty this leaves from the perspective of legal certainty. For example in France the approval of the Act for the fight against terrorism has shown that the opinion of the CNIL was not always followed and some provisions of the law relative to the systems of surveillance considered harmful by the CNIL, have been validated by the Constitutional Council anyway.

In the Netherlands, it might even be harder to clarify the implemented rules, because two authorities mingle in the discussion regarding the provision of LBS: On the one hand the Data Protection Authority (CBP) and on the other hand the authority supervising the Telecommunications Act (OPTA). From their different perspectives and aims, it could be that conflicting interests would lead to conflicting legal interpretations. Therefore it is of the utmost importance that these protection authorities consult each other. 

1. 1. 1. Some illustrative examples

National interpretations and solutions can not only be problematic at the national level, but can also cause discrepancies between the Member States which can be harmful in view of cross border provision of Location Based Services and cross border protection of fundamental rights such as privacy. In this respect, as an illustration and example, some differences within the described Member States will be shortly mentioned.  

In Germany problems can arise regarding consent. As a general rule, the Data Protection Act requires a written consent of the data subject, while the Telecommunications Act lays down a specific provision for consent by electronic means. Consent to use location data that is not anonymized can in Germany only be given by the subscriber. The subscriber shall inform his co-users of all such given consent. This regulation contradicts Art. 6 paragraph 3 and Art. 9 paragraph 1 of Directive 2002/58/EC that require consent of subscribers and users. Reasons given for this derogation of Directive 2002/58/EC are telecommunications service providers’ lack of awareness of users other than the subscriber and impossibility to link location data to other individuals than the subscriber whose customer data was collected upon subscription.  

In France, Article L.34-1.IV of the Post and Electronic Communication Code can be mentioned. This article acknowledges a specific right to the user of the service, when he is a different person from the subscriber, to suspend the consent given by the subscriber, i.e. to deactivate the localisation device. However, even if the service provider should rely on the previous consent of the subscriber, it is not compelled by the legislation to obtain the previous consent of the user as well.  

One of the Belgian Law Proposals tries to solve the issue of who should consent to whom, by obliging the operator of a mobile network to inform, before the subscription to the service, both the subscriber and the user, when they are different persons. It is also intended to compel the operator to obtain the consent of both the subscriber and the user.  

Another problem area that remains at the national level relates to the restriction of applicability of the legal framework to public parties and networks of communications. In Germany, the Telecommuncations Act and the Telemedia Act apply only to generating and use of location data by telecommunications service provider and telemedia service providers. If a private party wants to generate or use location data of a third party, a statutory basis is required. As no specific law applies the regulations of the Federal Data Protection Act must be complied with.

In France, the same problem exists as the examples of the use of e-tickets in Public Transport; the taking of automatic pictures of cars when their drivers infringe the Traffic Code; and the use of e-bracelets for offenders show. None of these examples imply the use of a public network of communications and thus Art. L.34.1 of the Code of Posts and Electronic Communications will not be applicable. However, as most of the location data processing by private parties is taking place in the field of public electronic communications networks through the use of Location Based Services. These processing will thus fall under the provisions of both the Code of Posts and Electronic communications and the Data Protection Act. 

The lack of clarity concerning certain definitions such as public communications networks and services makes it hard to apply the rules to specific techniques, as it is not always clear whether these techniques are, or are not covered by the legal rules. In the Netherlands several discussions have arisen, for example regarding the question whether RFID and WiFi fall within the scope of the Telecommunications Act. Because of the absence of subscribers to these systems, it is argued that they do not.

Illustrative in this respect is the opinion of OPTA that considered advertisements transmitted through Bluetooth not to fall within the scope of the definition of spam, because the messages were sent to anyone who passed by, regardless of them being a subscriber to the service or not. However, this might not be the explanation OPTA prefers, as they call on all people who received unsolicited messages to complain. 

1. 1. 1. Data retention

With regard to data retention the different Member States have made a different use of the large margin of appreciation offered by Directive 2006/24/EC. Germany has chosen to introduce the shortest retention period possible and will require six-month retention of traffic data. In Belgium a decree still needs to be issued that will specify the data to be retained; the conditions under which providers will need to register and retain the data; as well as the exact retention period. In the Netherlands a draft Bill to implement Directive 2006/24/EC was published in January 2007. Art. 13.4 of the Telecommunications Act will be extended to require all telecommunication providers to store the traffic data as designated in an Order in Council for a period of 18 months. Not only the location of the cell of origin and the cell of receipt of mobile telecommunications are included, but also the location of any other cell during the communication. The draft Bill has triggered critical reactions not only by the telecommunications industry, but also by the Dutch Data Protection Authority. 

In France, three different retention periods, all related to different purposes of retention, are provided for in the Code of the Posts and Electronic Communications. The broad and vague terms used by the legislator compel the Telecommunications Operator to retain a large amount of data, which has been highly criticised by the CNIL.