D11.6: Survey on Mobile Identity

The legal framework for LBS in Europe IN CONCLUSION

In conclusion

The conclusion of this report is that the legal framework for processing location data generated in positioning systems, including LBS, is very complex indeed. With three European Directives that partially overlap, using not mutually exclusive definitions of personal data, traffic data, and location data, it is a Herculean task to determine which legal provisions apply when LBS providers process location data. The Venn diagram in (see section ) showing seven possible combinations of data, often divided in two parts, illustrates this. Likewise, it is not easy to pinpoint the exact conditions under which private parties like employers and public parties like law-enforcement authorities can have access to location data. The picture is compounded by the fact that there exists a wide variety of positioning systems and LBS applications based on diverging technologies, which from a legal point of view cannot be easily categorised under the legal definitions.

Apart from the difficulties arising from the sheer complexity of the legal framework, there are also problems with respect to unclear definitions and unresolved legal questions. Major open questions are whether location data generated by mobile phones in stand-by mode qualify as traffic data, and what is meant by ‘public availability’ of electronic communications networks and services. Also, it is uncertain whether sensor-based systems and chip-card-based payment systems, which can also be used for localisation and monitoring of people, fall inside or outside the scope of the legal framework for electronic communications: the rationale of the directives for these sectors suggests that they are excluded, but the wording of the definitions allows including them within the scope of the directives. Finally, there are also several open questions with respect to the consent that should in certain cases be obtained for processing location data: who exactly should give consent to whom, and how?

The complexity, unclarities, and open legal questions do not occur only at the European level; they exist similarly in the national legal frameworks we have studied. This indicates that national implementations of the European legal framework have not been able to address the problems that occur at the European level and that are compounded by the development of new location-based serviced and positioning systems. 

Another conclusion that can be drawn from this study is that law enforcement authorities have a vast range of possibilities to access and process location data, the scope of which is significantly widened through the recent requirements for traffic data retention, which include location data of mobile phones. Moreover, the lack of specific rules in employment relationships and the lack of applicability of the existing legal framework to private localisation systems, imply that employers have a substantial capacity and authority to monitor the whereabouts of their employees, which are hardly off-set by checks and balances to protect the privacy of employees. As a result, the legal framework for processing location data by public and private parties allows much scope for these parties to infringe the privacy of citizens and employees. With the increasing pervasiveness and accuracy of positioning devices, vast amounts of precise location data are being generated and stored. The fast growth in sophisticated location techniques together with the wide legal scope for processing the resulting location data pose a significant threat to the privacy of European citizens.  

Given these conclusions, a first recommendation to be made is that the European legislator investigate whether the European legal framework for positioning systems and LBS can be simplified. Should this turn out to be infeasible in the short term, the European legislator should at least provide more clarity regarding the applicability of the various legal provisions in Directive 2002/58/EC to the various forms of positioning systems and LBS. This clarification should not only cover a schematic overview of which provisions apply to which type of location systems, but also resolve current unclarities and answer open questions. In particular, it should be resolved whether ‘standby’ location data are traffic data, which LBS systems are ‘publicly available’ electronic communications systems, whether sensor-based and chip-card-based systems involve electronic communications, and how consent should be given in the context of location systems.

A second recommendation is that a reassessment of the privacy protection mechanisms in the legal framework for accessing personal location data by public and private parties is warranted. The technical possibilities to generate and store location data imply that the movement of European citizens and employees can be monitored accurately and pervasively, and these possibilities are likely to increase further in the near future. Such pervasive monitoring of citizens’ whereabouts will seriously impact their privacy, and perhaps more checks and balances need to be installed in order to off-set this increasing privacy intrusion.  

In conclusion, in view of the fast development of location systems and new communication technologies, a reassessment and clarification of the European legal framework for processing location data is urgently needed, both to adequately protect citizens’ privacy and to foster the development of location-based services in Europe.  

10 References 

Asscher L. F. 2004. Regulating Spam: Directive 2002/58 and Beyond (May 1, 2004), (available at SSRN: <http://ssrn.com/abstract=607183 or DOI: 10.2139/ssrn.607183>). 

Béraldin C. 2007. La mesure de surveillance électronique en Belgique : processus d’institutiionnalisation du dispositif, in Justice et Technologies : Surveillances électronique en Europe, eds. Froment J.-C and Kaluszynski, PUG, 2007, p.117-127. 

Beugelsdijk R. 2006. RFID; Veelbelovend of onverantwoord?, CBP oktober 2006. 

Boulanger M.-H., Lacoste A-C & Louveaux S. 2003. La surveillance électronique des employés, Revue Ubiquité – Droit des technologies de l’information, n°15/2003. 

De Jong J.D.C. 2005. Een juridische blik op WiFi, Wetenschapswinkel Rechten, Universiteit van Utrecht 2005. 

ECP.nl 2005. Privacyrechtelijke aspecten van RFID, report mei 2005. 

Hallaschka F. & Jandt S. 2006. Standortbezogene Dienste im Unternehmen, Multimedia & Recht, 7/2006, p. 436–441. 

Hildebrandt, M. and Meints, M. (2006). D7.7: RFID, Profiling, and AmI, Deliverable. (available at <http://www.fidis.net/fidis-del/period-3-20062007>).

Jandt S. 2007. Datenschutz bei Location Based Services – Voraussetzungen und Grenzen der rechtmäßigen Verwendung von Positionsdaten, Multimedia & Recht, 2/2007, p. 74 – 78.

Grasse D. 2006. Proteccion de los datos personales y geolocalizacion, datospersonales.org, n°21, 3 May 2006. 

Hendrickx F. 2005. Privacy and Data Protection in the Workplace: The Netherlands, in: Nouwt S., DeVries B.R. & Prins C. (Eds.), Reasonable Expectations of Privacy? Eleven Country Reports on Camera Surveillance and Workplace Privacy, The Hague: TMC Asser Press 2005. 

Kölmel B.2002. Location Based Services: Wünsche und Realität, 2002. (available at <http://www.e-lba.com/YellowMap%20LBS%20Wuensche%20und%20Realit%C3%A4t.pdf>).  

Kaspersen H.W.K. 2002. Data protection and e-commerce, in: Lodder A.R. & Kaspersen H.W.K. (Eds.), eDirectives: Guide to European Union Law on E-Commerce, The Hague/London/New York: Kluwer Law International 2002, p. 119-145. 

Koevoets M.M. 2006. Wangedrag van werknemers; De bevoegdheid van werkgevers tot opsporing en sanctionering, dissertation, Den Haag: Boom Juridische Uitgevers 2006. 

Koops B.J. et al. 2005. Aftapbaarheid van Telecommunicatie. Een evaluatie van hoofdstuk 13 Telecommunicatiewet, november 2005.

Mallié C. 2007. La mesure de surveillance électroniques en Belgique, in Justice et Technologies : Surveillances électronique en Europe, eds. Froment J.-C and Kaluszynski, PUG, 2007, p.107-116.

Martucci L. et al. 2006. Trusted Server Model for Privacy-Enhanced Location Based Services. In: Proceedings of the 11th Nordic Workshop on Secure IT Systems 19-20 October 2006, Linköping Sweden, 2006, pp. 13-25. 

Moreno O. 2005. La géolocalisation des travailleurs, DroitBelge.net, Actualité, 22 December 2005. 

Nassary Zadeh, L. (2007) (forthcoming). D11.2: Location based services (available at <http://www.fidis.net/fidis-del/period-3-20062007>).

Ohlenburg A. 2004. Der neue Telekommunikationsdatenschutz – Eine Darstellung von Teil 7 Abschnitt 2 TKG, Mutimedia und Recht 7/2004, p. 431–440. 

Renette S. & De Bot D. 2006. Employee, where are thou? De Belgische wet van 13 juni 2005 betreffende de elektronische communicatie en haar gevolgen voor door een werkgever aangewende geolokalisatiesystemen. Privacy & Informatie

Rijckaert O. 2005. Surveillance des travailleurs : Nouveaux procédés, multiples contraintes, Droit et nouvelles Technologies, 26 April 2005. 

Smits D., Exit-route via GPS?, 23 oktober 2006. (available at: <http://www.expertlog.nl/2006/10/
exitroute_via_g.html>).

Terstegge J.H.J. (CBP) 2002. Goed werken in netwerken, Achtergrondstudies en verkenningen 21, Den Haag, april 2002, (available at: <http://www.cbpweb.nl/downloads_av/av21.pdf?refer=true&theme=purple>).

Terstegge J., Zijn uw systemen WBP-proof?, available at: <http://home.planet.nl/~privacy1/wbpproof.htm>. 

Tinnefeld M-T., Ehmann E. & Gerling R.W. 2005. Einführung in das Datenschutzrecht, Munich, 2005. 

Van der Hof S. et al 2006. Openbaarheid in het Internettijdperk. De invloed van ICT op juridische concepten van openbaarheid, Den Haag: Sdu Uitgevers 2006. 

Veldhuijzen A. 2006. Autocomputer is ook bewijs, 20 oktober 2006, (available at: <http://www.ad.nl/autowereld/article730043.ece>). 

White J. C., People not places. A policy framework for Analyzing Location Privacy Issues, (available at: <http://www.epic.org/privacy/location/jwhitelocationprivacy.pdf>). 

WODC 2005. Geboeid door de enkelband, Evaluatie pilot Elektronische Detentie, Nijmegen: ITS, 2005. 

Working Party 29 2001. Opinion 8/2001 on the processing of personal data in the employment context, WP 48. 

Working Party 29 2005. Opinion on the use of location data with a view to providing value-added services, 2130/95/EN, WP 115, November 2005. 

Working Party 29 2006. Work Programme 2006-2007, document nr. 00744/06/EN, WP 120. 

Working Party 29 2006. Opinion 8/2006 on the review of the regulatory Framework for Electronic Communications and Services, with focus on the ePrivacy Directive. Adopted on 26th September 2006, 1611/06/EN WP 126. 

11 Abbreviations & Glossary 

Abbreviations 

ATM        Automated Teller Machine

BfDIBundesbeauftragte für den Datenschutz und die Informationsfreiheit (German Federal Data Protection Commissioner)

CBPCollege Bescherming Persoonsgegevens (Dutch Data Protection Authority)

CCC        Council of Europe Convention on Cybercrime

CCTV        Closed-Circuit Television

CDMA        Code Division Multiple Access

CNILCommission Nationale de l’Informatique et des Libertés (French Data Protection Authority)

DCCP Wetboek van Strafvordering)

DTATelecommunicatiewet)

ECHR        European Convention on Human Rights and Fundamental Freedoms

ECtHR        European Court of Human Rights

GPS        Global Positioning System

GPRS        General Packet Radio Service

GSMGroupe Spécial Mobile)

IBBT        Intitute for Broadband Technology (Flanders)

ICAO        International Civil Aviation Organization

ISMS        Information Security Management System

IT        Information Technology

JOJournal Officiel (French Official Journal)

LBS        Location Based Service

MM        Manufacturing Management

MO        Mobile Operator

MRTD        Machine Readable Travel Document

OECD        Organisation for Economic Co-operation and Development

OPTAOnafhankelijke Post en Telecommunicatie Autoriteit (Dutch Independent Mail and Telecommunications Authority)

PDA        Personal Digital Assistant

PDPADutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens)

RFID        Radio Frequency Identification

SCM        Supply Chain Management

SMS        Short Message Service

TKGTelekommunikationsgesetz (German Telecommunications Act)

TMGTelemediengesetz (German Telemedia Act)

UMTS        Universal Mobile Telecommunications System

WAP        Wireless Application Protocol

WiFi        Wireless Fidelity

Glossary 

A-GPS    Assisted GPS: Based on GPS, this technology uses an assistance server to cut down the time needed to determine a location.

Bluetooth    An industrial specification for wireless personal area networks (PANs). Bluetooth provides a way to connect and exchange information between devices such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles over a secure, globally unlicensed short-range radio frequency.(source: Wikipedia)

Cell-ID    An identification code sent by GSM masts when transmitting to a mobile device. Each mast has it’s own ID.

E-OTD    Enhanced Observed Time Difference: Measures the time of arrival of a base station signal on the handset.

IMSI-Catcher    A device for intercepting the IMSI number of GSM mobile phones.

IP-address    Internet Protocol address. Unique number for each personal computer, comparable with a telephone number.

ISMS    (Information Security Management System) Management system used to ensure the appropriateness, security and adequate use of information.

push serviceA service that is triggered on demand of the user. The term originated from the domain of marketing.

pull serviceA service that is provided automatically without user interaction. The term originated from the domain of marketing.

traffic data    Electronic-communications traffic data, i.e., data about who telecommunicated with whom when, how long, and where.