Does collecting user geolocation require consent?December 5, 2017byJulie Tamba
Collecting geolocation is a tricky topic in data privacy regulations.
As of today, consent is not necessarily required by law. The ePrivacy Directive, on the first hand, requires consent for use of location data yet this obligation is only binding upon public electronic communication services and networks (telecom operators). The General Data Protection Regulation, on the other hand, specifies that use of personal data (including location data) may be based upon different grounds among which one may find consent but also the performance of a contract with the person or the legitimate interest of the recipient of the data.
In that regard, guidelines of the Article 29 Working Party (published in 2011 but still relevant) have indicated that “because location data from smart mobile devices reveal intimate details about the private life of their owner, the main applicable legitimate ground is prior informed consent“. Yet certain exceptions exist under which legitimate interest may be sufficient, for example, locations of WiFi access points for the specific purpose of offering geolocation services. If the data is not precise enough to indicate the specific geographic position of the terminal equipment of an individual (for example when the IP address is used to determine the country for statistics or to select a language or applicable legislation for a given individual), it would most likely not require consent: this interpretation may be elaborated on a decision of the French Data Protection Authority which mentioned in relation to audience measuring cookies that consent is not required when the IP address is not more precise than the city and immediately deleted after purpose is accomplished.
Now, will the adoption of the ePrivacy Regulation (whose scope will extend far beyond telecom operators to information society service providers) change this state of facts? The last version of the proposal released in October contains various provisions which may prove relevant and complexify the regime of location data.
First situation: electronic communications services providers
Location data such as IP address, GPS, Wifi or GSM signal belongs to the “metadata” category when it is necessary for the purpose of providing electronic communications services i.e. services encompassing an internet access service (e.g. an ISP) and/or an interpersonal communications service (e.g. WhatsApp) and/or a service consisting wholly or mainly in the conveyance of the signals (e.g. a mobile payment solution) and/or access to a publicly available electronic communications network (e.g. telephony). It may, therefore, be put forward that such qualification relates to the status of electronic communications services provider of the entity collecting the data.
Under article 6 §1 and §2 of this document, such metadata can only be used if necessary (i) to achieve the transmission of the communication, (ii) to maintain or restore the availability, integrity, confidentiality and security of the respective electronic communications network or services, or to detect technical faults and/or errors in the transmission of electronic communications, (iii) to meet mandatory quality of service requirements, (iv) for billing, determining interconnection payments, detecting or stopping fraudulent use of, or subscription to, electronic communications services.
If none of these exceptions apply, consent of the concerned individual is required. In principle, such metadata must be erased or made anonymous when it is no longer necessary for the provision of the service requested by the individual “without prejudice” however of points (ii) and (iii) and of a consent of the individual to the contrary.
Second situation: other actors collecting data emitted for a communication
When it is not necessary for the purpose of providing electronic communications services, location data may fall under the scope of article 8 §2 which concerns information emitted by terminal equipment to enable it to connect to another device and, or to network equipment. Here the qualification does not relate to the entity collecting the data but ensues from the context of emission of the data.
It must be underlined that in the initial version of the Commission dated January 2017, such data could be used provided a clear and prominent information notice was displayed. The Article 29 Working Party noted that this provision “gives the impression that organizations may collect information emitted by terminal equipment to track the physical movements of individuals (such as “WiFi-tracking” or “Bluetooth-tracking”) without the consent of the individual concerned” and recommended that this possibility should be restricted. Now the last version imposes that (i) data is used for the sole purpose of establishing a connection requested by the individual or (ii) the risks should be mitigated and that use of such data should be limited to mere statistical counting.
Outside of this scope, consent of the concerned individual is required.
Third situation: data collected from a device in the absence of a communication
Finally, if it is neither necessary for the purpose of providing electronic communications services nor emitted by the device to connect to another equipment, the same location data may still be governed by article 8 §1 which concerns any collection of information from end-users’ terminal equipment. In such case, data may be used if strictly necessary (i) to carry out the transmission of an electronic communication, (ii) for providing an information society service specifically requested by the individual, (iii) for measuring the reach of an information society service requested by the individual, only by or on behalf of the provider of said service, (iv) for software updates relating to security, confidentiality, integrity, availability and authenticity, and (v) for the execution of an employee’s task.
Again, if none of these exceptions apply, consent of the concerned individual is required.
The above can be summarized as follows: consent is and will remain the main rule for geolocation… Except under certain circumstances to be further specified by the EU and Data Protection Authorities.
To properly obtain a consent, mandatory information must be provided and a clear and positive action must be realized by the concerned person. The guidelines of the Article 29 Working Party, however, specified that when services require automatic location, requesting the relevant service would amount to consenting to be located provided individuals are given full information in advance about the processing of their location data. As always, information of individuals is the key to compliance.