Location based services: “keeping track” of the regulatory developments 20 June 2011 Prof.dr. Kees Stuurman Tilburg Institute for Law, Technology and Society (TILT) / Van Doorne attorneys Amsterdam c.stuurman@uvt



Contents

• Location based data and technologies

• The current EU regulatory framework, LBS and personal data; the Opinion of the Article 29 Working Group

• Some US developments

• Future outlook, challenges and possible results

• Final remarks


Location based data

• ‘Location based services’ (LBS): threat or menace?

• Navigation systems, vehicle tracking, parcel tracking, coupons/advertising, ‘buddy finder’ (…)

• ‘Geoslavery’ (Dobson/Fisher, 2003): “Society must contemplate a new form of slavery, characterized by location control”

• Development of LBS requires a level playing field for the industry as well as an adequate protection of its users

• How are we doing so far? Focus: data protection


Data and technologies?

• LBS is based on different technologies

• GPS, RFID, WiFi, GSM, UMTS, sensor based systems, (…)

• Various data streams:

– mobile/static device sensor

– sensors back end systems

– back end systems applications

– (…)


Current EU regulatory framework

• LBS and data protection

• European Union:

– Directive 95/46/EC (the Data Protection Directive)

– Directive 2002/58/EC (the E-Privacy Directive)

– Directive 2009/136/EC (“the EU Cookie Directive”)

– Various opinions of the Article 29 Data Protection Working Party, in particular: “Opinion 13/2011 on Geolocation services on smart mobile devices” (16 May 2011)


Personal data

• Location data = “personal data”?

• EC Directive 95/46 (Art. 2):

“Personal data shall mean any information relating to an identified or identifiable natural person (“data subject”)”

• Can location data from smart mobile devices be considered ‘personal data’?

• Article 29 Data Protection Working Party. Opinion 13/2011 on Geolocation services on smart mobile phones (16 May 2011)


Art. 29 Working Group (1)

• Scope of the Opinion:

– Focus on three main infrastructures: GPS, GSM base stations and WiFi

– Not:

• toll systems for cars, satellite navigation systems, geolocations of IP addresses;

• social networks

• geolocation services based on technologies for interconnecting in small areas (e.g. RFID, Bluetooth)

– Findings may however be equally relevant


Art. 29 Working Group (2)

• Privacy risks:

– “A smart mobile device is very intimately linked to a specific individual” (identifiable link)

– This allows for gaining an intimate overview of the habits of the owner and building extensive profiles

– The data collected could include ‘sensitive’ data (health, religion, political views, sex life, ...)

– The technology allows for constant monitoring of location data


Art. 29 Working Group (3)

• Even when location data are made available intentionally, very significant risks might arise (burglary, physical aggression, stalking, ...)

• Main findings of the Art. 29 Working Group:

“Location data from smart mobile devices are ‘personal data’”

• But also: the combination of a MAC address of a WiFi access point with its calculated location should be treated as ‘personal data’


Art. 29 Working Group (4)

• Legitimate grounds for processing of location data:

– Smart mobile devices: prior consent (freely given, specific, informed data subject)

– Mandatory acceptance of T&C’s or opt-out is inadequate

– The device should continuously warn that geolocation is ‘on’


Art. 29 Working Group (5)

• Other aspects:

– Adequate information with regard to key elements (purpose, rights, identity of the data controller, ...) (art. 10 Data Protection Directive)

– Data subject rights (access, update, rectify, erase)

– Retention period (no longer than necessary for the purposes of collection and further processing)


The European regulatory framework

• Directives 95/46/EC, 2002/58/EC and 2009/136/EC

• “a complex patchwork of legal rules applies to the provision of LBS” (Koops/Cuijpers, 2008)

• Distinctions to be made include:

– “personal data” (Privacy Directive)

– “traffic data” (E-Privacy Directive)

– “location data” (E-Privacy Directive)

• Seven types of data can be distinguished (…)

• Regulatory framework should be further developed


US Developments

• The United States:

– Recent Congressional hearings. Issues include whether Apple’s and Google’s applications running on their mobile platforms are compliant with the Children's Online Privacy Protection Act (COPPA)

– Current situation is a patchwork of state regulation and industry self-regulation

– Upcoming FCC/FTC educational forum on June 28, 2011 to help consumers understand the privacy implications of location-based services.

– Impact of the proposed new federal privacy law


Future outlook

• Current location based services primarily based on tracking of mobile devices

• Future developments:

– ambient intelligence/“internet of things”

– the use of any networked device could generate location data

• Reversed paradigm: which data will not qualify as ‘personal data’?


Possible solutions

• LBS creates a number of legal challenges

• “Geo slavery” ahead?

• Location data much more “sensitive” than perceived by some of the stakeholders

• LBS: balance between benefits and (privacy) threats?

• No “quick fix” for the current legal challenges


Final Remarks

• Solutions?

– Technological, e.g.: “privacy by design”, separating data layers (with each a different regime)

– Regulatory (incl. self regulation)

– Awareness/education

• Most urgent: public debate with the industry, consumers and all other stakeholders (e.g. FCC/FTC Forum)

• Looking for new standards for LBS
