Upload
atif-unaldi
View
893
Download
1
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
Location based services: “keeping track” of the regulatory developments
20 June 2011
Prof.dr. Kees StuurmanTilburg Institute for Law, Technology and Society
(TILT) / Van Doorne attorneys Amsterdam
c.stuurman@uvt
2
Contents
• Location based data and technologies
• The current EU regulatory framework, LBS and personal data; the Opinion of the Article 29 Working Group
• Some US developments
• Future outlook, challenges and possible results
• Final remarks
3
Location based data
• ‘Location based services ‘(LBS): threat or menace?
• Navigation systems, vehicle tracking, parcel tracking, coupons/advertising, ‘buddy finder’(…)
• ‘Geoslavery’(Dobson/Fisher, 2003):“Society must contemplate a new form of slavery, characterized by location control”
• Development of LBS requires a level playing field for the industry as well as an adequate protection of its users
• How are we doing so far? Focus: data protection
4
Data and technologies?
• LBS is based on different technologies
• GPS, RFID, WiFi, GSM, UMTS, sensor based systems, (….)
• Various data streams:– mobile/static device sensor– sensors back end systems– back end systems applications– (…)
5
6
7
Current EU regulatory framework
• LBS and data protection
• European Union:
– Directive 95/46/EC (the Data Protection Directive)
– Directive 2002/58/EC (the E-Privacy Directive)
– Directive 2009/136/EC (‘the EU Cookie Directive”)
– Various opinions of the Article 29 Data Protection Working Party, in particular: “Opinion13-2011 on Geolocation services on smart mobile devices “(16 May 2011)
8
Personal data
• Location data=“personal data”?
• EC Directive 95/46 (Art. 2):
“Personal data shall mean any information relating to an identified or identifiable natural person (“data subject”)”
• Can location data from smart mobile devices considered to be ‘personal data’?
• Article 29 Data Protection Working Party. Opinion 13/2011 on Geolocation services on smart mobile phones (16 May 2011)
9
Art. 29 Working Group (1)
• Scope of the Opinion:
– Focus on three main infrastructures: GPS, GSM base stations and WiFi
– Not: • toll systems for cars, satellite navigation systems,
geolocations of IP addresses ;• social networks• geolocation services based on technologies for
interconnecting in small areas, (e.g. RFID, Bluetooth)
– Findings may however be equally relevant
10
Art. 29 Working Group (2)
• Privacy risks:– “A smart mobile device is very intimately linked to
a specific individual” (identifiable link)
– This allows for gaining an intimate overview of the habits of the owner and building extensive profiles
– The data collected could include ‘sensitive’ data (health, religion, political views, sex life, ...)
– The technology allows for constant monitoring of location data
11
Art. 29 Working Group (3)
• Even when location data are being made available intentionally very significant risks might arise (burglary, physical aggression, stalking, ...)
• Main findings of the art. 29 Working Group:
“Location data from smart mobile devices are ‘’personal data”
• But also: the combination of a MAC address of a WiFi access point with its calculated location should be treated as ‘personal data’
12
Art. 29 Working Group (4)
• Legitimate grounds for processing of location data:
– Smart mobile devices: prior consent (freely given, specific, informed data subject)
– Mandatory acceptance of T&C’s or opt-out is inadequate
– The device should continuously warn that geolocation is ‘on’
13
Art. 29 Working Group (5)
• Other aspects:
– Adequate information with regard to key elements (purpose, rights, identity of the data controller, ...) art 10 Data Protection Directive)
– Data subject rights (access, update, rectify, erase)
– Retention period (no longer than necessary for the purposes of collection and further processing)
14
The European regulatory framework
• Directives 95/46/EC, 2002/58/EC and 2009/136/EC
• “a complex patchwork of legal rules applies to the provision of LBS” (Koops/Cuijpers, 2008)
• Distinctions to be include:– “personal data” (Privacy Directive)– “traffic data” (E-Privacy Directive)– “location data” (E-Privacy Directive)
• Seven types of data can be distinguished (….)
• Regulatory framework should be further developed
15
US Developments
• The United States:
– Recent Congressional hearings. Issues include whether Apple’s and Google’s applications running on their mobile platforms are compliant with the Children's Online Privacy Protection Act (COPPA)
– Current situation is a patchwork of state regulation and industry self-regulation
– Upcoming FCC/FTC educational forum on June 28, 2011 to help consumers understand the privacy implications of location-based services.
– Impact of the proposed new federal privacy law
16
Future outlook
• Current location based services primarily based on tracking of mobile devices
• Future developments:– ambient intelligence/”internet of things”– the use of any networked device could generate
location data
• Reversed paradigm: which data will not qualify as ‘personal data’?
17
Possible solutions
• LBS creates a number of legal challenges
• “Geo slavery” ahead?
• Location data much more ‘’sensitive” than perceived by some of the stakeholders
• LBS: balance between benefits and (privacy)threats?
• No “quick fix” for the current legal challenges
18
Final Remarks
• Solutions?– Technological, e.g.: “privacy by design”, separating data
layers (with each a different regime)
– Regulatory (incl. self regulation)
– Awareness/education
• Most urgent: public debate with the industry, consumers and all other stakeholders (e.g. FCC/FTC Forum )
• Looking for new standards for LBS
Location based services: “keeping track” of the regulatory developments
20 June 2011
Prof.dr. Kees StuurmanTilburg Institute for Law, Technology and Society
(TILT) / Van Doorne attorneys Amsterdam
c.stuurman@uvt