Home Articles IP, privacy & liability: The legal angle of geo-info

IP, privacy & liability: The legal angle of geo-info

Dr. Colette Cuijpers
Assistant Professor
TILT, Tilburg University
[email protected]
 

Geoinformation is increasingly used to track, trace and locate people in real time, using various technologies. Besides questions relating to the technical and design specifications necessary to effectively provide these services, legal issues are an important concern. Location based services (LBS) can be provided by public and private bodies or a combination of both, they can have commercial and non-commercial purposes, they can entail different kinds of techniques and they can be directed towards different kinds of people. Because of this diverse picture, the range of legal rules that might impact a particular LBS is extensive, as demonstrated by Bauman (Figure 1).

Intellectual Property (IP)
According to the World Intellectual Property Organisation (WIPO), intellectual property refers to creations of the mind: inventions, literary and artistic works and symbols, names, images and designs used in commerce. With regard to geospatial data, one of the most important questions concerns whether or not those data can be protected by intellectual property rights? Closely related to this question is whether these rights can exist in data generated with public money? In this respect rules and regulations regarding access to and licensing of public geospatial data are of interest. A final question to be addressed in this section concerns ownership of geospatial data.

From the nature of IP, it is clear that protection of geospatial data as such, must be sought in copyright protection. In this respect, it must be noted that copyright does not extend to raw data, but only to enriched data. In the same sense, copyright does not extend to ideas, but only to the form of expression of ideas. However, in the United States, the supreme court in the case Feist has rejected the so called 'sweat of the brow' doctrine established by lower courts. Under this doctrine, copyright protection was a reward for the hard work that went into compiling facts. The court makes it clear that 'industrious collection' is beyond the scope of existing copyright law.

Another difference between the European Union and the US concerns database protection. In the EU, as opposed to the US, a sui generis right to database protection is embedded in Directive 96/6/EC, which requires for protection a substantial investment in collection, presentation or verification of data within a database.

In relation to IP and geospatial data, another question is important: whether or not the data were created with public money. In the Netherlands, governments who created geospatial data with public money can claim copyright protection. An opposed perspective towards the copyright approach taken in the Netherlands can be found in the United States where federal government in general does not have copyright in works it creates.

Attention needs to be given to the question: Who owns geospatial data? This question closely relates to the theme of public and private partnerships. Closely related to the ownership of the data, is the access to those data by third parties. In this respect there might be friction between rights from different parties involved, such as IP rights of private parties versus legal obligations.


Privacy

Introduction
There are no privacy issues related to geospatial data, as those data as such do not relate to an identified or identifiable person. However, in providing LBS on the basis of geospatial data, a link is usually made between location data and personal data. There is a growing interest in the use of LBS among people, who also value privacy.

People want to remain in control over the use of their personal data. In this respect, it is necessary to clarify the notions of privacy and data protection. Privacy can be seen as an umbrella concept. It entails several dimensions of privacy such as bodily integrity, relational privacy, territorial privacy and informational privacy. Privacy, as the comprehensive concept, constitutes a fundamental human right, which in practice is often strongly related to other human rights. The right to data protection is the most important dimension of privacy in view of LBS. EU, data protection has its own legal framework. In the US, data protection as such is not embedded in specific legislation, but in several instances forms part of more specific sectoral regulations.

US Perspective
In the US, there is no general federal law concerning data protection. The framework can best be described as a patchwork of statutes, case law and self regulation with a strong sectoral approach. Several sector specific regulations do not concern data protection as such, but do relate to the processing of personal data and do regulate some aspects of the use of personal data.

Circular No. A-16 concerning "Coordination of Geographic Information and Related Spatial Data Activities" assures that spatial data from multiple sources (federal, state, local, and tribal governments, academia, and the private sector) are available and easily integrated to enhance the understanding of our physical and cultural world. The circular states in article 2 that: "The NSDI assures that spatial data from multiple sources are available and easily integrated to enhance the understanding of our physical and cultural world. The NSDI honours several key public values." The first value mentioned concerns privacy: "Privacy and security of citizens' personal data and accuracy of statistical information on people, both in raw form and in derived information products."However, the need to balance differing interests becomes immediately clear when reading the second key public value: "Access for all citizens to spatial data, information, and interpretive products, in accordance with OMB Circular A-130."

In the absence of specific data protection rules, the general doctrine of reasonable expectations of privacy comes into play. Privacy is related to private life, while locating people often takes place in public spaces. This raises the question whether being in a public place automatically constitutes a waiver of the rights to privacy, or whether it entails implicit consent to data processing? And by using LBS, do you automatically consent to the collection, use and disclosure of location information? Or when the LBS provider informs you about data processing in a privacy policy, does this eliminate all reasonable expectations of privacy? If so, does this make all data processing in the process of providing the LBS legitimate?


The EU legal framework
The first directive of EU concerns the protection of individuals with regard to the processing of personal data and the free movement of such data (General DP Directive). The second directive concerns the processing of personal data and the protection of privacy in the electronic communications sector (Specific DP Directive). The third directive concerns data retention. The General DP Directive provides rights and obligations in relation to the processing of personal data, while the Specific DP Directive provides for rights and obligations in respect of the processing of personal data, traffic data and location data, in connection with the provision of publicly available electronic communications services in public communications networks. More precisely, article 5 of Directive 2002/58 concerns confidentiality of traffic data, article 6 regards the processing of traffic data, while article 9 regulates the processing of location data other than traffic data. Figure 2 demonstrates the complexity that arises out of the different definitions and regimes laid down in the different directives.

In Figure 2, yellow indicates applicability of articles 5 and 6 of the Specific DP Directive, while red indicates that article 9 of this directive applies. Blue indicates the scope of the General DP Directive. The purple (red + blue) and the green (yellow + blue) part show that for some data both the provisions of the Specific DP Directive as well as the General DP Directive apply.

The figure demonstrates that providers of LBS have to answer a lot of questions before they can determine which regime is applicable to the data they are processing. At least the following questions must be answered:

  • Are the data to be processed 'personal data'? (see Art. 2(a) of Directive 95/46/EC)
  • Are the data to be processed 'traffic data'? (see Art. 2(b) of Directive 2002/58/EC)
  • Are the data to be processed 'location data'? (see Art. 2(c) of Directive 2002/58/EC)
  • Do the data relate to users or subscribers of public communications networks or publicly available electronic communications services? (see Art. 6 and 9 of Directive 2002/58/EC and Art. 2 (a), (c) and (d) of Directive 2002/21/EC)
  • Is one of the exceptions applicable? (see Article 13 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC)

Both in the US, because of a lack of a comprehensive legal framework, and in the EU, due to a too complex legal framework.

Liability
One of the main reasons why IPR and privacy rights must be obeyed, concerns the risk of being held liable if these, or other rights and obligations, are violated. Besides liability for the violation of rights, liability can also emerge out of incorrectness of geospatial data or the (mis)use thereof. Within the project Public Protection and Ethical Geospatial Data Dissemination an Initiative of GEOIDE (Project IV-23,) an inventory is being made of known examples of damage caused by geospatial data. Examples of damage caused by incorrect geo data that are listed so far concern traffic jams, car and plane accidents, bombing of incorrect targets, logging of protected forest, building public facilities onto private property, lack of flood insurance etc.

From a legal perspective, there are no specific liability issues in relation to geo information. Territorial borders are vanishing in a networked and wired world, a trend closely related to all kinds of LBS that are provided regardless of territorial borders. Even though LBS make it possible to track and trace people, dematerialisation often makes it harder to track and trace wrongdoers as they can 'hide' within the network. In view of technological turbulence, the description of the EU legal framework on data protection provides a good example. More in general technological turbulence leads to the question whether existing legal rules can still deal with new technologies and the changes they bring about in society? Another difficulty in view of liability in relation to geo spatial data and LBS concerns the cooperation between private parties, public bodies and technical applications.

The combination of the three trends together with the complex cooperation between private parties, public bodies and the technologies used in providing LBS, lead to an unanswerable question, which is necessary to answer in view of liability: Where did it go wrong? As the applicability of specific liability regimes in the US and in the EU depend on whether private or public bodies are involved and whether or not liability is caused by a product or a service, the need to establish where things went wrong and who is responsible, is decisive.

Conclusion
The above sketch of legal issues related to geospatial data and the provision of LBS is probably just the tip of the iceberg. As technology and the law are in several ways intertwined in the process of designing and providing products and services based on geospatial data, it becomes evident that technicians and lawyers to cooperate within these processes.