Brussels, Belgium: Geolocation data – which is becoming increasingly common thanks to the rapid adoption of GPS-enabled smartphones – should be classified as personal data, concluded the European (EU) data protection working party, because it can easily be used to identify individuals.
The Article 29 Working Party, a group of European privacy authorities, said that geolocation data is personal and that permission for collecting it cannot be given through people accepting terms and conditions. In an advisory document, the group looked at the application of the EU’s Data Protection Directive and the e-Privacy Directive to the gathering of geolocation data via GSM base stations, GPS and Wi-Fi. It noted that this data is being used by companies to sell a variety of location-based services, such as maps and navigation, augmented reality and local advertising.
“If telecom operators want to use base-station data in order to supply a value-added service to a customer, according to the revised e-Privacy Directive they must obtain his or her prior consent,” the group said. “They must also make sure the customer is informed about the terms of such processing.”
The Article 29 Working Party said that consent should not be gained through general terms and conditions; rather, people must explicitly agree for their data to be used for a specified purpose. Companies must also only use geolocation when necessary, and allow employees to switch off geolocation outside work.
The group said that companies must make it clear that location tracking is taking place even if a person is using a service that needs to have tracking constantly switched on. “In order to prevent the risks of secret monitoring, the Article 29 Working Party considers it essential that the device continuously warns that geolocation is ‘ON’, for example through a permanently visible icon,” it said.
The EU decision will also impact companies such as Apple and Google, both of which have a track record of collecting vast troves of data from their users. If geolocation data has to be treated as personal information, it will place a far greater burden on those who retain it, both in terms of the security around storage and in allowing individuals to discover what information pertaining to them is being held.
Source: ZDNet UK