EU Demands Explicit Geo-Location Permissions

Apple, Google and employers must comply with new European Union rules for geo-location data permissions

The hopes of companies planning to use geo-location data to push products and services to mobile device users have taken a beating in the European Union, following a pronouncement from the European Data Protection Supervisor (EDPS) Peter Hustinx.

His opinion that geo-location data should be considered private has been approved by the Article 29 Working Group. This means that mobile service providers will have to gain the user’s explicit permission to collect or relay location data.

Implicit Permission Is Not Good Enough

The opinion document released by the working party states: “If telecom operators want to use base station data in order to supply a value-added service to a customer, according to the revised e-privacy directive they must obtain his or her prior consent. They must also make sure the customer is informed about the terms of such processing.”

When it comes to phones and tablets using satellite geo-location, the situation is much the same. The report points out that processing location data and seeking patterns in a user’s daily travels is a sensitive area. Here too, prior “informed” consent should be sought, the group said.

By this, the EU will require proof of the user’s consent. “According to the data protection directive, article 2(h), consent must be freely given, specific and informed indication of the data subject’s wishes,” the opinion paper states.

It adds that just because someone buys a device that has the ability to transmit geopositioning data, it does not constitute their consent to allow this information to be used by a third party. If anyone else wants to make use of the freely accessible data, they must first seek the permission of the user.

Apple And Google In A Bad Position

This ruling would mean that Apple and Google would have transgressed the European Union’s guidelines by collecting data. Even though Apple, for example, warned users in the small print of its mobile devices that data might be collected, it would not be considered lawful in the European Union without a more explicit consent being given by the user.

“If the default settings of an operating system would allow for the transmission of location data, a lack of intervention by its users should not be mistaken for freely given consent,” the opinion document says. “It  must be clear that such consent cannot be obtained freely through mandatory acceptance of general terms and conditions, nor through opt-out possibilities. The default should be that location services are ‘OFF’, and users may granularly consent to the switching ‘ON’ of specific applications.”

No Exceptions For Company Devices

This position also applies when the device belongs to a company and is issued to a staff member. A company has to make a case that expresses why it is “demonstrably necessary” to geo-locate the user and this must be weighed against the fundamental rights and freedoms of the employee.

“The employer must always seek the least intrusive means, avoid continuous monitoring and for example choose a system that sends an alert when an employee is crossing a pre-set virtual boundary,” the report specifies. “An employee must be able to turn off any monitoring device outside of work hours and must be shown how to do so.”

Even vehicle monitoring systems have to be used with awareness of human rights. Such monitoring should be restricted to vehicle movements and not be used as staff-tracking devices. The wording becomes convoluted by stating that the devices should not be used to “track or monitor the behaviour or the whereabouts of drivers or other staff”. This is a legal clarification preventing companies from using vehicle location tracking to be used to discipline or dismiss employees.

Neither can the devices be used for purposes other than tracking, such as calculating whether the employee is exceeding speed limits.

The implementation of the EU regulations will not be immediate but the existence of the working party’s opinions will force mobile device makers to rethink how their operating systems interact with users and, hopefully, more permission screens will be appearing on smartphones and tablets in forthcoming releases.