The Article 29 Working Party has concluded an opinion on geo-location services on smart mobile devices (such as smart phones and tablet computers) by saying that they are linked to natural persons and therefore any geo-location data involving the devices are deemed personal data. As such, under the Data Protection Directive, the most applicable legitimate ground for processing that data is by giving the users of those devices sufficient information and obtaining their prior, informed consent. The Working Party said that the means of consent must be clear, rather than implied without the user being fully aware. The description must therefore not be hidden away in terms and conditions. The consent must be specific for particular purposes and if the purposes change in any way then further specific consent must be obtained. Users should in any event be reminded at least once every year that location data is being processed about them. Users must be able to withdraw their consent without negative consequences for their use of their mobile device. By default, location services must be switched off. Use of location data concerning employees should only be permissible if necessary for a legitimate purpose and the goals cannot be achieved with less intrusive means. And use by parents on children should be done by the parents agreeing with the children.
Geo-location services involve any services related to the actual location of a particular device, and the people linked to that device. The services may be used in any number of growing ways, such as for tagging where a photograph was taken, providing useful information for users as to where a local service such as a restaurant is located, recovering lost or stolen items, identifying where children are or whether friends are nearby. Geo-location data can be gathered in a number of ways, such as through GSM base stations, GPS, WiFi and RFID readers.
The Working Party’s findings are particularly strict and may affect a range of different types of organisation, from network operators to controllers of geo-location infrastructure (such as WiFi access points), to application providers, through to social networking sites that provide location-based functionality for mobile devices. The Article 29 Working Party’s opinion is not legally binding, but it is best practice to do so as it is the body of the European Union’s data protection regulators and so it strongly indicates how the regulators will interpret compliance with data protection legislation.