[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Location Privacy

Location information is generated through various electronic interactions. Location information may be collected in the provision of location-based services (LBS), or as a necessary part of some other service. Location tracking can be separated into three types of technologies. First, active location tracking technologies include mobile phones, wireless internet devices, and automobile location technology.[506] Second, passive technologies include biometric sensors, surveillance cameras with recognition software,[507] and Radio-Frequency Identification (RFID) technology. A third category includes technologies that have the unintended consequence of tracking location information, such as the recording of a point-of-sale transaction.[508]

The Internet Engineering Task Force (IETF) creates Internet standards, each of which it publishes as a "Request For Comments" on its website.[509] The IETF GEOPRIV working group is concerned with how applications acquire location information. According to GEOPRIV’s Charter, "[t]he primary task of this working group will be to assess the authorization, integrity and privacy requirements that must be met in order to transfer such information, or authorize the release or representation of such information through an agent."[510] GEOPRIV recently finalized a threat analysis that recommends that technical systems include Fair Information Practices to defend against harms associated with the use of location technologies:

Fair information practices are designed to prevent specific threats posed by the collection of personal information about individuals. For this reason, fair information practices are "countermeasures" that should be reflected in technical systems that handle personal information and the Rules that govern their use.[511]

GEOPRIV also has in draft form a document format for communicating privacy preferences in location information.[512]

The European Commission Directive on Privacy and Electronic Communications (2002/58/EC) addresses cellular location information.[513] The directive differentiates between location information needed to enable transmission and more accurate location information used for value-added services.[514] Location data other than traffic data is treated under Article 9, which requires that location data be processed anonymously or with consent of the individual. Obtaining this consent requires informing the user of the type of data, the purpose of the collection, the duration of the collection and whether a third party will be doing the processing. Consent may be withdrawn at any time, and there must be a simple and free means for a subscriber to refuse the processing of location data for a specific connection or transmission. The processing of data is restricted to what is necessary for providing the value-added service.[515] Further, Article 26 of the Universal Service Directive requires that Member states ensure that providers of public telephone networks make call location information available to emergency authorities.[516]

The Article 29 working party has issued an opinion on location information.[517] Consent means specific consent, not obtained as part of an agreement to more general terms.[518] Location data may not be stored beyond the delivery of the location-based service, unless kept for billing purposes, or anonymized.[519] In locating employees, the working group considers the collection excessive in situations where employees would be free to make their own travel arrangements or where the location monitoring is done for the sole purpose of monitoring employees and other means are available.[520] Location information should not be collected outside of working hours, and the working group recommends that location equipment which is also used for private purposes permit employees to turn off the location tracking.

Telecommunications Carriers in the United States are required to follow § 222 of the Telecommunications Act.[521] The Wireless Communications and Public Safety Act of 1999 required wireless carriers to implement 911 emergency calling and added location privacy provisions the Telecommunications Act.[522] Section 222 protects location information along with other costumer proprietary network information (CPNI), requiring user "approval" for uses or disclosures.[523] CPNI includes "information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier."[524] Express prior authorization of the customer is required for uses and disclosures of "call location" information, with certain exceptions. These exceptions are to providers of emergency services, to family and guardians in emergency situations, and to information or database services solely for assisting in delivering emergency services.[525]

The Transatlantic Consumer Dialogue (TACD) has passed a resolution on mobile commerce.[526] The resolution states that the EU and US governments should: “Protect consumer privacy in mobile commerce and prohibit use of any personal data (including purchase and location information) for purposes that consumers have not explicitly agreed to or that unfairly disadvantage them."

[506] James White, People Not Places: A Policy Framework for Analyzing Location Privacy Issues, (Spring 2003), available at <http://www.epic.org/privacy/location/jwhitelocationprivacy.pdf>.
[507] Id.
[508] Id.

[509] < http://www.ietf.org/tao.html#rfcs.ids>.
[510] <http://www.ietf.org/html.charters/geopriv-charter.html>.

[511] IETF, Threat Analysis of the GEOPRIV Protocol, February 2004, <http://www.ietf.org/rfc/rfc3694.txt>.

[512] IETF, Geolocation Policy: A Document Format for Expressing Privacy Preferences for Location Information, May 22, 2007 <http://www.ietf.org/internet-drafts/draft-ietf-geopriv-policy-12.txt>.

[513] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) <http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf>.
[514] Id. at (35).
[515] Id. at Art. 9.
[516] Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and user's rights to electronic communications networks and services (Universal Service Directive), <http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_108/l_10820020424en00510077.pdf>.

[517] Working Party 29 Opinion on the use of location data with a view to providing value-added services, 2130/05/EN, November 2005, <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp115_en.pdf>.
[518] Id. at 5.
[519] Id. at 7.
[520] Id. at 11.

[521] 47 U.S.C. § 222.
[522] Pub. L. No. 106-81, 113 Stat. 1286 (1999).
[523] 47 U.S.C. § 222(c)(1).
[524] 47 U.S.C. § 222(h)(1)(A).
[525] 47 U.S.C. § 222(d)(4).

[526] Transatlantic Consumer Dialogue, Resolution on Mobile Commerce, August 2005, <http://www.tacd.org/cgi-bin/db.cgi?page=view&config=admin/docs.cfg&id=283>.