The use of location data by mobile apps post-GDPR

This article was first published on Lexis®PSL TMT on 24 September 2018.

From the perspective of a party providing an app via an app store, what regulations govern the use of location data by that mobile app?

The key consideration is data privacy and, therefore, the main regulation to consider is the General Data Protection Regulation (GDPR) which came into force on 25 May 2018. This will apply to the app provider if they carry out processing of personal data on the device.

While there is as yet no specific guidance under the GDPR on the use of location data by apps, in 2011 the Article 29 Data Protection Working Party (now the European Data Protection Board (EDPB)) adopted Opinion 13/2011 on “Geolocation services on smart mobile devices” and in 2013 Opinion 2/2013 on “Apps on smart devices”. Although these Opinions relate to the Data Protection Directive (95/46/EC), much of their content is still relevant under the GDPR.

In the UK, you should also take into account the Data Protection Act 2018 which supplements the GDPR in certain areas (such as in relation to special categories of personal data and data subject rights) although not specifically in relation to location data.

To what extent / in what circumstances will the Privacy and Electronic Communications Regulations 2003 regulate the use of location data by mobile app providers? What exemptions apply and does PECR 2003 apply to ‘information society services’?

Under regulation 6 of PECR (as amended by the 2011 Regulations), it is unlawful to gain access to information stored in the terminal equipment of a subscriber or user unless the subscriber or user (a) is provided with clear and comprehensive information about the purposes of the access to that information; and (b) has given his or her consent. This applies irrespective of whether or not the location data is “personal data”.

Regulation 14 relates specifically to the processing of location data and provides that you can only process location data if you are a public communications provider, a provider of a “value-added service”, or a person acting on the authority of such a provider, and only if: (a) the data is anonymous; or (b) you have the user’s consent to use it for a value-added service, and the processing is necessary for that purpose. This does not apply to data collected independently of the network or service provider such as GPS-based location data or data collected by a local wifi network. However, the use of such data will still need to comply with the GDPR.

To what extent / in what circumstances will the GDPR regulate the use of location data collected from mobile apps by mobile app providers?

The GDPR will apply if the app provider collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc are not known.

Opinion 13/2011 sets out the regulator’s view that a device is usually intimately linked to a specific individual and that location data will, therefore, be regarded as “personal data”. Indeed, the definition of “personal data” in the GDPR specifically includes location data as one of the elements by reference to which a person can be identified. The Opinion comments that the providers of geolocation-based services gain “an intimate overview of habits and patterns of the owner of such a device and build extensive profiles.”

Furthermore, in certain contexts, location data could be linked to special category personal data (sensitive personal data). For example, location data may reveal visits to hospitals or places of worship or presence at political demonstrations.

How is compliance with such laws commonly addressed by app providers?

To process the data derived from the device or the app, the app provider needs to have a legal basis.

Contract necessity may apply to some uses of the location data. For other uses, depending on the app, it may be problematic to rely on “legitimate interests” as a lawful basis for tracking individuals using location data, for example, to serve location specific ads. Therefore, in many cases the app provider will need to rely on the user’s “consent” for processing location data.

How should app providers respond to recent changes in the law (e.g., the introduction of GDPR) impacting their apps’ use of location data?

Where app providers rely on “consent” as the legal basis, they will need to ensure that this meets the stricter requirements for consent under GDPR. This can be challenging given the constraints of the mobile app environment.

Transparency is essential. The Article 29 Guidelines on transparency WP260 rev.01 indicate that, for apps, the Article 13 privacy information should be made available from the app store before download. Once the app is installed, the privacy information needs to be easily accessible from within the app. The recommendation is that it should never be more than “two taps away” (e.g. by including a “Privacy” option in the app menu). Use of layered notices and contextual real time notifications will be particularly helpful on a mobile device.

The device’s operating system (such as iOS) may require the user’s permission to use the location data, for example via a dialogue box asking if the user agrees to allow the app to access the user’s location, either while using the app or in the background. Tapping the “allow” button enables location services for the app on the device and may also help signify consent, provided that the consent is sufficiently informed and sufficiently granular.

If the app integrates with a third-party provider to enable, for example, location-based advertising the consent to use location data must be sufficiently explicit to include consent to data collection for advertising purposes by the third party, including the identity of the third party. Data sharing arrangements may also be required between the app provider and the third party.

Where children (in the UK, under 13) may be involved, the consent must be given or authorised by the holder of parental responsibility over the child.

Following GDPR, app providers should review their data security and retention policies for compliance with the Article 5 principles.

App providers should be mindful of the principles of privacy by design and by default; for example, location services should be switched off by default and their use should be customisable by the user.

Finally, using location data may involve “profiling” within the meaning of Article 4(4) which specifically refers to analysing location data. As such, consideration should be given to whether a data protection impact assessment (DPIA) is required under Article 35 or, if not required, should be undertaken as good practice.

Are there any forthcoming or anticipated changes to the law which may impact on use of location data by mobile app providers?

The ePrivacy Directive on which PECR is based is currently under review to be updated and aligned with GDPR in the form of the ePrivacy Regulation.

This is not yet finalised and its implementation date is not certain but may be in 2019 or 2020. However, GDPR-grade consent will still be required for use of location data subject to certain exceptions including where strictly necessary for providing an information society service specifically requested by the individual. Assuming the ePrivacy Regulation takes effect after Brexit, it remains to be seen if / how it will be implemented in the UK but this can be expected in the interests of UK “adequacy” status.


Nigel Miller leads Fox Williams’ technology and data protection group. Nigel is a Certified Information Privacy Professional/Europe (CIPP/E).

The consent trap

Nigel Miller

Having got past 25 May 2018, the day the GDPR came into effect, the torrent of GDPR emails is beginning to abate.

It would be interesting to analyse how many GDPR emails were sent in the run up to the go live date seeking consent to continue being in contact, as against the percentage of recipients who then responded to opt-in. And how many trumpeted a new privacy policy, as against the percentage of recipients who actually read the new policy. I suspect the percentages in each case will be low! Indeed, many people have expressed satisfaction that, by doing nothing and not confirming consent when requested, they can reduce the flow of unwanted spam into their inbox.

But were all these emails necessary, and in particular, was it actually necessary to seek consent?

In many cases it was not necessary to seek consent to “stay in touch” and continue email marketing.

Under the GDPR, consent is one of the legal bases for processing, but it is not the only one. In most cases, organisations will be able to rely on the “legitimate interests” ground to remain in contact with their contact list. Recital 47 GDPR expressly says that processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Subject to confirming this in a “legitimate interests assessment”, many businesses can rely on the concept of ‘legitimate interests’ to justify processing client personal data on their mailing lists without the need to re-affirm consent. The GDPR expressly acknowledges that businesses may have a legitimate interest in direct marketing activities, which could include circulating invitations to events, news of new products and services, or updates. This is an appropriate basis for data processing where you use data in ways that people would reasonably expect and that have a minimal privacy impact, especially as a recipient should always be able to easily opt out of future marketing.

While permission-based marketing is certainly to be preferred, unless it is actually required there is no need to seek specific GDPR-grade consent, which may predictably result in the contact database being decimated by recipient inertia and GDPR fatigue.

That all said, there is a key exception where consent to email marketing may be required. This requirement is not to be found in the GDPR; instead it is in the Privacy and Electronic Communications Regulations (“PECR”). These have been around since 2003 and are currently being upgraded to GDPR level with a new ePrivacy Regulation, although this did not make it into law at the same time as the GDPR as was the plan; it is likely to come on stream within the next year or so.

PECR contains supplemental rules on consent for electronic marketing (i.e. marketing by email, phone, SMS or fax). Whilst you may not need consent under the GDPR, you may need consent under PECR.

Different rules apply depending on whether the marketing is sent to an ‘individual’ or a ‘corporate’ subscriber.

Marketing to a corporate email address does not need consent. However, if you are sending unsolicited marketing emails to individual subscribers (a personal email address), then you will need the individual’s consent, unless the so-called “soft opt-in” applies (e.g. where the individual is an existing customer).

In summary, assuming you can justify “legitimate interests” for the continued contact, consent is not needed to continue marketing by post, or by email to existing customers or to contacts at corporate email addresses. Consent will only be needed to send direct marketing by email to personal email addresses of individuals who are not customers for similar products and services.

Ironically, in an effort to be compliant, the email requesting consent to future marketing may itself be unlawful if consent was not already in place, and the ICO has fined organisations for engaging in this (e.g. Honda and Flybe). So, sending emails seeking consent may be either unnecessary or unlawful.

Tricky issues with use of employee data

Helen Farr

Employers cannot manage the employment relationship without using their employees’ data. Data is used by employers on a daily basis for a variety of tasks ranging from monitoring sickness absence, administering benefits to paying salary using payroll.

To process this data lawfully most employers rely on provisions in the employment contract authorising them to do so. However, employers need to be aware that simply including a provision in a contract may not be enough if the employer is using a specific class of data: sensitive personal data.

Sensitive personal data includes data about an employee’s health, sexuality, diversity and political beliefs. To use this data lawfully employers need the employee’s express consent to do so.

Problems can arise for employers in a number of situations where they need to use sensitive personal data.

A common problem area is when a referral is made to a company’s occupational health team for an opinion and prognosis on an employee’s health problems. There are two main components to occupational health records: transferable information and the confidential clinical record. Transferable information is information that is generally accessible by the employer, the employee and enforcing bodies like the HSE; it includes information about accidents at work, monitoring data and exposure to hazards. The confidential clinical record is specific to the employee and his or her health during employment. This is sensitive personal data.

When the referral is made to Occupational Health it must be made with the employee’s consent. However, relying on consent may not be enough to protect the employer from a claim.

Employers must ensure that when they make a request for a medical report from Occupational Health the request is focussed and limited to the purposes for which consent is obtained.

They also need to make sure that any medical information provided to Occupational Health is focused. It is common practice for HR practitioners making the referral to send all the sickness records they hold about the employee. But what if the employee has suffered various health problems over the years, including conditions that the employee would not necessarily want his or her line manager or the wider business to know about? If the Occupational Health report refers to these historical conditions, there could be claims by the disgruntled employee.

The consent that has been obtained is unlikely to be enough to protect the employer from a claim. Potential claims include breach of the employee’s right to privacy and breach of the Data Protection Act. The issue could also lead to claims of discrimination. Therefore employers should not complacently rely on the consent received when requesting a report but must properly consider the particular purposes for which the report is needed.

Our experience is that most businesses do not send a copy of the Occupational Health referral to the employee. Best practice must be to do so. This will avoid any potential problem when the employee reads a report containing lots of historical medical information; it makes it difficult for them to claim they did not agree to it being referred to.

Another potential problem area is the use of sensitive personal data about an employee’s sexual orientation. Many large employers have relationships-at-work policies obliging their employees to disclose information about romantic relationships with work colleagues. Of course, this policy applies to same-sex relationships too.

Again the problem employers often omit to consider is how that information is used. The business justification for disclosure of a relationship with a work colleague is to enable the employer to ensure that the parties to the relationship do not either benefit or suffer because of it. Sometimes employers post information about the existence of a relationship with a colleague on their intranet.

What the policy authors overlook is that the employer needs express consent to process information about sexuality, which this of course is. Therefore posting such information on the company’s intranet, unless the employee expressly consents to this, will be a clear breach of the Data Protection Act. There may also be claims for discrimination if the employee suffers less favourable treatment following publication of the information.

Employers therefore need to take care when relying on policies that allow them to use data. If the data concerned is sensitive personal data, reliance on the policy alone is not enough to protect them from claims.


Helen Farr is a Partner in the HR Law team at Fox Williams LLP and can be contacted at HFarr@foxwilliams.com.

Dynamic IP address can be personal data

Nigel Miller

Whether or not an IP address is “personal data” can be a crucial question because the answer determines whether or not the data is subject to the rigours of the EU Data Protection Directive (in the UK, the Data Protection Act).

An IP address is a number used to identify a device on a network. An IP address can be “dynamic” or “static”. A static IP address remains constant and does not change each time the device connects to the Internet. In contrast, the more usual dynamic IP address is assigned afresh each time a new connection is made, so the same device may appear under different addresses over time.

It has long been agreed that static IP addresses are personal data because they enable a link to be made with a particular device for profiling. IP addresses enable an individual to be “singled out” (even if that individual’s real-world identity remains unknown).

In its early opinion 4/2007, the Article 29 Working Party accepted that an IP address, for example, for a computer in an Internet café used by many people may not identify any particular individual. In other cases, however, the IP address can be associated with a particular user if for example there is a log of who used the computer at the relevant time. The Working Party therefore concluded that all IP information should be treated as personal data, “to be on the safe side”.

The question of whether a dynamic IP address can be “personal data” was less certain.

Patrick Breyer v Bundesrepublik Deutschland

The Court of Justice of the European Union (CJEU) has now ruled that dynamic IP addresses held by a website operator are personal data where the operator has “the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person”.

While a dynamic IP address alone may not directly identify an individual, when combined with other information a dynamic IP address could be used to identify the individual user.

The question before the Court was whether a dynamic IP address can be personal data if the relevant additional information is in the hands of a third party (an internet service provider).

The case was brought by a politician, Mr Patrick Breyer, against the Federal Republic of Germany seeking to prevent them from storing, or arranging for third parties to store, his IP address from when he consulted publicly accessible websites of German Federal institutions. Mr Breyer claimed that IP addresses qualify as personal data under data protection laws; and therefore that consent was needed for processing such data.

If a user of a website reveals his identity on the website, for example by completing a form, then the IP address is certainly personal data because the operator of that website is able to identify the user by linking his name to his computer’s IP address.

However, if the user does not reveal his identity, the IP address alone does not enable the user to be directly identified. The website operator can identify the user only if the information relating to his identity is communicated to them by his ISP.

The Court decided that the fact that the additional data necessary to identify the user are held, not by the website operator, but by the user’s ISP does not exclude dynamic IP addresses from being personal data. The question is whether the website operator has a legal way to obtain the additional data from the ISP. In that case it was decided that the Federal Republic of Germany did have a legal means to obtain the necessary additional information from the ISP and therefore the raw dynamic IP address data should be regarded as personal data. For information to be treated as “personal data”, it is not necessary that all the information enabling the identification of the data subject be in the hands of one person.

Comment

The Court has decided that a dynamic IP address could, but will not always necessarily, constitute personal data. In light of this decision, businesses that have not up to now been treating dynamic IP addresses as personal data need to re-assess that position and may need to alter their data compliance practices. This may, for example, impact businesses engaged in online analytics and targeted advertising.

It may be that the case highlights a possible difference between the UK Data Protection Act and the implementation of the Directive in other EU countries. In the UK, data is personal data if an individual can be identified from those data and from “other information which is in the possession of, or is likely to come into the possession of, the data controller”. Is data “likely” to come into the possession of a data controller where the only way for him to obtain it is to ask for it?

All this will soon become academic as, looking ahead to May 2018, the General Data Protection Regulation (GDPR) specifically includes online identifiers, such as IP addresses, in its definition of “personal data”. It’s not that the position is now beyond doubt, it’s just that the nature of the question is changing …


Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com

Privacy Shield, the new Safe Harbor

Nigel Miller

The EU has approved a new framework for transfers of personal data from the EU to the US, called the EU-US Privacy Shield. The Privacy Shield will replace the old ‘Safe Harbor’, which was ruled invalid in October 2015.

According to the EU, the EU-US Privacy Shield is fundamentally different from the old ‘Safe Harbor’. Like Safe Harbor, it is a self-certification process. However, it imposes stronger obligations on companies handling the data to make sure that the rules are followed and enforced in practice.

Also, for the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. Privacy Shield also provides some mechanisms for redress including a specific ombudsman.

Registration for Privacy Shield can begin on 1 August 2016. US companies that wish to take advantage of Privacy Shield can benefit from a nine-month grace period to get into compliance if they register for Privacy Shield before the end of September 2016. So this does not give much time to decide about this and take action.

Unfortunately, while Privacy Shield is a very welcome development, it does not mean that the whole vexed issue of transfers from the EU to the US has been resolved. The Article 29 Working Party, made up of the European data protection regulators, has been critical of certain aspects of Privacy Shield, which raises the possibility that Privacy Shield will itself be subject to challenge at some point.

In addition, the EU Model Clauses, the main enabling solution for transfers of personal data from the EU, have also been referred to the EU court by the Irish data protection regulator and could possibly suffer the same fate as Safe Harbor.

Privacy Shield is progress, but not the legal certainty that businesses need.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com