EU Demands Explicit Geo-Location Permissions

The hopes of companies planning to use geo-location data to push products and services to mobile device users have taken a beating in the European Union, following a pronouncement from the European Data Protection Supervisor (EDPS) Peter Hustinx.

His opinion that geo-location data should be considered private has been approved by the Article 29 Working Group. This means that mobile service providers will have to gain the user’s explicit permission to collect or relay location data.

Implicit Permission Is Not Good Enough

The opinion document released by the working party states: “If telecom operators want to use base station data in order to supply a value-added service to a customer, according to the revised e-privacy directive they must obtain his or her prior consent. They must also make sure the customer is informed about the terms of such processing.”

When it comes to phones and tablets using satellite geo-location, the situation is much the same. The report points out that processing location data and seeking patterns in a user’s daily travels is a sensitive area. Here too, prior “informed” consent should be sought, the group said.

By this, the EU will require proof of the user’s consent. “According to the data protection directive, article 2(h), consent must be freely given, specific and informed indication of the data subject’s wishes,” the opinion paper states.

It adds that just because someone buys a device that has the ability to transmit geopositioning data, it does not constitute their consent to allow this information to be used by a third party. If anyone else wants to make use of the freely accessible data, they must first seek the permission of the user.

Apple And Google In A Bad Position

This ruling would mean that Apple and Google would have transgressed the European Union’s guidelines by collecting data. Even though Apple, for example, warned users in the small print of its mobile devices that data might be collected, it would not be considered lawful in the European Union without a more explicit consent being given by the user.

“If the default settings of an operating system would allow for the transmission of location data, a lack of intervention by its users should not be mistaken for freely given consent,” the opinion document says. “It  must be clear that such consent cannot be obtained freely through mandatory acceptance of general terms and conditions, nor through opt-out possibilities. The default should be that location services are ‘OFF’, and users may granularly consent to the switching ‘ON’ of specific applications.”

No Exceptions For Company Devices

This position also applies when the device belongs to a company and is issued to a staff member. A company has to make a case that expresses why it is “demonstrably necessary” to geo-locate the user and this must be weighed against the fundamental rights and freedoms of the employee.

“The employer must always seek the least intrusive means, avoid continuous monitoring and for example choose a system that sends an alert when an employee is crossing a pre-set virtual boundary,” the report specifies. “An employee must be able to turn off any monitoring device outside of work hours and must be shown how to do so.”

Even vehicle monitoring systems have to be used with awareness of human rights. Such monitoring should be restricted to vehicle movements and not be used as staff-tracking devices. The wording becomes convoluted by stating that the devices should not be used to “track or monitor the behaviour or the whereabouts of drivers or other staff”. This is a legal clarification preventing companies from using vehicle location tracking to be used to discipline or dismiss employees.

Neither can the devices be used for purposes other than tracking, such as calculating whether the employee is exceeding speed limits.

The implementation of the EU regulations will not be immediate but the existence of the working party’s opinions will force mobile device makers to rethink how their operating systems interact with users and, hopefully, more permission screens will be appearing on smartphones and tablets in forthcoming releases.

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative

View Comments

  • My Android phone already asks this when I first set it up and everytime I install an app that needs this permission. What more is it meant to do? Am I missing something?

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago