Iñigo de Miguel Beriain and Lorena Pérez Campillo (UPV/EHU)
The last section of this document partially reproduces the part of AI originally written by Gianclaudio Malgieri and Andres Chomczyk Penedo (VUB)
Acknowledgment: Mario Muñoz Organero and Julian Estévez provided valuable support regarding technical issues.
This part of the Guidelines was revised by Elena Gil González, IT and data protection lawyer, and finally validated by Iñaki Pariente, former director of the Basque Data Protection Agency.
“In the context of online geolocation services provided by information society services three different functionalities can be discerned, with different responsibilities for the processing of personal data. These are: controller of a geolocation infrastructure; provider of a specific geolocation application or service and the development of the operating system of a smart mobile device. In practice, companies often fulfil many roles at the same time, for example when they combine an operating system with a database with mapped WiFi access points and an advertising platform”.
In this section of the Guidelines, we focus on the last two types of controllers: those who are willing to provide a specific geolocation application or service or to design the operating system of a smart mobile device. We therefore focus here on geospatial data. Such data offer many social and economic benefits, and these opportunities should be realized responsibly. Geospatial data is a wide category that includes, at least, these types of data:
“Geospatial data”: the term in its broad meaning. This is the term used on the EthicalGEO website. It includes both location and proximity data.
“Location data”: specific or very granular geospatial data that gives very precise information about where a subject or device is geopositioned.
“Proximity data”: less precise geospatial data that allows one to know in a general way where a subject or device is geopositioned, for instance by dividing a map into bigger quadrants or by using postal code information rather than specific addresses. In general, proximity data informs the user about whether a data subject has been near another data subject or a concrete location.
In this part of the Guidelines we do not tackle data protection issues related to the processing performed by online third parties that enable the (further) processing of location data, such as browsers, social networking sites or communication media that enable, for example, ‘geotagging’. We do not consider here the development of a device or system based on location or proximity data. These activities are included in the module of these Guidelines devoted to social networks and online services.
It is also necessary to point out that the developers of the operating system of the smart mobile device might be the controller for the processing of proximity or location data when they interact directly with the user and collect personal data (such as by requesting initial user registration and/or collecting location information for the purposes of improving services). “A developer is also the controller for the data they process if the device has a ‘phone home’ functionality for its whereabouts. Since the developers in that case decide on the means and purposes for such a data stream, they are the controllers for the processing of these data. A common example of such a ‘phone home’ functionality is the automatic provisioning of time zone updates based on location.”
This module of the Guidelines follows the structure of the Locus Charter. The Charter is an important attempt to create some common international principles to help users of geospatial data make better informed decisions, and to provide the basis for communication with people affected by those decisions. PANELFIT is happy to cooperate in such a collaborative effort, which was originally supported by the Benchmark and EthicalGEO initiatives. Following the Charter, we consider that there are ten basic principles that must be addressed when using position/proximity data: realize opportunities, understand impacts, do not harm, protect the vulnerable, address bias, minimize intrusion, minimize data, protect privacy, prevent identification of individuals and provide accountability. This part of the Guidelines aims to turn these ethical principles into tangible legal advice.
This part of the Guidelines was written at a time when the ePrivacy Regulation had not been passed. It may happen that at the time of using this tool, the Regulation is in force. If so, it will be necessary to take into account the possible changes that this may have produced in the regulatory framework. In any case, this document has attempted to introduce some of the main provisions included in the draft ePrivacy Regulation. This is because, at the very least, we should understand that they are ethical requirements that a proper implementation of the GDPR demands. In this sense, we have introduced in this part of the Guidelines the main instructions developed by the EDPB in this regard.
Until the ePrivacy Regulation enters into force, a fragmented situation will exist. Indeed, supervisory authorities now face a situation in which the ePrivacy Directive and the GDPR coexist, and their interplay poses questions as regards the competences, tasks and powers of data protection authorities in those matters that trigger the application of both the GDPR and the national laws implementing the ePrivacy Directive.
1. Article 29 Working Party (2011), Opinion 13/2011 on Geolocation services on smart mobile devices, adopted on 16 May 2011, 881/11/EN WP 185, p. 12, at: https://www.apda.ad/sites/default/files/2018-10/wp185_en.pdf
3. Article 29 Working Party (2011), Opinion 13/2011 on Geolocation services on smart mobile devices, adopted on 16 May 2011, 881/11/EN WP 185, p. 12, at: https://www.apda.ad/sites/default/files/2018-10/wp185_en.pdf
5. EDPB, Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, adopted on 12 March 2019, at: https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en_0.pdf
6. EDPB, Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, adopted on 12 March 2019, at: https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en_0.pdf