‘We Know Where You Are’ to ‘We Know Who You Are’ … How far are the risks involved with processing information collected from geo-location technologies alleviated by data protection rules?

With the wide uptake of smart mobile devices and the rapid development of location-based apps and services, all kinds of geographic information about us are now available to industry and governments. This data deluge, which provides enhanced capabilities to pinpoint exactly where a mobile device and its owner are at a given time, is accentuated by the growing trend for checking-in on social media, as well as for ‘geo-tagging’ images uploaded online to show exactly where, when, and with whom, they were taken. While undeniably there are many benefits associated with the processing of geo-location data when it can be associated with one or more particular people (e.g. through advertising services of interest in close proximity to potential consumers), there are also privacy and data protection risks.

The purpose of this, and another post to be published shortly, is to consider and compare two guidelines published by European regulators regarding the processing of geolocation data. Both illustrate how EU data protection rules have been interpreted to help prevent personal data misuse that flows geo-location technologies. Both also include an assessment of the types of data protection obligations with which those who access and process geo-location data may have to comply. In this respect, the guidelines are of interest to network operators, controllers of geo-location infrastructure, developers of operating systems used by mobile devices, application providers, as well as social networking sites that embed location functionalities for mobile devices in their platforms.

First to be considered is guidance published by the UK Information Commissioner’s Office (ICO) last month for organisations processing Wi-Fi location analytics. ‘Analytics data’ is defined here to include information obtained through identifiers (such as media access control (MAC) addresses), which are transmitted by and can be unique to particular Wi-Fi-enabled devices when “broadcasting probe requests” (searching) for nearby Wi-Fi networks even when the device is switched off (as long as the Wi-Fi feature is switched on).

[For background, there are three main types of infrastructure used to provide geolocation services: 1. Global Positioning Systems (GPS) based upon the transmission and reception of data to and from satellites to determine the location of mobile devices to within a few metres’ accuracy; 2. Global Systems for Mobile Communications (GSM) Base Stations which collect telecoms network data from base stations within a grid of divided areas, albeit of varying accuracy depending on the number of base stations found in a relevant area; and, 3. Wireless Frequency (Wi-Fi) Access Points which transmit a unique ID (from a Wi-Fi access point) that can be detected by a mobile device, and sent to a service that has a location for each unique ID.]

According to the ICO, those involved in processing certain types of analytics data collected from the operation of Wi-Fi networks may be subject to obligations under the UK Data Protection Act 1998 (DPA). A key primary issue for determination is whether information gathered from geolocation technologies may be deemed personal data and, in particular, whether such data can be construed personally identifiable of specific individuals. If so, under what conditions.

• First, the ICO states that analytics data collected through the provision of Wi-Fi networks can be personal data if individuals can be identified from such identifiers or other information in the possession of Wi-Fi network operators. This fits with the definition of personal data under section 1(1) of the DPA as “data which relate to a living individual who can be identified— (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”. But, how does the ICO interpret identification in the geo-location context?
• The ICO goes on to refer to device-unique identification numbers, such as a Media Access Control (MAC) address or International Mobile Equipment Identity (IMEI) number. These are network addresses primarily used for tracking stolen devices, but often re-purposed as user IDs in mobile applications. The ICO states that if an individual can be identified from these, or other information in the possession of the network operator, then the data will be personal data. This doesn’t add much to the conventional analysis in this area.
• Next, however, the ICO says that identification can occur where such unique identifiers can be used to track a device with the purpose of singling out its nameless owner or treating them differently (“eg by offering specific products, services or content”).
• So what does tracking involve? According to the ICO, “Monitoring of the signal strength received by the access point can also estimate the distance of the device from the access point. If the user’s device is within range of more than one access point then the location of the device can be pinpointed more accurately. This could mean that an organisation can monitor the location of the device and track the behaviour of a particular device over time.” (my emphasis)
• Thus, the ICO deems technological capabilities to monitor a particular device’s location and behaviour capable of identifying them for the purpose of the DPA. As such, this implies that data about unique identifiers associated with a particular device, in combination with data derived from the granular mapping of a Wi-Fi access point for that device over time [how much?], may be deemed personal data under the DPA where it is in the possession of a data controller.

Now, none of this should be surprising for readers of this blog. See, e.g. Sophie’s post last year here about how the identificatory requirement – a data subject must be identifiable, if not identified, from information relating to them – aspect of the personal data definitional concept (Article 2 of the Data Protection Directive) is being increasingly interpreted as including singling out. This is something which is moreover reflected in Recital 23 of the latest text of the proposed General Data Protection Regulation (GDPR) recently agreed here. This states that “To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by any other person to identify the individual directly or indirectly” (my emphasis).

What becomes more interesting, however, is to compare the ICO’s guidance on this point with previous guidance provided by the EU Article 29 Data Protection Working Party (WP) on geo-location services, in particular, its Opinion on Geo-location services on smart mobile devices. The stated objective behind this 2011 Opinion was “to clarify the legal framework applicable to geolocation services that are available on and/or generated by smart mobile devices that can connect with the Internet and are equipped with location sensitive sensors such as GPS.”

In addressing the question of whether geo-locational data are personal data, the WP observes that both smart mobile devices and the address of a Wi-Fi access point are “inextricably linked to natural persons” giving rise, usually, to what it terms “direct and indirect identifyability” with the following examples:

• First, the WP points out that geo-location data are typically linked directly to specific persons by virtue of the registers used by telecoms operators containing a record of the names, addresses and banking details of all their customers.
• Second, the WP states that inextricable indirect links between mobile devices and their users are formed as a result of the unique numbers transmitted from each device. The strength of such links may be enriched by their subsequent association with identifying information. For example, says the WP, as device identifiers may be further processed in the context of geolocation services, this allows the location of a particular device to be calculated, especially when evidence from different geolocation infrastructures are combined. In particular, the identification of device users may be achieved upon repeated observations, placing an individual at one or more location points over time, which can gain particular significance if linked to a possible address or work place.
• Moreover, in allowing the tracking of a user from their specific device, the WP agrees (referring back to its Opinion 4/2007 on the concept of personal data) that this enables the user to be singled out and, hence identifiable, even if his/her real name is not known.

Like the ICO, therefore, the WP opines that data associated with unique device identifiers, in combination with calculated locations for such devices, can be personal data because they enable the singling out of nameless owner-individuals (assuming that identifiability of such individuals is not possible using other information in the data controller’s possession). However, unlike the ICO, the WP says this particular combination of information should always be treated as such.

To understand why this is, we should take heed of the fact that the WP provides deeper analysis than the ICO in considering the “means likely reasonably” of identification. [This is language referred to in Recital 26 of the Data Protection Directive as a factor to be taken into account when assessing personal identifiability from data. It is also a phrase mirrored in Recital 23 of the agreed version of the new GDPR text, as quoted above (in that context “means reasonably likely“)]. In its 2011 Opinion:

• The WP says that the ease with which it is possible to identify the owner of a device transmitting a unique identifier will depend on the environment. For example, the less populated the local area where the signal come from, the easier it is to determine a single residence and its likely owner with the aid of tools such as house ownership registries. A simple search engine enquiry may also help determine ownership. The WP also refers specifically here to the tendency of people to disclose the location of their houses or work places online, along with other information that can enrich the likelihood of a link being made between geo-location data, an address, and their identification.
• Even in areas of more dense population, the WP point to the availability of resources such as signal strength, which can help pinpoint the precise location of a Wi-Fi access point that can then be linked to a particular person.
• Only in very densely populated areas, in circumstances where a potential access point location cannot be isolated, the WP admits it “is not possible without unreasonable effort to ascertain precisely the individual living in the apartment where the access point is located”.

Thus, for the WP like the ICO, the reasonableness of the effort that may be expended in identifying Wi-Fi access points and their owners, is strongly influenced by the technical possibilities for the controller or any other person to pinpoint them physically and then identify them using additional (e.g. publicly-available) information. Furthermore, in contrast to the purpose-centric view favoured by the ICO (see page 14 of its earlier guidance on Determining What is Personal Data) – that where the intent of the data controller in processing data is to identify the data subject, then the data should be deemed personal for that controller – the WP rejects the relevance of purpose in these circumstances. [This position by the WP seems preferable, as it is more doctrinally coherent with Recital 26 and its emphasis upon taking into account the means to be used to identify an individual from data, not the intention driving them to seek the identification.]

Notwithstanding, the Opinion concludes, “The fact that in some cases the owner of the device currently cannot be identified without unreasonable effort, does not stand in the way of the general conclusion that the combination of a MAC address of a WiFi access point with its calculated location, should be treated as personal data”. It believes this is the only logical conclusion that can be reached due to the fact that “it is unlikely that the data controller is able to distinguish between those cases where the owner of the WiFi access point is identifiable and those that he/she is not”.

There are several main reasons why appreciating the nuances of the arguments used by the ICO and the WP are important.

1. It highlights the growing value to identification capabilities of publicly-available information that organisations can use, alongside other information, to identify people. These have correlative risks to individuals, accentuated by the new technological possibilities of producing machine-derived data analytic patterns, from which jigsaw identification may be pieced together. (For related, see my earlier post here).
2. These capabilities also belie the fact that location data is a rich seam, from which (in and of itself) many sensitive aspect of an individual’s life can be inferred, including their religion, sexuality, health status, and even political affiliations.
3. It illustrates how the data misuse harm that can be caused through the processing of data to single out its subject can easily extend outside the virtual realm into the physical world.
4. It underpins the importance of the expanded definition of personal data under the proposed GDPR (Article 4(1) specifically mentions “location data” as an example of personal data).
5. Moreover, and this is why the differences between the viewpoints of the ICO and the WP are so important, it highlights the debate about whether personal data are data from which the subject is identifiable by anyone at all, not just the data controller. In this context, the Court of Justice of the EU (CJEU) is currently hearing arguments regarding whether IP addresses are personal data touching on exactly that point of law. (In the case, the German Federal Court of Justice referred the question of whether a dynamic IP address constitutes personal data when it is logged and stored by a website operator, but only a third party (the Internet Service Provider (ISP)) possesses sufficient additional information to identify the user. By implication, this question entails wrestling with the related issue of the extent to which the legal classification of personal data depends on such additional information being accessible in practice to a website operator [in this case, the German Federal Government], taking into account its technical and legal capacity to obtain this additional information?). Will the CJEU follow its legal approach taken in the Scarlet v SABAM 2011 decision, in which it confirmed that IP addresses are personal data but did not expand on its conclusion why this is the case other than saying that “they allow those users to be precisely identified”.
6. Both guidelines place emphasis upon the combination of unique device identifiers with other information that enables singling out. This might be read as implying that a unique device address can never solo be deemed personal data where it is used to track a nameless individual. Again, this makes the exact wording of the CJEU’s anticipated judgement on the legal status of IP address – which are not typically unique to one device – even more important.

Finally, the reason why this debate is doubly important is because the collection and processing of geo-location data can be unknown to individuals and there is no way to block your mobile device from emitting unique identifiers. This brings us to the topic of consent. I will deal with this topic, and the issue of the anonymisation of location data, in the context of summarising and comparing the main conclusions of both reports in a second post shortly.

Alison Knight