Out-Law News 3 min. read

All businesses should face tight restrictions on using traffic and location data, says EU watchdog

All businesses, and not just telecoms companies, should be required to obtain device users' consent to gather and use their traffic and location data, an EU privacy watchdog has said.

The views expressed by the European Data Protection Supervisor (EDPS) put the watchdog at odds with the UK's Information Commissioner's Office (ICO) opinion on how the EU's Privacy and Electronic Communications (e-Privacy) Directive should be reformed.

In a newly published opinion (25-page / 1.08MB PDF) EDPS Giovanni Buttarelli said: "In order to better protect the confidentiality of electronic communications, the current consent requirement for traffic and location data must … be maintained and strengthened. The scope of this provision should be broadened to cover everyone and not just traditional telephone companies and internet service providers."

Location data is information that records the geographic position of electronic devices, such as smartphones. Businesses use location data to promote the proximity of their outlets to consumers in the nearby area. Location data can reveal information that is inherently sensitive, in a non-technical sense, and in many cases is classed as personal data because it can identify devices users. This means that the collection, use and disclosure of this data is subject to data protection laws.

Under the e-Privacy regime, telecoms companies, including internet service providers (ISPs), are prohibited from processing location data unless the data has either been anonymised or they have the consent of the data subjects. Even where consent is given it can only be processed "to the extent and for the duration necessary for the provision of a value added service".

The providers also face pre-processing disclosure obligations relating to location data. These include a requirement to tell customers what type of location data they plan to process and for what purposes, how long they plan to carry out the processing for and what data sharing arrangements they have with third parties. Customers have the right to withdraw their consent to the processing of location data at any time.

Similar restrictions apply in the case of traffic data, which is information that is processed when electronic communications are transmitted. It can "consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to the location of the terminal equipment of the sender or recipient, to the network on which the communication originates or terminates, to the beginning, end or duration of a connection", and "may also consist of the format in which the communication is conveyed by the network", according to the e-Privacy Directive.

At the moment only providers of a public communications network or publicly available electronic communications service are subject to the restrictions. The processing of traffic or location data by other businesses is currently governed by broader EU data protection laws, but those rules offer greater flexibility over the legal basis for processing that data. Consent for such processing is not always required.

In response to the European Commission's consultation on reforms to the e-Privacy regime, the ICO called for the provisions requiring telecoms companies to obtain consent to process location and traffic data to be deleted. It said conditions on such data processing are "covered by the GDPR". The GDPR, or General Data Protection Regulation, is the EU's new broad data protection framework which and will come into effect in May 2018.

However, in his new opinion, Buttarelli said the existing e-Privacy rules on processing traffic and location data should be maintained and extended. This is because "metadata about communications can provide a very detailed profile of an individual and processing it can be just as intrusive as processing ‘content’ of communications".

Buttarelli said: "By requiring consent for the processing of traffic and location data, the current e-Privacy Directive offers a higher level of protection than the GDPR. The GDPR, at least potentially, allows other legal grounds, such as legitimate interests or performance of a contract. A controller might try to argue, for example, that tracking users over the internet, and building detailed profiles for them would be part of their legitimate interest to market their services and products."

"In order to better protect the confidentiality of electronic communications, the EDPS recommends that the e-Privacy Directive maintains and strengthens the current consent requirement for traffic and location data. In particular, he recommends that the e-Privacy Directive be revised to include a single consent requirement for the processing of metadata. This should apply to all traffic and location data, irrespective of who collects and processes such data. In other words: the scope of this provision … should be broadened to cover everyone and not just traditional telephone companies and internet service providers," he said.

Buttarelli said a revised e-Privacy regime should set rules that apply to both traditional telecoms companies and new-age internet-based communications providers that provide "functionally equivalent services".

The new rules "should also unambiguously continue to cover machine-to-machine communications in the context of the internet of things, irrespective of the type of network or communication service used", he said.

The EDPS also said all unsolicited electronic communications should be subject to "prior consent" regardless of the medium of communication or if it is a "behavioural advertisement" or not. He said existing exceptions to the consent rules, such as where providers have existing relationships with consumers and wish to offer them similar products and services, should be "preserved" but that the new legislation clarifies those exceptions further.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.