This is not the European Commission telling operators what to do – it is just an opinion on compliance from the EU's Article 29 Working Party on Data Protection. Such opinions are not binding; but they are influential and the latest opinion will be of interest to anyone operating in the market for location data services.
All location data relates back to an identifiable person – the person driving the car or the owner of the mobile phone. So the Working Party, which is an independent EU advisory body, is anxious to ensure that the data processing is lawful. The focus of its 11-page opinion is on commercial uses of data rather than the retention and use of location data for national security or law enforcement purposes.
The current rules are set out in the Data Protection Directive of 1995 and the Directive on Privacy and Electronic Communications of 2002. These provide, generally, that location data can only be processed if the user or subscriber of a service that relies on processing the data has consented to the processing.
In its opinion, the Working Party does not consider issues raised by the use of location data for national security or law enforcement purposes, but instead highlights how it believes some of the provisions of the Directives should be applied. In particular it considers:
Some services help parents to locate their children by tracking a child's phone. The Working Party took the view that such uses of location data may affect the mutual trust between a parent and child, it may falsely reassure parents that they know what their children are doing, and it may acclimatise children to constant monitoring. But the Working Party is not lobbying for a ban; rather, it calls for vigilance in this type of use, and raised the question of whether a child can truly consent to the use of the data.
Similarly, services that locate employees raises questions about the boundary between private and working life. How much monitoring is it acceptable to subject employees to? The Working Party stresses that consent must be freely given, and the processing must relate to a specific need on the part of the company. The data should be kept for no longer than two months, unless it is rendered anonymous.
The Opinion was published on 25th November 2005 but only became available online in late-December.