Location matters – Geospatial information under GDPR
A lot of our everyday mobile services are enabled by location data. This is part of a wider trend in an interconnected world, where data is the key currency. But location data holds a special place within the mix of big data. More than anything it can reveal sensitive information about an individual user.
To adjust current privacy rights to the digital age, the EU is implementing the new General Data Protection Regulation (GDPR) in May 2018. It defines an extended set of data privacy rights for EU residents. With an increasing number of mobile internet users, location data will be one of the key elements the regulation is aiming at.
First things first: What is location data?
Location can be a broad term. In this case we will take a look at the data that is generated by the use of mobile apps. The Privacy and Electronic Communications Regulations (PECR), which sits alongside the Data Protection Act, offers a useful definition.
PECR defines location data as:
“any data processed in an electronic communications network or by an electronic communications service indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to—
(f) the latitude, longitude or altitude of the terminal equipment;
(g) the direction of travel of the user; or
(h) the time the location information was recorded”.
In other words, it is information collected by an app or service provider about where the user’s phone was located at a certain time.
Why does location matter?
Access to location is typically granted by accepting the terms & conditions when first installing an app. But what is the service provider doing with the data? While many apps wouldn’t work without location data, it is not always clear why the information is necessary.
For instance: Mapping applications use GPS to show a phone’s current location; Uber uses location data to connect drivers and passengers; and fitness apps track running routes and pace to help users monitor and improve their athletic performance.
But for applications that do not fundamentally rely on location data, the value for the service user is often debatable. Facebook and Instagram track location by default – even when the app is not in use. For the user this means more accurate suggestions for friends or events in their area. But the benefits for the companies prevail, since they are able to use this geo information to deliver targeted advertisements for stores or places to visit.
Persistent tracking and limited transparency about what this data is used for has raised privacy concerns among both users and regulators.
There are three main traits of location data that make it stand out:
Location can be an identifier
The major concern about the use of location data is that it might be linked back to an individual. That’s why anonymisation is key. But eliminating every way in which individuals can be identified is a technically complex task – especially when it comes to location.
It is not enough to store the information without identifiers, such as a name or an ID. Daily routines give away a person’s home address and place of work easily. If a mobile device captures these movements over time, it can be enough to identify a user with location data alone.
Location carries sensitive information
Furthermore, the analysis of an individual’s location data can reveal highly sensitive information. Sensitive Personal Data is the term commonly used in connection with GDPR to describe information that needs special protection. It includes data revealing a person’s ethnicity; political, religious or philosophical beliefs; and data concerning health or sexual orientation.
Data on places a person visits can contain information on sensitive traits. For example, frequent visits to a church, a hospital or a trade union can give away information that is not intended to be shared. The intimate nature of these personal details adds to the importance of effective anonymisation.
Location creates patterns
Patterns of accumulated geospatial information can give away crucial information – even if it is successfully anonymised. These patterns are highly valuable for organisations and companies, but they can be misused.
This dimension of location data got into the public eye in early 2018, when Strava’s global heatmap revealed the location of military bases in remote locations. The fitness app’s map visualised running trails of athletes all over the world – including soldiers – and made US bases clearly identifiable.
This case created a global controversy about the impact location data can have, about companies’ responsibility, data security protocols and the scope of user consent.
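As an added illustration of the two risks described above (a trace with its identifier removed still reveals home and workplace, and an aggregate heatmap can expose isolated activity), here is a small Python privacy check over constructed, pseudonymised location records, followed by a coarsening-and-suppression step as the mitigation. This is example code, not code from the original article or from any of the services it mentions; the device tokens, coordinates, time windows and the threshold k are all assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: pseudonymised records (device token, timestamp, lat, lon).
# There is no name or account ID, yet the daily routine alone exposes where
# each device sleeps and works.
RECORDS = [
    ("dev-a1", "2018-03-05T02:00", 51.5010, -0.1420),  # night hours: home
    ("dev-a1", "2018-03-05T10:30", 51.5140, -0.0980),  # working hours: office
    ("dev-a1", "2018-03-06T01:30", 51.5011, -0.1421),
    ("dev-a1", "2018-03-06T15:00", 51.5141, -0.0981),
    ("dev-a1", "2018-03-07T23:30", 51.5009, -0.1419),
    ("dev-b7", "2018-03-05T03:00", 51.4620, -0.1160),
    ("dev-b7", "2018-03-05T11:00", 51.5140, -0.0982),
]

def snap(lat, lon, cell=0.001):
    """Map a coordinate to integer grid indices; 0.001 degrees is roughly 100 m."""
    return (round(lat / cell), round(lon / cell))

def anchors(records, device):
    """Most visited cell at night (home) and in working hours (work) for one
    device. Having both is what turns an 'anonymous' trace into an identity."""
    night, work = Counter(), Counter()
    for dev, ts, lat, lon in records:
        if dev != device:
            continue
        hour = datetime.fromisoformat(ts).hour
        cell = snap(lat, lon)
        if hour < 6 or hour >= 22:
            night[cell] += 1
        elif 9 <= hour < 18:
            work[cell] += 1
    return {"home": night.most_common(1)[0][0] if night else None,
            "work": work.most_common(1)[0][0] if work else None}

def safe_heatmap(records, k=2, cell=0.01):
    """Aggregate onto a coarser grid (about 1 km) and publish a cell only if at
    least k distinct devices contributed, so a lone trail in an otherwise empty
    area (the Strava base problem) never appears in the released map."""
    devices = defaultdict(set)
    for dev, _, lat, lon in records:
        devices[snap(lat, lon, cell)].add(dev)
    return {c: len(d) for c, d in devices.items() if len(d) >= k}

if __name__ == "__main__":
    for dev in ("dev-a1", "dev-b7"):
        print(dev, anchors(RECORDS, dev))  # pseudonym stripped, routine remains
    print(safe_heatmap(RECORDS))           # only the shared office cell survives
```

The minimum-device threshold and the grid size are the knobs a data controller would tune before releasing any aggregate; a cell with a single contributor is a person, not a statistic.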
How will GDPR change the way location data is processed?
GDPR acknowledges location data’s unique position as identifiable information by making it part of its definition of “personal data” in Article 4 (1). Under GDPR, data subjects are granted extended rights, including a right of access and a right to erasure.
With the right to access users can obtain confirmation about whether data concerning them is being processed, where and for what purpose. The right to erasure can put an expiration date on the data already collected.
GDPR consequently describes requirements for data processing companies and organisations. Processors are required to offer explicit and transparent notification about their data practices. A “Privacy by Design” approach should ensure that data processors take the measures necessary to collect, process and store data in a secure way.
GDPR also states special rules that apply to the processors of sensitive data. This will include guidelines for data assessments and the mandatory appointment of an official data protection officer to inform and advise the organisation.
Furthermore, the regulation emphasises the importance of consent. In future it will need to be clear and affirmative, putting an end to pre-checked checkboxes when installing or using apps.
With regard to the recent discussions about the Strava map, the question arises whether giving clear consent is even possible. Given its immense potential, it is difficult to foresee the many ways location data could be used and misused in the future. If its implications are unclear to both users and companies, how can anyone give effective consent?
This problem highlights the need for research and education about privacy rights as well as data science. Organisations can use GDPR as a guideline to evaluate their data practices and to ensure their external communication gives users all the information they need to provide consent.
Conclusion: Understanding location matters
If there is one thing to take away from the examples above, it’s that personal location data is extremely valuable. GDPR will increase the pressure on organisations that process data (that’s most of them), improve security standards and create transparent communication about how and why data is used.
Greater understanding and transparency about different types of data and the consequences of its use is something both companies and users will benefit from in the long term.