13 July 2017
The Inspector General for Personal Data Protection (‘GIODO’) announced, on 5 July 2017, that it had presented a report on geolocation (‘the Report’) to the Digitalisation, Innovation and New Technologies Committee (‘the Committee’). The Report highlights the current uses of location data and the associated risks for privacy, as well as outlines the applicable legislative provisions for its lawful processing, including under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Key points analysed by the Report include consent and other lawful grounds for processing.
Marcin Lewoszewski, privacy lawyer at CMS Cameron McKenna Greszta i Sawicki sp.k. and Co-chair of the IAPP KnowledgeNet Chapter Poland, told DataGuidance, “Based on the Report, it seems that GIODO is quite lenient when it comes to processing of location data. Although we may get the impression that GIODO insists on obtaining consent that would justify the processing of such data, other legal bases are also [permitted], including the need to execute an agreement with a data subject. However, this should be analysed on a case-by-case basis, particularly when sensitive data is processed by the data controller.”
GIODO made the point that, in the event location data is processed and consent is used as a legal ground for the processing, the consenting individual must be fully aware of the implications; therefore, where the data subject is unaware of the technical ability of a device to transmit data to a third party or of the default operating system settings allowing location data to be forwarded, it will be deemed that voluntary consent has not been given.
Although the Report does not focus on legislative changes, GIODO confirms that changes are required in order to meet GDPR standards
Lewoszewski added, “Under the current Polish legal framework, processing location data is considered by most privacy practitioners as processing personal data, assuming that such data can lead to an identifiable individual. As a result, all the requirements placed on a data controller arising from data protection legislation apply. This will naturally change with the GDPR in a way that will strengthen [the rights of] data subjects. First of all, the GDPR clearly considers location data to be personal data, so it will be difficult for any data controller to argue otherwise in the event of a dispute. Further, location data will have to be processed in compliance with new data subject rights (e.g. in relation to data portability or profiling) and, as such, will require more diligence.”
The Report illustrates a plethora of uses for geolocation data by a number of services, including by GPS vehicle tracking services, smartphone device operating systems and apps, but also by features available through web browsers such as geotagging and Wi-Fi hotspot technologies. It describes the primary and secondary sources of location data, as well as the methods used for its collection, and expands on current applications in multiple sectors.
“According to the Report, GIODO has registered a number of databases where location data is processed by data controllers,” commented Lewoszewski. “This may lead to the conclusion that GIODO accepts changes in technology and the digital world and the influence of such changes on citizens. [That] is always good for business. Although the Report does not focus on legislative changes, GIODO confirms that changes are required in order to meet GDPR standards. Therefore, the possibility that telecommunications law will be amended to some extent may not be excluded, as well as other acts where principles of protection and disclosure of location data to enforcement bodies is regulated.”
Cristina Ulessi | Privacy Analyst