An extensive range of today’s applications on all sorts of devices are based on geographical information and therefore geolocation data. Think of map apps or popular dating apps, social networks and messenger apps containing whereabout and geotagging functionalities. Geographical information is regularly collected from all of us, playing an important role in our daily lives. It is therefore critical to clarify the legal framework applicable to hardware, software, applications and services equipped with or based on data generated by location-sensitive sensors.This article describes the data protection perspective, particularly considering the European General Data Protection Regulation (GDPR) and experiences gained in the year since its entry into effect. Many of the devices and applications generating or using geographical information are intimately linked to a specific individual. Most people keep their smartphone and similar devices very close to themselves, from the breakfast table to their pocket or handbag, to the workplace, to the bedside table. Cars, e-bikes, or scooters accompany people on their daily commute and during business or recreational travel.

Geolocation makes it possible to obtain all types of information in real time and locate the user with pinpoint accuracy at any given point in time, from any device connected to the Internet. This allows manufacturers of devices and providers of geolocation-based services to gain a very intimate and accurate overview of user habits and patterns. They can build extensive profiles, and even to link such profile information to all kinds of other information. Such profiles may also include highly sensitive categories of data, such as information about visits to specialized physicians or hospitals, religious or cultural places, or political demonstrations. Profiles can easily be used to prepare and make decisions that significantly affect the individual in an unprecedented form and manner.

Such constant and extensive monitoring, analytics, use and dissemination of location data generates unpredictable risks, not only for individuals concerned, but to an equal extent for service providers facing potential attacks and data breaches, and in the sequence of events, possible sensitive punitive measures by supervisory authorities. Such risks increase exponentially due to rapid technical progress and largely unhindered commercial exploitation. Particular attention must be paid to risks connected with monitoring carried out secretly, without properly informing the individual concerned. Many users ignore or “forget” that location data processing or even location services are switched on or are performing as “background applications.” To ensure a legal framework to mitigate such risks and define ways for companies to use such data, the GDPR established a framework for processing personal data, including geolocation data.

GDPR Impact on Geolocation Information

The GDPR Regulation (EU) 2016/679 became applicable throughout the entire European Union on May 26, 2018. It has a major impact on data protection discussions worldwide. Originally conceived as an instrument for further harmonizing the different data protection standards of EU member states, the GDPR has such a broad scope of application that its influence extends far beyond EU borders. It may be applicable for companies in third countries, even if such companies do not have any establishment within the EU.

General Principles of the GDPR

The GDPR sets the legal framework for businesses located within the EU processing personal data, ensuring a high level of data protection. The GDPR’s basic principles stipulate that the processing of personal data must be lawful, fair and transparent, carried out with a strict purpose limitation, based on the principle of data minimization, and always ensuring appropriate security (Art. 5 (1)).

Foremost, the rights of individuals (called data subject — an identified or identifiable natural person whose personal data are processed) have been harmonized, renewed and extended. The right of access to one’s own personal data (Art. 15) does not only include the right to information on such data, but also the right to request an electronic copy. The right to deletion enforces the corresponding controller’s obligation to minimize data processing, once the purposes for processing are accomplished. The data subject also has a right to object to the processing of the data, which is to be complied with without limitations for direct marketing purposes (Art. 21).

To observe the data subject’s rights and provide a proper protection of personal data, suitable technical and organizational measures, not only on IT security, are to be adopted. Such measures must be updated regularly according to the current state of the art in IT technology.

Tackling the risks, mentioned earlier, of unintentional or even secret data collection, the principle of privacy by design and default was prioritized (Art. 25). This requires proof by the controller that no more personal data than necessary for each specific purpose are processed, and that personal data is not made accessible by default if not required. This is particularly relevant for geolocation data, which should only be collected when specifically required for the purposes requested by the data subjects.

The conditions for violations of the GDPR have been considerably strengthened, with fines up to 20 million EUR (approximately $22.21 million), or in the case of a company group, up to 4% of the total worldwide annual turnover of the preceding financial year (Art. 83 (3)). However, it should be noted that such high fines will only be imposed in cases of severe GDPR breaches.

Personal Data, GDPR Applicability Defined

The GDPR’s definition of personal data includes all information relating to an identified or identifiable living natural person. Personal data within the scope of the GDPR therefore includes device IDs, location data, browser types, IP addresses, etc.

While (online) identifiers (e.g. user ID, IP address, etc.) are not considered personal identifiable information, since they alone cannot be used to identify a person, the GDPR considers it sufficient that any entity may identify a person, irrespective of the fact that a link between the “de-identified” information and the identifying information may only be created in the most aggravated circumstances. Therefore, even if the controller itself does not own or does not have access to the identifying information, the data can still be considered personal data if any other entity may identify the person based on the information held. As an example, telecommunications companies and website operators can establish a clear link to the customer via the IP address of a person and therefore may establish a connection between IP address and username. Therefore, the IP address and other similar identifiers constitute personal data, according to the GDPR.

If data is pseudonymized–all identifiable characteristics are replaced by identifiers–such data can still fall under the term personal data as used in the GDPR, if such data can be used for the renewed identification of persons.

Anonymized data are neither personal identifiable information nor personal data. Such data must however be processed in a way so that they cannot be traced back to a natural person. This may for example be the case for financial data, statistical data for data used for research purposes.

Territorial Scope of the GDPR

The scope of the GDPR can also affect companies located outside the EU, including in the U.S. Companies fall into the territorial scope of the GDPR if personal data are processed either by “an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (Art. 3 (1)). Therefore, the GDPR is applicable if a foreign company has a branch in Europe which processes personal data. Even renting of office space or having an individual representative within the EU can constitute an “establishment.”

Even companies with no establishment in the EU may fall under the GDPR’s territorial scope, as all companies that offer goods or services in the EU or observe the behavior of EU citizens are subject to the GDPR (Art. 3 (2)). The definitions of goods and services are not to be interpreted restrictively: it is enough to obviously intend to offer services in one (or more) EU member states.

While the mere accessibility of a website in the EU is not enough, price labeling in local currency (e.g. EUR) or websites in local language (e.g. French or German) may indicate the intended provision of goods and services in the EU. Lastly but very importantly, any activity linked with behavioral monitoring of EU data subjects opens the GDPR’s applicability.

Thus, the GDPR applies in many cases where a company, due to its location, would not generally assume its applicability. As a direct consequence, the processing activities falling under the territorial scope of the GDPR have to comply with the GDPR and the respective entity has to designate in writing a representative in the EU (Art. 27 (1)).

Lawfulness of Processing Personal Data

The processing of personal data is only lawful if occurring on an explicit legal basis. Otherwise, such data processing is prohibited. A legal basis can either derive from the data subject’s free consent or from an explicit statutory permission.

In practice, the most relevant legal basis for the processing of personal data derives from the controller´s legitimate interests (Art. 6 (1) sentence 1 lit. f). The question as to the existence of legitimate interests must be answered by a balancing of interests: the legitimate interest of the controller on the one hand and the opposing interests of the data subject on the other. In principle, the definition of a legitimate interest covers any legal, factual or economic interest. This is the case, for example, where “there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller” (Recital 47).

Further, a contractual relationship between the controller and the data subject (not: the data subject’s employer) constitutes a legal basis for all data processing which is necessary for the performance of such contractual relationship (Art. 6 (1) sentence 1 lit. b GDPR). The concept of “necessity” may not be interpreted too strictly; processing is already necessary for the performance of the contract if no less incisive, economically equally efficient means are available.

Furthermore, the controller can only rely on the consent given by the data subject. If, for example, the provider of a navigation software compiles profiles on the movement of its customers for personalized marketing activities, such processing will generally require consent. A consent to data processing must be given freely, unequivocally and with full knowledge of all background information about the data processing of the data subject´s personal data. Thus, full disclosure of the processing activities is key for obtaining valid consent.

Since the legal basis (or rather the purposes of processing) cannot be exchanged at one’s own discretion, it is important to identify and lay down the explicit purpose and the respective legal basis for every processing activity upfront. The processing activities must then be designed in such a way that they comply with the conditions set out in the respective provisions of the GDPR. The processing of geolocation data will require the consent of the data subject in most cases. When basing such processing on legitimate interests, a clear information to the data subject, with proof that it was given, will be required.

Data Protection Impact Assessment

To avoid uncontrollable risks for the data subject’s vital interests and rights, manufacturers and service providers must ensure compliance with the GDPR. Alongside the controller’s obligations to implement technical and organizational measures to assure such compliance, the GDPR establishes dedicated compliance instruments. Namely, controllers can be obliged to perform a data protection impact assessment (DPIA) prior to the start of data processing (Art. 35). The DPIA evaluates the risks arising from the planned processing activities. Such assessment obligation is new and did not exist before the GDPR.

The controller’s obligation to perform the assessment applies “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons” and is understood to be required “in case of systematic and extensive evaluation of personal aspects which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person” or when “processing on a large scale of special categories of data” is carried out.

Data protection impact assessments may have significant impact on the processing activities and should therefore be conducted carefully with involvement of all relevant internal stakeholders (e.g. management, commercial, data protection officer, IT) and external expertise.

Conclusion

Geolocation devices, applications and services are pervasive in an “always connected” world. They have introduced innumerable innovative, profitable and functional services and applications. With location technology, a user’s experience can be uniquely personalized, and user data can be evaluated and processed in a way that was not imaginable a few years ago. This appeals to all types of companies in the digital economy, as well as law enforcement, other public agencies and, unfortunately, criminals.

Compliance with the GDPR is mandatory for all companies falling under its scope, but such compliance can also provide key competitive advantages to other companies. Many countries are preparing for adjustments of the national law according to the European standards, while customers and business partners are increasingly being sensitized to the issue of data protection.

Manufacturers of devices producing geolocation data and services providers processing or using such geolocation data should retain the following:

• Companies basically fall into the territorial scope of the GDPR if:

• their headquarters is located within the EU,

• they have a branch which processes personal data in the EU,

• they offer their goods or services in the EU or

• monitoring of a data subject takes place within the EU.

• The GDPR has a broad definition of personal data. Personal data include all information relating to an identified and even identifiable and living person.

• Once the GDPR is applicable, all its requirements must be met.

• The GDPR’s key requirements regarding geolocation data include:

• Assignment of a data protection officer and, in the case of a company not located in the EU, the designation of a representative in the EU;

• Observance of data subject´s rights (such as Information and data deletion);

• IT Security measures;

• Appropriate safeguards concerning data protection in contracts with service providers;

• implementing and updating a record of data processing activities;

• being able to proof data privacy by design and default;

• performance of data protection impact assessments (if applicable).

The main questions in order to assess on one’s own data protection compliance regarding geolocation data are:

• Are data processed within the EU or do processing activities affect EU citizen data?

• What location data are collected and how are they used?

• Are profiles obtained or derived out of data sets?

• What are the purposes of specific data processing activities?

• What is the legal basis for such data processing?

• Are special categories of personal data (Art. 9 (1)) processed?

• Are appropriate safeguards and technical and organizational measures in place?

• Which information obligations are to be met and how?

• Is there an obligation to perform a data protection impact assessment regarding certain processing activities of geolocation data?

Compliance with the GDPR, if it applies to a company´s activities, is a legal obligation, and non-compliance can lead to severe consequences. Even if compliance with the GDPR is not “legal witchcraft,” it requires awareness and legal expertise in the company. External expertise may be useful to get the process started. 

Additional Resources

(1) Text of the GDPR in the current version (all languages): https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32016R0679

(2) GDPR guidelines, recommendations and best practices, issued by the European data protection board (edpb): https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en

(3) First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities, issued by the edpb: http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf

(4) Opinion 13/2011 on Geolocation services on smart mobile devices, issued by the former Article 29 Data Protection Working Party of 16 May 2011: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp185_en.pdf

Authors

Dr. Philip Lüghausen is partner at BHO Legal since January 2019. His practice primarily focuses on data and data protection law with a special focus on scientific and commercial R&D, IT law, E-comm

Dr. Matthias Lachenmann is partner at BHO Legal since April 2019. He specializes in Technology and Data Protection Law, with a focus on international corporate data protection, employee data protection and industry 4.0. His main clients come from the digital economy, manufacturing and fashion industries.erce law, competition law and intellectual and industrial property law. His client base includes several multinational corporations.