Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design

GNSS NEWS

September 18, 2019

GNSS & The Law: Collecting and Processing Geolocation Data

Collecting and Processing Geolocation Data

LAW-icon

UNDER THE EUROPEAN GENERAL DATA PROTECTION REGULATION

Dr. Philip Lüghausen and Dr. Matthias Lachenmann, BHO Legal Germany

Geographical information plays a permanently increasing role in our society. More and more devices and applications use and process geographical information to serve all kinds of purposes. Smartphones, cars, e-bikes, scooters or foot shackles for law enforcement purposes collect and process geographical information on a permanent basis. Here, we take a close look at privacy issues and the data protection perspective, namely considering the European GDPR and experiences gained one year after its entry into effect.

An extensive range of today’s applications on all sorts of devices are based on geographical information and therefore geolocation data. Think of map apps or popular dating apps, social networks and messenger apps containing whereabout and geotagging functionalities. Geographical information is regularly collected from all of us, playing an important role in our daily lives. It is therefore critical to clarify the legal framework applicable to hardware, software, applications and services equipped with or based on data generated by location-sensitive sensors.This article describes the data protection perspective, particularly considering the European General Data Protection Regulation (GDPR) and experiences gained in the year since its entry into effect. Many of the devices and applications generating or using geographical information are intimately linked to a specific individual. Most people keep their smartphone and similar devices very close to themselves, from the breakfast table to their pocket or handbag, to the workplace, to the bedside table. Cars, e-bikes, or scooters accompany people on their daily commute and during business or recreational travel.

 

Dr._Ingo_Baumann
Ingo Baumann is the column editor for GNSS & the Law, and co-founder and partner of BHO Legal in Cologne, Germany, a boutique law firm for European high-technology projects mainly in the space sector. He studied law at the Universities of Muenster and Cologne. His doctoral thesis, written at the Institute for Air and Space Law in Cologne, examined international and European law on satellite communications. He worked for the German Aerospace Centre (DLR), including as head of the DLR Galileo Project Office and CEO of the DLR operating company for the German Galileo Control Center.

Geolocation makes it possible to obtain all types of information in real time and locate the user with pinpoint accuracy at any given point in time, from any device connected to the Internet. This allows manufacturers of devices and providers of geolocation-based services to gain a very intimate and accurate overview of user habits and patterns. They can build extensive profiles, and even to link such profile information to all kinds of other information. Such profiles may also include highly sensitive categories of data, such as information about visits to specialized physicians or hospitals, religious or cultural places, or political demonstrations. Profiles can easily be used to prepare and make decisions that significantly affect the individual in an unprecedented form and manner.

Such constant and extensive monitoring, analytics, use and dissemination of location data generates unpredictable risks, not only for individuals concerned, but to an equal extent for service providers facing potential attacks and data breaches, and in the sequence of events, possible sensitive punitive measures by supervisory authorities. Such risks increase exponentially due to rapid technical progress and largely unhindered commercial exploitation. Particular attention must be paid to risks connected with monitoring carried out secretly, without properly informing the individual concerned. Many users ignore or “forget” that location data processing or even location services are switched on or are performing as “background applications.” To ensure a legal framework to mitigate such risks and define ways for companies to use such data, the GDPR established a framework for processing personal data, including geolocation data.

GDPR Impact on Geolocation Information

The GDPR Regulation (EU) 2016/679 became applicable throughout the entire European Union on May 26, 2018. It has a major impact on data protection discussions worldwide. Originally conceived as an instrument for further harmonizing the different data protection standards of EU member states, the GDPR has such a broad scope of application that its influence extends far beyond EU borders. It may be applicable for companies in third countries, even if such companies do not have any establishment within the EU.

General Principles of the GDPR

The GDPR sets the legal framework for businesses located within the EU processing personal data, ensuring a high level of data protection. The GDPR’s basic principles stipulate that the processing of personal data must be lawful, fair and transparent, carried out with a strict purpose limitation, based on the principle of data minimization, and always ensuring appropriate security (Art. 5 (1)).

Foremost, the rights of individuals (called data subject — an identified or identifiable natural person whose personal data are processed) have been harmonized, renewed and extended. The right of access to one’s own personal data (Art. 15) does not only include the right to information on such data, but also the right to request an electronic copy. The right to deletion enforces the corresponding controller’s obligation to minimize data processing, once the purposes for processing are accomplished. The data subject also has a right to object to the processing of the data, which is to be complied with without limitations for direct marketing purposes (Art. 21).

To observe the data subject’s rights and provide a proper protection of personal data, suitable technical and organizational measures, not only on IT security, are to be adopted. Such measures must be updated regularly according to the current state of the art in IT technology.

Tackling the risks, mentioned earlier, of unintentional or even secret data collection, the principle of privacy by design and default was prioritized (Art. 25). This requires proof by the controller that no more personal data than necessary for each specific purpose are processed, and that personal data is not made accessible by default if not required. This is particularly relevant for geolocation data, which should only be collected when specifically required for the purposes requested by the data subjects.

The conditions for violations of the GDPR have been considerably strengthened, with fines up to 20 million EUR (approximately $22.21 million), or in the case of a company group, up to 4% of the total worldwide annual turnover of the preceding financial year (Art. 83 (3)). However, it should be noted that such high fines will only be imposed in cases of severe GDPR breaches.

Personal Data, GDPR Applicability Defined

The GDPR’s definition of personal data includes all information relating to an identified or identifiable living natural person. Personal data within the scope of the GDPR therefore includes device IDs, location data, browser types, IP addresses, etc.

While (online) identifiers (e.g. user ID, IP address, etc.) are not considered personal identifiable information, since they alone cannot be used to identify a person, the GDPR considers it sufficient that any entity may identify a person, irrespective of the fact that a link between the “de-identified” information and the identifying information may only be created in the most aggravated circumstances. Therefore, even if the controller itself does not own or does not have access to the identifying information, the data can still be considered personal data if any other entity may identify the person based on the information held. As an example, telecommunications companies and website operators can establish a clear link to the customer via the IP address of a person and therefore may establish a connection between IP address and username. Therefore, the IP address and other similar identifiers constitute personal data, according to the GDPR.

If data is pseudonymized–all identifiable characteristics are replaced by identifiers–such data can still fall under the term personal data as used in the GDPR, if such data can be used for the renewed identification of persons.

Anonymized data are neither personal identifiable information nor personal data. Such data must however be processed in a way so that they cannot be traced back to a natural person. This may for example be the case for financial data, statistical data for data used for research purposes.

Territorial Scope of the GDPR

The scope of the GDPR can also affect companies located outside the EU, including in the U.S. Companies fall into the territorial scope of the GDPR if personal data are processed either by “an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (Art. 3 (1)). Therefore, the GDPR is applicable if a foreign company has a branch in Europe which processes personal data. Even renting of office space or having an individual representative within the EU can constitute an “establishment.”

Even companies with no establishment in the EU may fall under the GDPR’s territorial scope, as all companies that offer goods or services in the EU or observe the behavior of EU citizens are subject to the GDPR (Art. 3 (2)). The definitions of goods and services are not to be interpreted restrictively: it is enough to obviously intend to offer services in one (or more) EU member states.

While the mere accessibility of a website in the EU is not enough, price labeling in local currency (e.g. EUR) or websites in local language (e.g. French or German) may indicate the intended provision of goods and services in the EU. Lastly but very importantly, any activity linked with behavioral monitoring of EU data subjects opens the GDPR’s applicability.

Thus, the GDPR applies in many cases where a company, due to its location, would not generally assume its applicability. As a direct consequence, the processing activities falling under the territorial scope of the GDPR have to comply with the GDPR and the respective entity has to designate in writing a representative in the EU (Art. 27 (1)).

Lawfulness of Processing Personal Data

The processing of personal data is only lawful if occurring on an explicit legal basis. Otherwise, such data processing is prohibited. A legal basis can either derive from the data subject’s free consent or from an explicit statutory permission.

In practice, the most relevant legal basis for the processing of personal data derives from the controller´s legitimate interests (Art. 6 (1) sentence 1 lit. f). The question as to the existence of legitimate interests must be answered by a balancing of interests: the legitimate interest of the controller on the one hand and the opposing interests of the data subject on the other. In principle, the definition of a legitimate interest covers any legal, factual or economic interest. This is the case, for example, where “there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller” (Recital 47).

Further, a contractual relationship between the controller and the data subject (not: the data subject’s employer) constitutes a legal basis for all data processing which is necessary for the performance of such contractual relationship (Art. 6 (1) sentence 1 lit. b GDPR). The concept of “necessity” may not be interpreted too strictly; processing is already necessary for the performance of the contract if no less incisive, economically equally efficient means are available.

Furthermore, the controller can only rely on the consent given by the data subject. If, for example, the provider of a navigation software compiles profiles on the movement of its customers for personalized marketing activities, such processing will generally require consent. A consent to data processing must be given freely, unequivocally and with full knowledge of all background information about the data processing of the data subject´s personal data. Thus, full disclosure of the processing activities is key for obtaining valid consent.

Since the legal basis (or rather the purposes of processing) cannot be exchanged at one’s own discretion, it is important to identify and lay down the explicit purpose and the respective legal basis for every processing activity upfront. The processing activities must then be designed in such a way that they comply with the conditions set out in the respective provisions of the GDPR. The processing of geolocation data will require the consent of the data subject in most cases. When basing such processing on legitimate interests, a clear information to the data subject, with proof that it was given, will be required.

Data Protection Impact Assessment

To avoid uncontrollable risks for the data subject’s vital interests and rights, manufacturers and service providers must ensure compliance with the GDPR. Alongside the controller’s obligations to implement technical and organizational measures to assure such compliance, the GDPR establishes dedicated compliance instruments. Namely, controllers can be obliged to perform a data protection impact assessment (DPIA) prior to the start of data processing (Art. 35). The DPIA evaluates the risks arising from the planned processing activities. Such assessment obligation is new and did not exist before the GDPR.

The controller’s obligation to perform the assessment applies “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons” and is understood to be required “in case of systematic and extensive evaluation of personal aspects which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person” or when “processing on a large scale of special categories of data” is carried out.

Data protection impact assessments may have significant impact on the processing activities and should therefore be conducted carefully with involvement of all relevant internal stakeholders (e.g. management, commercial, data protection officer, IT) and external expertise.

Conclusion

Geolocation devices, applications and services are pervasive in an “always connected” world. They have introduced innumerable innovative, profitable and functional services and applications. With location technology, a user’s experience can be uniquely personalized, and user data can be evaluated and processed in a way that was not imaginable a few years ago. This appeals to all types of companies in the digital economy, as well as law enforcement, other public agencies and, unfortunately, criminals.

Compliance with the GDPR is mandatory for all companies falling under its scope, but such compliance can also provide key competitive advantages to other companies. Many countries are preparing for adjustments of the national law according to the European standards, while customers and business partners are increasingly being sensitized to the issue of data protection.

Manufacturers of devices producing geolocation data and services providers processing or using such geolocation data should retain the following:

• Companies basically fall into the territorial scope of the GDPR if:

• their headquarters is located within the EU,

• they have a branch which processes personal data in the EU,

• they offer their goods or services in the EU or

• monitoring of a data subject takes place within the EU.

• The GDPR has a broad definition of personal data. Personal data include all information relating to an identified and even identifiable and living person.

• Once the GDPR is applicable, all its requirements must be met.

• The GDPR’s key requirements regarding geolocation data include:

• Assignment of a data protection officer and, in the case of a company not located in the EU, the designation of a representative in the EU;

• Observance of data subject´s rights (such as Information and data deletion);

• IT Security measures;

• Appropriate safeguards concerning data protection in contracts with service providers;

• implementing and updating a record of data processing activities;

• being able to proof data privacy by design and default;

• performance of data protection impact assessments (if applicable).

The main questions in order to assess on one’s own data protection compliance regarding geolocation data are:

• Are data processed within the EU or do processing activities affect EU citizen data?

• What location data are collected and how are they used?

• Are profiles obtained or derived out of data sets?

• What are the purposes of specific data processing activities?

• What is the legal basis for such data processing?

• Are special categories of personal data (Art. 9 (1)) processed?

• Are appropriate safeguards and technical and organizational measures in place?

• Which information obligations are to be met and how?

• Is there an obligation to perform a data protection impact assessment regarding certain processing activities of geolocation data?

Compliance with the GDPR, if it applies to a company´s activities, is a legal obligation, and non-compliance can lead to severe consequences. Even if compliance with the GDPR is not “legal witchcraft,” it requires awareness and legal expertise in the company. External expertise may be useful to get the process started. 

Additional Resources

(1) Text of the GDPR in the current version (all languages): https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32016R0679

(2) GDPR guidelines, recommendations and best practices, issued by the European data protection board (edpb): https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en

(3) First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities, issued by the edpb: http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf

(4) Opinion 13/2011 on Geolocation services on smart mobile devices, issued by the former Article 29 Data Protection Working Party of 16 May 2011: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp185_en.pdf

Authors

Philip_Lüghausen_bw

Dr. Philip Lüghausen is partner at BHO Legal since January 2019. His practice primarily focuses on data and data protection law with a special focus on scientific and commercial R&D, IT law, E-comm

 

Matthias_Lachenmann_bw

Dr. Matthias Lachenmann is partner at BHO Legal since April 2019. He specializes in Technology and Data Protection Law, with a focus on international corporate data protection, employee data protection and industry 4.0. His main clients come from the digital economy, manufacturing and fashion industries.erce law, competition law and intellectual and industrial property law. His client base includes several multinational corporations.

By Ingo Baumann
September 18, 2019

NovAtel Now a Positioning Intelligence Supplier to CNH Industrial

Calgary, Alberta – Novatel Inc., a global OEM provider of high-precision GNSS positioning technology, today announced that it will supply its positioning intelligence technologies to CNH Industrial N.V. This introduces NovAtel’s agriculture-focused GNSS receivers and Correction Services to the CNH Industrial global agricultural brands Case IH and New Holland Agriculture, together with European brand STEYR.

Read More >

By Inside GNSS
September 16, 2019

GPS Innovation Alliance Adding Four New National Affiliates

WASHINGTON – Today, the GPS Innovation Alliance (GPSIA) announced the addition of four national organizations representing a variety of sectors: The American Council of the Blind (ACB), the U.S. Geospatial Executives Organization (U.S. GEO), NENA: The 9-1-1 Association, and the Subsurface Utility Engineering (SUE) Association.

Read More >

By Inside GNSS
September 10, 2019

25 years of INTERGEO: an Evolutionary Success

When the very first visitors to INTERGEO passed through the turnstiles in Dortmund’s Westfalenhallen exhibition centre on the dot of 9 a.m. on August 23, 1995, even the most wildly optimistic observers could hardly have imagined the trajectory this fledgling event was embarking upon. Although the geodesists conference was a firm fixture in this specialist field, the trade fair—until then billed as the “accompanying exhibition”—with its 185 exhibitors was really quite modest, despite having grown considerably, compared to the event held in Mainz in 1994.

Read More >

By Inside GNSS
September 10, 2019

GMV Spearheading GNSS Positioning Technology for Autonomous Vehicles

GMV has been chosen for development of advanced safe and precise positioning technology for a new generation of autonomous vehicles. Last week the Madrid, Spain-based company announced the award of an important contract for development of a precise satellite-based (GNSS) positioning system with integrity for the new generation of autonomous vehicles of the German carmaker BMW Group.

Read More >

By Inside GNSS
September 9, 2019

BeiDou Constellation Has 39 Satellites, Completion Planned for 2020

The Chinese are closing in on the completion of the BeiDou constellation with 39 satellites now on-orbit and more launches planned, an official told a conference on aerospace technology innovation.

Yang Jun, deputy director of China’s Satellite Navigation System Management Office, told attendees at the Shanghai event that the plan is to loft five to seven more satellites into place this year and another two to four in 2020, according to the Xinhua news agency.

Read More >

By Inside GNSS
MORE NEWS

INDUSTRY VIEW

More Industry News
September 18, 2019

Trimble Pivot Platform and Alloy GNSS Reference Receiver Now Support BeiDou Generation III Signals

Read More >

New Compact MEMS IMUs from Honeywell

Read More >
September 17, 2019

Hemisphere GNSS Debuts All-New OEM Boards and Next-Gen ASIC Technology

Read More >

GNSS TIMELINE

More Timelines
September 15, 2019

INTERGEO 2019 Held Sept. 17-19 in Stuttgart

Read More >
September 13, 2019

Spirent To Unveil Enhanced Flagship Simulator at ION GNSS+ 2019

Read More >
September 10, 2019

25 years of INTERGEO: an Evolutionary Success

Read More >

COLUMNS & EDITORIALS

September 18, 2019

GNSS & The Law: Collecting and Processing Geolocation Data

Collecting and Processing Geolocation Data

LAW-icon

UNDER THE EUROPEAN GENERAL DATA PROTECTION REGULATION

Dr. Philip Lüghausen and Dr. Matthias Lachenmann, BHO Legal Germany

Geographical information plays a permanently increasing role in our society. More and more devices and applications use and process geographical information to serve all kinds of purposes. Smartphones, cars, e-bikes, scooters or foot shackles for law enforcement purposes collect and process geographical information on a permanent basis. Here, we take a close look at privacy issues and the data protection perspective, namely considering the European GDPR and experiences gained one year after its entry into effect.

An extensive range of today’s applications on all sorts of devices are based on geographical information and therefore geolocation data. Think of map apps or popular dating apps, social networks and messenger apps containing whereabout and geotagging functionalities. Geographical information is regularly collected from all of us, playing an important role in our daily lives. It is therefore critical to clarify the legal framework applicable to hardware, software, applications and services equipped with or based on data generated by location-sensitive sensors.This article describes the data protection perspective, particularly considering the European General Data Protection Regulation (GDPR) and experiences gained in the year since its entry into effect. Many of the devices and applications generating or using geographical information are intimately linked to a specific individual. Most people keep their smartphone and similar devices very close to themselves, from the breakfast table to their pocket or handbag, to the workplace, to the bedside table. Cars, e-bikes, or scooters accompany people on their daily commute and during business or recreational travel.

 

Dr._Ingo_Baumann
Ingo Baumann is the column editor for GNSS & the Law, and co-founder and partner of BHO Legal in Cologne, Germany, a boutique law firm for European high-technology projects mainly in the space sector. He studied law at the Universities of Muenster and Cologne. His doctoral thesis, written at the Institute for Air and Space Law in Cologne, examined international and European law on satellite communications. He worked for the German Aerospace Centre (DLR), including as head of the DLR Galileo Project Office and CEO of the DLR operating company for the German Galileo Control Center.

Geolocation makes it possible to obtain all types of information in real time and locate the user with pinpoint accuracy at any given point in time, from any device connected to the Internet. This allows manufacturers of devices and providers of geolocation-based services to gain a very intimate and accurate overview of user habits and patterns. They can build extensive profiles, and even to link such profile information to all kinds of other information. Such profiles may also include highly sensitive categories of data, such as information about visits to specialized physicians or hospitals, religious or cultural places, or political demonstrations. Profiles can easily be used to prepare and make decisions that significantly affect the individual in an unprecedented form and manner.

Such constant and extensive monitoring, analytics, use and dissemination of location data generates unpredictable risks, not only for individuals concerned, but to an equal extent for service providers facing potential attacks and data breaches, and in the sequence of events, possible sensitive punitive measures by supervisory authorities. Such risks increase exponentially due to rapid technical progress and largely unhindered commercial exploitation. Particular attention must be paid to risks connected with monitoring carried out secretly, without properly informing the individual concerned. Many users ignore or “forget” that location data processing or even location services are switched on or are performing as “background applications.” To ensure a legal framework to mitigate such risks and define ways for companies to use such data, the GDPR established a framework for processing personal data, including geolocation data.

GDPR Impact on Geolocation Information

The GDPR Regulation (EU) 2016/679 became applicable throughout the entire European Union on May 26, 2018. It has a major impact on data protection discussions worldwide. Originally conceived as an instrument for further harmonizing the different data protection standards of EU member states, the GDPR has such a broad scope of application that its influence extends far beyond EU borders. It may be applicable for companies in third countries, even if such companies do not have any establishment within the EU.

General Principles of the GDPR

The GDPR sets the legal framework for businesses located within the EU processing personal data, ensuring a high level of data protection. The GDPR’s basic principles stipulate that the processing of personal data must be lawful, fair and transparent, carried out with a strict purpose limitation, based on the principle of data minimization, and always ensuring appropriate security (Art. 5 (1)).

Foremost, the rights of individuals (called data subject — an identified or identifiable natural person whose personal data are processed) have been harmonized, renewed and extended. The right of access to one’s own personal data (Art. 15) does not only include the right to information on such data, but also the right to request an electronic copy. The right to deletion enforces the corresponding controller’s obligation to minimize data processing, once the purposes for processing are accomplished. The data subject also has a right to object to the processing of the data, which is to be complied with without limitations for direct marketing purposes (Art. 21).

To observe the data subject’s rights and provide a proper protection of personal data, suitable technical and organizational measures, not only on IT security, are to be adopted. Such measures must be updated regularly according to the current state of the art in IT technology.

Tackling the risks, mentioned earlier, of unintentional or even secret data collection, the principle of privacy by design and default was prioritized (Art. 25). This requires proof by the controller that no more personal data than necessary for each specific purpose are processed, and that personal data is not made accessible by default if not required. This is particularly relevant for geolocation data, which should only be collected when specifically required for the purposes requested by the data subjects.

The conditions for violations of the GDPR have been considerably strengthened, with fines up to 20 million EUR (approximately $22.21 million), or in the case of a company group, up to 4% of the total worldwide annual turnover of the preceding financial year (Art. 83 (3)). However, it should be noted that such high fines will only be imposed in cases of severe GDPR breaches.

Personal Data, GDPR Applicability Defined

The GDPR’s definition of personal data includes all information relating to an identified or identifiable living natural person. Personal data within the scope of the GDPR therefore includes device IDs, location data, browser types, IP addresses, etc.

While (online) identifiers (e.g. user ID, IP address, etc.) are not considered personal identifiable information, since they alone cannot be used to identify a person, the GDPR considers it sufficient that any entity may identify a person, irrespective of the fact that a link between the “de-identified” information and the identifying information may only be created in the most aggravated circumstances. Therefore, even if the controller itself does not own or does not have access to the identifying information, the data can still be considered personal data if any other entity may identify the person based on the information held. As an example, telecommunications companies and website operators can establish a clear link to the customer via the IP address of a person and therefore may establish a connection between IP address and username. Therefore, the IP address and other similar identifiers constitute personal data, according to the GDPR.

If data is pseudonymized–all identifiable characteristics are replaced by identifiers–such data can still fall under the term personal data as used in the GDPR, if such data can be used for the renewed identification of persons.

Anonymized data are neither personal identifiable information nor personal data. Such data must however be processed in a way so that they cannot be traced back to a natural person. This may for example be the case for financial data, statistical data for data used for research purposes.

Territorial Scope of the GDPR

The scope of the GDPR can also affect companies located outside the EU, including in the U.S. Companies fall into the territorial scope of the GDPR if personal data are processed either by “an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (Art. 3 (1)). Therefore, the GDPR is applicable if a foreign company has a branch in Europe which processes personal data. Even renting of office space or having an individual representative within the EU can constitute an “establishment.”

Even companies with no establishment in the EU may fall under the GDPR’s territorial scope, as all companies that offer goods or services in the EU or observe the behavior of EU citizens are subject to the GDPR (Art. 3 (2)). The definitions of goods and services are not to be interpreted restrictively: it is enough to obviously intend to offer services in one (or more) EU member states.

While the mere accessibility of a website in the EU is not enough, price labeling in local currency (e.g. EUR) or websites in local language (e.g. French or German) may indicate the intended provision of goods and services in the EU. Lastly but very importantly, any activity linked with behavioral monitoring of EU data subjects opens the GDPR’s applicability.

Thus, the GDPR applies in many cases where a company, due to its location, would not generally assume its applicability. As a direct consequence, the processing activities falling under the territorial scope of the GDPR have to comply with the GDPR and the respective entity has to designate in writing a representative in the EU (Art. 27 (1)).

Lawfulness of Processing Personal Data

The processing of personal data is only lawful if occurring on an explicit legal basis. Otherwise, such data processing is prohibited. A legal basis can either derive from the data subject’s free consent or from an explicit statutory permission.

In practice, the most relevant legal basis for the processing of personal data derives from the controller´s legitimate interests (Art. 6 (1) sentence 1 lit. f). The question as to the existence of legitimate interests must be answered by a balancing of interests: the legitimate interest of the controller on the one hand and the opposing interests of the data subject on the other. In principle, the definition of a legitimate interest covers any legal, factual or economic interest. This is the case, for example, where “there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller” (Recital 47).

Further, a contractual relationship between the controller and the data subject (not: the data subject’s employer) constitutes a legal basis for all data processing which is necessary for the performance of such contractual relationship (Art. 6 (1) sentence 1 lit. b GDPR). The concept of “necessity” may not be interpreted too strictly; processing is already necessary for the performance of the contract if no less incisive, economically equally efficient means are available.

Furthermore, the controller can only rely on the consent given by the data subject. If, for example, the provider of a navigation software compiles profiles on the movement of its customers for personalized marketing activities, such processing will generally require consent. A consent to data processing must be given freely, unequivocally and with full knowledge of all background information about the data processing of the data subject´s personal data. Thus, full disclosure of the processing activities is key for obtaining valid consent.

Since the legal basis (or rather the purposes of processing) cannot be exchanged at one’s own discretion, it is important to identify and lay down the explicit purpose and the respective legal basis for every processing activity upfront. The processing activities must then be designed in such a way that they comply with the conditions set out in the respective provisions of the GDPR. The processing of geolocation data will require the consent of the data subject in most cases. When basing such processing on legitimate interests, a clear information to the data subject, with proof that it was given, will be required.

Data Protection Impact Assessment

To avoid uncontrollable risks for the data subject’s vital interests and rights, manufacturers and service providers must ensure compliance with the GDPR. Alongside the controller’s obligations to implement technical and organizational measures to assure such compliance, the GDPR establishes dedicated compliance instruments. Namely, controllers can be obliged to perform a data protection impact assessment (DPIA) prior to the start of data processing (Art. 35). The DPIA evaluates the risks arising from the planned processing activities. Such assessment obligation is new and did not exist before the GDPR.

The controller’s obligation to perform the assessment applies “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons” and is understood to be required “in case of systematic and extensive evaluation of personal aspects which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person” or when “processing on a large scale of special categories of data” is carried out.

Data protection impact assessments may have significant impact on the processing activities and should therefore be conducted carefully with involvement of all relevant internal stakeholders (e.g. management, commercial, data protection officer, IT) and external expertise.

Conclusion

Geolocation devices, applications and services are pervasive in an “always connected” world. They have introduced innumerable innovative, profitable and functional services and applications. With location technology, a user’s experience can be uniquely personalized, and user data can be evaluated and processed in a way that was not imaginable a few years ago. This appeals to all types of companies in the digital economy, as well as law enforcement, other public agencies and, unfortunately, criminals.

Compliance with the GDPR is mandatory for all companies falling under its scope, but such compliance can also provide key competitive advantages to other companies. Many countries are preparing for adjustments of the national law according to the European standards, while customers and business partners are increasingly being sensitized to the issue of data protection.

Manufacturers of devices producing geolocation data and services providers processing or using such geolocation data should retain the following:

• Companies basically fall into the territorial scope of the GDPR if:

• their headquarters is located within the EU,

• they have a branch which processes personal data in the EU,

• they offer their goods or services in the EU or

• monitoring of a data subject takes place within the EU.

• The GDPR has a broad definition of personal data. Personal data include all information relating to an identified and even identifiable and living person.

• Once the GDPR is applicable, all its requirements must be met.

• The GDPR’s key requirements regarding geolocation data include:

• Assignment of a data protection officer and, in the case of a company not located in the EU, the designation of a representative in the EU;

• Observance of data subject´s rights (such as Information and data deletion);

• IT Security measures;

• Appropriate safeguards concerning data protection in contracts with service providers;

• implementing and updating a record of data processing activities;

• being able to proof data privacy by design and default;

• performance of data protection impact assessments (if applicable).

The main questions in order to assess on one’s own data protection compliance regarding geolocation data are:

• Are data processed within the EU or do processing activities affect EU citizen data?

• What location data are collected and how are they used?

• Are profiles obtained or derived out of data sets?

• What are the purposes of specific data processing activities?

• What is the legal basis for such data processing?

• Are special categories of personal data (Art. 9 (1)) processed?

• Are appropriate safeguards and technical and organizational measures in place?

• Which information obligations are to be met and how?

• Is there an obligation to perform a data protection impact assessment regarding certain processing activities of geolocation data?

Compliance with the GDPR, if it applies to a company´s activities, is a legal obligation, and non-compliance can lead to severe consequences. Even if compliance with the GDPR is not “legal witchcraft,” it requires awareness and legal expertise in the company. External expertise may be useful to get the process started. 

Additional Resources

(1) Text of the GDPR in the current version (all languages): https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32016R0679

(2) GDPR guidelines, recommendations and best practices, issued by the European data protection board (edpb): https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en

(3) First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities, issued by the edpb: http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf

(4) Opinion 13/2011 on Geolocation services on smart mobile devices, issued by the former Article 29 Data Protection Working Party of 16 May 2011: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp185_en.pdf

Authors

Philip_Lüghausen_bw

Dr. Philip Lüghausen is partner at BHO Legal since January 2019. His practice primarily focuses on data and data protection law with a special focus on scientific and commercial R&D, IT law, E-comm

 

Matthias_Lachenmann_bw

Dr. Matthias Lachenmann is partner at BHO Legal since April 2019. He specializes in Technology and Data Protection Law, with a focus on international corporate data protection, employee data protection and industry 4.0. His main clients come from the digital economy, manufacturing and fashion industries.erce law, competition law and intellectual and industrial property law. His client base includes several multinational corporations.

By Ingo Baumann
September 18, 2019

Brussels View: Human Engineering

Ivan Revnivykh’s life and experience encompass the far frontiers of his homeland, Russia, from the magnificent landscapes of the country’s Pacific coast to research stations in Antarctica, to the great capital city of Moscow where he lives and works today. To everything he does he brings a sense of excitement and adventure.

Ivan Revnivykh is head of GLONASS Application Division at Roscosmos. His academic career included study and research in France and Italy, and he currently represents GLONASS in numerous international cooperative actions, all of which makes him a familiar face among the global satellite-based navigation community.

“I grew up in the countryside outside of Moscow,” Revnivykh told Inside GNSS. “My home town is Korolyov, near Elk Island National Park.” Not coincidentally, Korolyov is also the home of the Russian space engineering and ISS mission control center.

Revnivykh was born with a passion for GNSS in his blood. His father is the noted GLONASS expert Sergey Revnivykh.Ivan Revnivykh said, “My father started working for the space flight mission control center of the Central Research Institute of Machine Building (TsNIImash) in 1978, before I was born.”

The senior Revnivykh had many important tasks to carry out within the Russian space program, but he made time for his son, sometimes mingling professional and fatherly responsibilities, as when he occasionally took his son with him to the mission control center on weekends. These were important experiences for the youngster, and the memories, Ivan said, have remained with him all through his life.

Thus, young Ivan was always aware of and interested in the work his father was doing. And who wouldn’t be? Since 1995, father Sergey has been in charge of national and international projects in satellite navigation on behalf of Roscosmos, the Russian State Space Corporation.

ivans_parents
Ivan and his parents (top) in Moscow

A willingness to work hard and the determination to solve complex problems were among the traits passed from father to son. “My father was and still is a crazy workaholic,” Revnivykh said with a grin. “He is a man who can become totally involved in the things he deals with. Of course all of my father’s activities while I was growing up left an imprint on me. I’m sure I would not be doing what I am doing today were it not for this early awareness.”

At the far Eastern end of the Asian continent, still in his home country of Russia, Revnivykh spent his childhood summers on Sakhalin Island, on the Pacific Coast. From the age of five Revnivykh passed about 10 summers there, running, climbing mountains, riding bikes and fishing for salmon with his cousins, the children of his father’s sister.

“My father grew up on Sakhalin, in a family of a mining engineers. His father, my grandfather, eventually become a CEO in the island’s coal industry. My grandmother was a mine surveyor, an underground navigation expert, if you will.”

For those not familiar with the remote paradise, Sakhalin Island is a vast, mountainous and heavily forested wilderness, home to bears, foxes, otters, and sables, as well as reindeer and other deer species. There is some isolated but important industrial development, and the island is bounded on its east coast by some of the most productive waters in the North Pacific. “It’s really mad,” Revnivykh said, “Sakhalin is an amazing place, with nature and ocean.

Ivan_childhood
A young Ivan with a fish caught in small river on Sakhalin Island.

“All in all, it was a very agreeable childhood,” he said. Among other family members who made a big difference were his two grandfathers. “They taught me how to make things by hand, to craft, shoot and hunt. They showed me how to take pictures with old film cameras and to do other boyish things. I had a lot of fun growing up.”

Next Step

Young Revnivykh had an exciting future to look forward to, although he didn’t yet know exactly what kind of work he wanted to do. He was a good student and excelled in the sciences. “I knew for sure that I would be working in a technical field. Anything that involved science and technologies I knew would be a fun area for me to work in. As for my going to university, my parents and I never quarreled. They both supported my decision when I chose the Moscow Aviation Institute.”

In 2002, Revnivykh started worked on two degrees in parallel at the prestigious Institute. He received a bachelor’s degree in Economics in 2007 and a master’s degree in Systems Analyses and Control in 2008, specializing in simulation and operation research in organizational and technical systems. When he graduated, Revnivykh joined Sergey Karutin’s team at JCS (Russian Space Systems) working on the GLONASS System of Differential Correction and Monitoring (SDCM), the Russian correlate to the U.S. Wide Area Augmentation System (WAAS).

Karutin, who is now General Designer of the GLONASS system, is another person who has played a big part in Revnivykh’s life and career. “Karutin is open-minded, very smart and an extremely well organized person who always has an exact target to move towards and to reach for,” Revnivykh said. “For me he is an excellent example of a leader.”

Confirmation

“I could say my ‘GNSS Aha!’ moment came when I participated in the International Summer School on GNSS in 2009, organized by the European Space Agency in Berchtesgaden, Germany,” Revnivykh said. “There were students and young professionals from about 20 countries talking about GNSS as a key component of the world’s information infrastructure, new market capabilities and future innovative trends.”

Ivan_Anna
With his wife Anna and first daughter Elizabeth.

The exchange of ideas was highly stimulating. One key takeaway for Revnivykh was that in today’s increasingly volatile, uncertain, complex and ambiguous (VUCA) world, satellite navigation requires a truly interdisciplinary approach.

“The Summer School gave me a great opportunity to exchange experience with my international colleagues, to upgrade my skills and to understand what I wanted to do with my professional life. It was all done in an informal atmosphere, and with free drinks! That helped!” Back at work, starting in 2010, Revnivykh became more and more deeply involved in SDCM system design and development. He worked to install three reference stations in Antarctica and one in Brazil. “As a GNSS professional, dealing with SDCM, and especially the work we did in Antarctica, was really pivotal for me,” he said. “I was in charge of deployment of three SDCM reference stations, dealing with preparation, transportation and organization of construction and commissioning works, all with a team of brilliant engineers.”

Revnivykh had to work within the limitations of a short Antarctic summer season, with strict demands in terms of station location and without the ability to study sites visually; the only photos available had been made by polar explorers. The Russian Antarctic station Bellingshausen was chosen as the first site. This was followed by Novolazarevskaya station in 2011 and Progress station in 2012, the last being the most difficult and complex to set up. “In our free time we discovered the surrounding area and taught some penguins to fly,” Revnivykh said. “But seriously, deploying and maintaining any facilities in Antarctica is as challenging as doing the same thing in space.”

New Connections

The following year Revnivykh was back in the classroom, this time in a completely new setting, and his rise on the international scene was about to begin. “I felt that I still had a few things to learn,” he said, “so I enrolled myself in the

Ivan_speech
Giving a speech during a PNT conference in Saint Petersburg in 2017.

Aerospace MBA program at the Toulouse Business School in France. I can tell you, Toulouse was a hard nut. 24/7 studies in an international, multicultural team, with all possible challenges and advantages. The study was in English, but the life was in French, and as I had never studied this language before, I faced some day-to-day difficulties, like dealing with the bank. Kind of important.”

His coursework focused on Northern Sea Route Impact on the Aerospace Industry. “During my studies, I was able to structure my own lessons and make good use of them practically,” he recalled, “bearing in mind the modern international approach to doing business and labor organization. What was really important and great for me was that I made good friends and connections there, with French, Australian and Japanese people.”

It was a period of great personal growth, and of course the fun was never-ending. The program lasted for 14 months, from 2013-2014, five of which were spent as a trainee at Thales Alenia Space in Rome, Italy. “When it was time for the internship in Rome,” he said, “I decided to bring my car down from Moscow. I wanted to be more flexible and to be able to travel in my free time. I did the trip in my car in a week with a good friend of mine. On the way back, by the way, when I’d completed my studies, I nailed the same route in three days, including a stop at the Oktoberfest in Munich. It was a wild party and a great way to draw a line under my Europe studies!”

When in Rome, he did as the Romans did. He ate pizza and joined a rock-climbing club to free his mind and stay fit. And he spent a summer making more of those special memories that last a lifetime.

“I was busy with the optimization of an assembly line of one of telecommunication satellites, O3b and GlobalStar second generation,” he said. “Research undertaken during my traineeship revealed some interesting features not only of satellite assembly but also concerning the impact of human factors in the aerospace industry.

“Rome was very different compared to France. I was working in an office just above a satellite assembly line, with very kind and interesting engineers who really are proud of their job and with an extreme passion for coffee and sun. It was not hard to complete my master’s degree at Thales. The people were open and ready to answer all of my questions.”

Love Chimes In

His academic career at an end, Revnivykh had one more very important task to undertake before moving on with his professional life: getting married. “Following my return from Rome,” he said, still grinning, “a good friend of mine from university organized a party where I met Anna. She was also involved in satellite navigation. As it turned out she even knew my father and had worked with him on some projects. So she was from my world.”

Anna is a graduate of Lomonossov Moscow State University, specialized in linguistics. She currently works in the international department of the Information and Analysis Center for Positioning, Navigation and Timing. She routinely forms part of the Russian delegation at international meetings and committees relating to satellite navigation.

“We were married in 2016 in Korolyov city,” Revnivykh said.”We honeymooned in Vienna, in conjunction with certain parallel United Nations activities: a meeting of the International Committee on GNSS!” The Ivan-and-Anna connection has been a fruitful one, as we shall learn.

Back to Work

“When I came back to Russia,” Revnivykh said, “I worked at TsNIImash for one year and then took up my current position as head of GLONASS Application Division at Roscosmos. My team deals with state R&D within the Federal Program on GLONASS Sustainment, Development and Use.”

Revnivykh is currently working to complete R&D and preparations for the launch of a small retroreflector spacecraft, and he has recently organized and ensured the implementation of R&D projects to create a GLONASS system measuring network (RIMS) on the territory of the Russian Federation and in Antarctica, to provide high-precision navigation for users. He is also charged with implementing results of a wide range of interesting and vital R&D initiatives around the expanded use of GNSS in the transport industry (ERA GLONASS).

Very importantly, Revnivykh coordinates international activities related to GNSS compatibility and interoperability. “Together with leading research institutes,” he said, “we represent the GLONASS system within UN initiatives, such as the International Committee on GNSS and ICAO.” Revnivykh therefore, in a very real way, displays the international face of GLONASS, a cornerstone GNSS program and a true model of excellence, initiative and originality for similar programs around the world.

Foundation Firm

Underpinning all the work he does at Roscosmos, Ivan Revnivykh’s bedrock remains his family. He maintains a good relationship with his parents, and runs into his father very regularly, thanks to their common work in the GLONASS program.”

His aunt still lives on Sakhalin Island, although the cousins he used to run with have moved away, one to Australia, and another to the south of Russia. “We follow each other on social media these days,” he said, “and it’s fine for all of us.”

Closer to home, his wife Anna, at the time of this writing, was on maternity leave; she delivered a second beautiful girl, Daria, in late August.

“Our daughter Elizabeth is two and we are expecting a new baby girl this summer,” Ivan said at the time, grinning more broadly than ever. A new generation of Revnivykhs sets forth on the grand adventure.

Combining life and career is a challenge, Ivan acknowledged, as so many will agree. “I try to spend as much time with my daughter as I can. We ride a bicycle together or go hiking with her sitting in a special kid carrier. I suppose with the second baby, only more and newer challenges are on the way.”

Revnivykh said he does like to apply his engineering skills to his daily, non-working life. “My dream now is to get into CNC [computer numerical control, used in 3D printing technologies] and produce some useful cycling equipment or things for interior design.”

He still likes to get on a bike and ride like the wind. He did a lot of mountain biking in his youth. “I am still into it, now more into Enduro MTB, which delivers the fun!” he said. That’s rugged stuff, with steep uphill and downhill sections.

At the beginning of this profile we posited that Revnivykh was born with a passion for GNSS in his blood, but clearly there is more to him than that. He was born with a passion for life. He has shown it and continues to show it in his work, in his family life, and in all the rest of what he does. The glass is raised — Vashe Zdorovie, Ivan Revnivykh!

Ivan Revnivykh’s Compass Points

Engineering specialties and other technologies you work with frequently:

Revnivykh ‘s engineering background is in system analysis and control. He also works with geodetic reference systems and coordinates Roscosmos activities concerning the global terrestrial geocentric reference system ‘Parametry Zemli 1990’ (PZ-90.11). That is the national reference system for geodetic support of orbital missions and navigation. Other important technologies in his work include automated control of machine tools, and computer-based 3D printing.

GNSS Event that most signifies to you that GNSS has “arrived”:

“Today, life with a GNSS-enabled smartphone means you can enjoy so much of your day-to-day lifestyle while on the move,” said Revnivykh.

When did you first “fall in love” with the GNSS and why:

As a GNSS user, Revnivykh fell in love with the technology when he was able to stop using paper road maps. “For me it was a real breakthrough,” he said. “Just imagine, you’re driving a manual transmission car somewhere in Moscow and turning over the pages of the map book with the Russian road system in a panic, trying to find the route. That was real stress! Life has become so much easier nowadays when you can use just any navigation application in your mobile phone.”

Engineering mentor–not necessarily an engineer:

Of course Ivan’s father, Sergey Revnivykh, provided his son’s first introduction to the GNSS world. “I believe he was one of the open-minded people in Russia with a great passion for bringing the old GLONASS system back to life and making it fully operational,” Ivan said.

Sergey Karutin was another key personality for Revnivykh as he started his professional career. Karutin is currently Head of the PNT Center at Central Institute of Machine Building, a leading Roscosmos institute.

What popular notions about GNSS most annoy you?:

“A lot of ordinary people think that GNSS is there to track them, to trace their movements,” Revnivykh said. “And it is slightly annoying,” he added with his signature grin, “that we still hear people saying ‘GPS’ when they really mean ‘GNSS’!”

Favorite equation:

The method of least squares; the method finds the optimal parameter values by minimizing the sum, S, of squared residuals:

equation

As a consumer, what GNSS product, application, or engineering innovation would you most like to see?

Revnivykh said, “I would like to be able to buy a tablet with a real-time zooming world map showing exactly right now all details you need with cm-level accuracy of positioning reference. And it would have some history and predictive functions. Sure, this would not be just a GNSS technology, but would need synergy with satellite remote sensing and communication as well.”

By Peter Gutierrez
MORE COLUMNS & EDITORIALS

NovAtel’s Annual Journal of GNSS Technology Solutions and Innovation

Image
2016
Image
2015
Image
2014
Image
2013