Geolocation: the ‘new sensitive data’?

With 6.6 billion smart-phone users in the world, and up to 90% of smart device Apps making use of geolocation tracking capabilities, it is vital to consider the privacy implications surrounding their use by both governments and businesses. There are a growing number of devices that utilise geolocation technology such as smart-phones, tablets, laptops, smart watches and fitness trackers. Furthermore, the extent and scale to which geolocation data can be used, has been recently highlighted by the COVID-19 pandemic with initiatives such as the NHS’s Track and Trace. This article will explore the use and benefits of geolocation data and the arguments surrounding it, including the extent to which it should be deemed as sensitive data.

What is geolocation data?

Geolocation data relates to any data taken from a user’s device that indicates its geographical location. Mobile devices such as smart-phones contain hardware sensors that allow them to detect a wide variety of signals from a number of sources such as satellites (GPS), nearby Wi-Fi networks and known Bluetooth signals. The Operating System (OS) then analyses these signals and provides the technical permission later for Apps to request access to a precise location measurement. The App can then request permission from the user via the OS. Once this is complete the OS will provide a precise location measurement and timestamp on the App.

Why is geolocation data used?

Geolocation data can be used by governments and the police, but it is also used widely by businesses. It has been described as ‘the foundation for location-positioning services and location-aware applications’, and for many businesses, the use of geolocation and mobile technologies are critical to their success. This technology aids in a number of areas such as targeted marketing; the use of add triggers to alert users in specific locations; and health and fitness monitoring – all of which are becoming ever more essential to compete in a world where products and services are becoming more personalised to the user. With 90% of smart-device Apps making use of geolocation capabilities, it is clear to see both their prevalence and significance.

The debate surrounding geolocation data

Despite the wide-reaching use and benefits to both businesses and the public sector, it is true that the use of geolocation data does increase the risk to the user. However, the extent to which this fact should limit the free flow of information has been questioned by some commentators.

As it currently stands, the EU/UK GDPR categorises location data as ‘personal data’, under the Article 4 definition. Therefore, in order to process this data, one of the six legal bases needs to be identified. However importantly, and offering a distinction to the position developing in the US, geolocation data is excluded from the Article 9 special categories of data (the equivalent to ‘sensitive data’ in the US). The reasoning behind this view is that a person’s location data does not relate to the inherent personal characteristics of an individual, as a person’s location is always changing. It has been suggested that this fact in itself disqualifies location data from meriting consent and opt-in standards. Some commentators in the US, have cited their support of a more EU/UK GDPR approach which does not classify location data as ‘sensitive’, suggesting that legislation in the US should be working towards addressing ‘genuine privacy concerns around reidentification, but nevertheless still enables the free flow of privacy-filtered information our society has come to rely upon’. A recent example illustrating the potential of geolocation data was the NHS’s Track and Trace used during the COVID-19 pandemic by the NHS. Track and Trace used Google and Apple exposure Notification API (which sends random identifiers using Blue-tooth Low-Energy), in order to alert individuals if they had been in contact with another app user who had tested positive for COVID-19. The API measured how close the device had been to other phones running the app, and for how long. Track and Trace highlights the scale and scope of the use of geolocation data and how it can be harnessed to benefit society; however, recently there have been calls for the sensitivity of geolocation data to be reconsidered.

LINC, France’s digital innovation laboratory, have proposed that geolocation data could be the ‘new sensitive data’, stating that ‘geolocation and data flow are to personal data what stem cells are to cellular biology: totipotent, they allow by their abundance of context to infer a considerable amount of data about behaviour, habits and lifestyle’ this is because they can serve as a proxy for where individuals are located over time. A 2015 study on a credit card dataset, provides a good example of this. This three month study, of 1.1 million people, suggested that four “spatio-temporal” points (which refers to geographical coordinates, date and hour) were enough to uniquely identify 90% of the individuals in the study. This precision can be heightened by the existence of data brokers who specialise in the collection and resale of geolocation data.

The issue of data brokerage is one in its own, but is of particular concern within the US, where some of the largest data brokers in the world operate:

Findings such as these, explain the concern by legislators in the US, who have called for further steps to be taken to protect geolocation data. Whilst, there is no overarching federal data privacy legislation, state level privacy laws such as those in Connecticut, Virginia and California have declared geolocation data as ‘sensitive’. Since then, a number of state level privacy laws have declared some versions of the words ‘precise location’ data to be sensitive. Many of these states require ‘affirmative express consent’ for collecting location data, this requires the individual to give a deliberate and specific action to consent to the processing.

Conclusion Whilst the free flow of data is essential in the modern world, and despite geolocation data offering a valuable tool for businesses, and more recently providing the bases of a national programme such as the NHS Track and Trace; there are inherent risks with processing this type of data. Recent events in the US highlight the dangers with processing geolocation data, and provide a sound bases for introducing greater restrictions on the use of geolocation data. However, it is not just within the US that this view has been voiced. As mentioned previously, LINC, based in France have also suggested that within Europe geolocation data’s sensitivity should be addressed, indicating that maybe a stricter approach to geolocational data should be considered in jurisdictions across the globe, not just within the US.

Share:

More Posts

Stop. Comply. Pay.

Introduction Ten years on from the Snowden disclosures, the odyssey to protect EU/EEA subjects’ data from US surveillance continues. On May 22nd Ireland’s Data Protection

Data Protection News Update 05 June

United States FTC and the DOJ order $30.8M fine and corrective measures against Amazon’s Alexa and Ring TikTok requests that Illionois court hears privacy lawsuits

Data Protection News Update 30 May 2023

United States Harvard Pilgrim suffers data breach Biden announces additional initiatives exploring AI US Senators probe Google on data practices related to reproductive health care

Send Us A Message