With 6.6 billion smart-phone users in the world, and up to 90% of smart device Apps making use of geolocation tracking capabilities, it is vital to consider the privacy implications surrounding their use by both governments and businesses. There are a growing number of devices that utilise geolocation technology such as smart-phones, tablets, laptops, smart watches and fitness trackers. Furthermore, the extent and scale to which geolocation data can be used, has been recently highlighted by the COVID-19 pandemic with initiatives such as the NHS’s Track and Trace. This article will explore the use and benefits of geolocation data and the arguments surrounding it, including the extent to which it should be deemed as sensitive data.
What is geolocation data?
Geolocation data relates to any data taken from a user’s device that indicates its geographical location. Mobile devices such as smart-phones contain hardware sensors that allow them to detect a wide variety of signals from a number of sources such as satellites (GPS), nearby Wi-Fi networks and known Bluetooth signals. The Operating System (OS) then analyses these signals and provides the technical permission later for Apps to request access to a precise location measurement. The App can then request permission from the user via the OS. Once this is complete the OS will provide a precise location measurement and timestamp on the App.
Why is geolocation data used?
Geolocation data can be used by governments and the police, but it is also used widely by businesses. It has been described as ‘the foundation for location-positioning services and location-aware applications’, and for many businesses, the use of geolocation and mobile technologies are critical to their success. This technology aids in a number of areas such as targeted marketing; the use of add triggers to alert users in specific locations; and health and fitness monitoring – all of which are becoming ever more essential to compete in a world where products and services are becoming more personalised to the user. With 90% of smart-device Apps making use of geolocation capabilities, it is clear to see both their prevalence and significance.
The debate surrounding geolocation data
Despite the wide-reaching use and benefits to both businesses and the public sector, it is true that the use of geolocation data does increase the risk to the user. However, the extent to which this fact should limit the free flow of information has been questioned by some commentators.
As it currently stands, the EU/UK GDPR categorises location data as ‘personal data’, under the Article 4 definition. Therefore, in order to process this data, one of the six legal bases needs to be identified. However importantly, and offering a distinction to the position developing in the US, geolocation data is excluded from the Article 9 special categories of data (the equivalent to ‘sensitive data’ in the US). The reasoning behind this view is that a person’s location data does not relate to the inherent personal characteristics of an individual, as a person’s location is always changing. It has been suggested that this fact in itself disqualifies location data from meriting consent and opt-in standards. Some commentators in the US, have cited their support of a more EU/UK GDPR approach which does not classify location data as ‘sensitive’, suggesting that legislation in the US should be working towards addressing ‘genuine privacy concerns around reidentification, but nevertheless still enables the free flow of privacy-filtered information our society has come to rely upon’. A recent example illustrating the potential of geolocation data was the NHS’s Track and Trace used during the COVID-19 pandemic by the NHS. Track and Trace used Google and Apple exposure Notification API (which sends random identifiers using Blue-tooth Low-Energy), in order to alert individuals if they had been in contact with another app user who had tested positive for COVID-19. The API measured how close the device had been to other phones running the app, and for how long. Track and Trace highlights the scale and scope of the use of geolocation data and how it can be harnessed to benefit society; however, recently there have been calls for the sensitivity of geolocation data to be reconsidered.
LINC, France’s digital innovation laboratory, have proposed that geolocation data could be the ‘new sensitive data’, stating that ‘geolocation and data flow are to personal data what stem cells are to cellular biology: totipotent, they allow by their abundance of context to infer a considerable amount of data about behaviour, habits and lifestyle’ this is because they can serve as a proxy for where individuals are located over time. A 2015 study on a credit card dataset, provides a good example of this. This three month study, of 1.1 million people, suggested that four “spatio-temporal” points (which refers to geographical coordinates, date and hour) were enough to uniquely identify 90% of the individuals in the study. This precision can be heightened by the existence of data brokers who specialise in the collection and resale of geolocation data.
The issue of data brokerage is one in its own, but is of particular concern within the US, where some of the largest data brokers in the world operate:
- Recently, data broker Kochava, was fined by the FTC ‘for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations’;
- Companies in the US have been found to be reselling children’s geolocation data; with the App Life360 selling data on children’s and families’ whereabouts to a number of data brokers, who have the power to sell this data to anyone. This is of particular concern as in jurisdictions such as the EU, ‘children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing’. This is because the ability to ascertain or track the physical location of a child carries with it the risk that the data could be misused to compromise the physical safety of that child;
- More recently, a data broker has been found to have been selling location data of people visiting abortion clinics: showing where groups of people visiting the locations came from, how long they stayed there, and where they went afterwards. This came in the wake of the leaked Supreme Court decision surrounding the potential to overturn Roe v Wade, leaving the data of thousands of women vulnerable.
Findings such as these, explain the concern by legislators in the US, who have called for further steps to be taken to protect geolocation data. Whilst, there is no overarching federal data privacy legislation, state level privacy laws such as those in Connecticut, Virginia and California have declared geolocation data as ‘sensitive’. Since then, a number of state level privacy laws have declared some versions of the words ‘precise location’ data to be sensitive. Many of these states require ‘affirmative express consent’ for collecting location data, this requires the individual to give a deliberate and specific action to consent to the processing.
Conclusion Whilst the free flow of data is essential in the modern world, and despite geolocation data offering a valuable tool for businesses, and more recently providing the bases of a national programme such as the NHS Track and Trace; there are inherent risks with processing this type of data. Recent events in the US highlight the dangers with processing geolocation data, and provide a sound bases for introducing greater restrictions on the use of geolocation data. However, it is not just within the US that this view has been voiced. As mentioned previously, LINC, based in France have also suggested that within Europe geolocation data’s sensitivity should be addressed, indicating that maybe a stricter approach to geolocational data should be considered in jurisdictions across the globe, not just within the US.