CIPP/E Study Guide
Ch 15.7 - Location data

Location data and contact tracing

Location-based services (LBS) use location data, drawn from satellite (GPS/Galileo), cell-based mobile network and chip-card sources, to deliver navigation, advertising, gaming, payments and more. Location data is an identifier in the definition of personal data, so if it can identify someone (alone or combined with other data), it is personal data. The big risks are stalking/harassment and inadvertent disclosure (e.g. fitness apps exposing military bases). Consent obtained by demanding GPS for an unrelated purpose is not freely given. COVID-19 contact tracing apps must be voluntary, use proximity data rather than location data, and undergo a DPIA before deployment.

Main sources of location data for LBS
Source | Examples
Satellite network | GPS and the EU's Galileo system - navigation, security, social networking
Cell-based mobile network | Cell ID, plus Bluetooth, Wi-Fi, NFC and RFID - location services, ads, contactless payments
Chip-card | Payment cards, building access cards, metro/travel cards

Mobile phones and apps are the most prevalent source of location data and can also infer location from user behaviour or from an IP address. Location data is an identifier in the definition of personal data: if it can identify someone alone or with other data, it is personal data. In employment, tracking a delivery vehicle also tracks the driver, whose location data is their personal data.

Consent must match the purpose

Requiring GPS to be activated in a photo-editing app for behavioural advertising is not freely given consent, because GPS is not necessary for the core service. App developers must check the legal basis covers all purposes and that purpose limitation is met.

  • Location can be misused for stalking or harassment
  • Apps may disclose sensitive data unintentionally - e.g. fitness apps revealing US military bases and personnel
  • Even with location services off, an app vulnerability could leak location
  • Location history (clinics, churches, friends' homes) can reveal political opinions, religious beliefs or medical conditions

EDPB contact-tracing app requirements (2020 guidelines)
Requirement
Use must be strictly voluntary; apps stop collecting once no longer necessary for the pandemic
Must use proximity data with other devices, not location data
DPIAs must be conducted before deployment

Key terms - quick answers

What is “Location-based services (LBS)”?
Services that use a device's location to deliver applications such as navigation, advertising, gaming, payments and emergency response.
What is “Location data”?
An identifier in the definition of personal data; if it can identify a person alone or in combination, it is personal data.
What is “Contact tracing”?
Identifying who a person has been in contact with; during COVID-19, apps notified users of close proximity to a confirmed carrier.
What is “Galileo”?
The EU's Global Satellite Navigation System, the European equivalent of the American GPS.