Location information provides the position of someone or something at a certain point in time and with certain accuracy. It links place, time, and attributes. Some attributes are physi- cal or environmental in nature, while others are social or economic (Longley, 2001, pp. 64- 65). Location information may refer to the direction of travel, or to the identification of the network cell in which the terminal equipment is located at a certain point in time (Directive 2002/58/EC recital Number 14).
In the context of this research location information “means any data processed in an elec- tronic communications network, indicating the geographic position of the terminal equip- ment of a user of a publicly available electronic communications service” (Article 2 (c) Direc- tive 2002/58/EC). This includes the location area code, the cell-identity and the X/Y coor- dinates of the cell to which the device was connected (see also Explanatory Memorandum Decree ex article 28 WIV 2002).
Location privacy may be defined as: “the ability to prevent other parties from learning one’s current or past location” (Beresford et al. 2003). It may also be defined as the ability to con- trol the extent to which personal location information is being used by others.
The linkage of information to the earth gives information extra value. It makes the object or subject easy to identify, and as a result easy to reach, and/ or to determine the relative posi- tion between two devices. For many purposes, we need to know where what is. In the past a simple map was sufficient. With the increasing complexity of today’s world the complexity of mapping also increases. Not only do we want to know more, we also want to know it more precise, more up-to-date and presented in a user-friendly way so that also laymen can under- stand it and use it. There is always a need to have access to answers to questions such as where am I, where are you, and what is where? These questions can be linked to property is- sues, situations of war, criminality, economic development, health, geographic planning, dis- aster management, and many more. Moreover, modern technology allows for information searches and analyses by geographic unit, making it extremely useful for geographic man- agement and planning, for example disaster management purposes. In addition, both public (execution of policies) and private sector (profiling) linking a geographic element to the at- tribute may address the specific needs of the people in a geographic area more properly (see
latest models. He has now become more than his name; an asset that is easy to reach. When we include his attributes in a database with all inhabitants of area Y, we can map the income distribution, the distribution of sexes, or the distribution of people with a Mercedes-Benz. Another example is in health care: the knowledge that there is a relation between the charac- teristics of people and the likelihood for a disease is extremely valuable (see, for example, Snow, 1855). The location of the disease helps to find them and cure or prevent the distribu- tion of a disease. These examples can be applied to many more human activities and deci- sions. Moreover, with data about a person's past and present locations, it is possible to im- pute aspects of the person's (future) behaviour. Moreover, linking the data of multiple people reveals human interactions, and behaviour patterns of groups (Clarke 2001, p.208). In this way the location of a user provides important information to grasp the context of the user (Lee et al. 2005, p.1006). Location information is also valuable for location-based services because it implicitly conveys characteristics that describe the situation of a person (Gruteser et al. 2004, p.13).
Location information of mobile devices is also useful for law enforcement or security and in- telligence services; who was at the time of the crime where, where did he go, with whom and where is the suspect now (see, for example, Data Retention Directive 2006/24/EC, recital 11). Further, it may reveal the personal network of the suspect. In addition, location informa- tion could easily facilitate data mining and discrimination, leading to a surveillance situation where the control could even be performed by machines (IPTS 2003, 66). Examples of loca- tion information use of mobile devices, so-called Location based services, are
• Location services through Bluetooth (P.C. Hooftstraat scan) (see Tomesen 2007); • To locate friends or stalk them (see Goldacre 2006) ;
• Find one when kidnapped (e.g., Bauer 2007); • Keeping an eye on employees (Sciannamea 2004); • Keeping an eye on your children;
• Locating people present near location of crime at time of crime committed; • Mass message to all cell-phone in a certain area in instance of emergency, and • Fleet management
4.2 How sensitive is location information?
Within a geographic context, privacy limitations will typically apply to the datasets with a high level of detail where, for example, individual houses or addresses can be used to reveal information about individuals. Small-scale datasets are often of such limited detail that it does not provide the ability to link the geographic information to individuals: privacy issues are not likely to limit the use of small-scale information. The Dutch data protection authority considers data at the address level personal information (Registratiekamer 1996; Kamerstuk- ken 25892 no. 3; CBP 2007). Therefore, this information is subject to privacy legislation. Ini- tially, data at the zip-code level was not considered to include personal data (Kamerstukken 25892 no. 6). However, later it was argued that data at the zip-code level should be consid- ered personal data if one is treated differently due to the linkage to these zip-code level data (see Kamerstukken 25892 no. 92c). Location information extracted from a cell-phone loca- tion may reveal at this zip code level where one has been at a certain point in time with whom, and for how long, directly touching upon one’s privacy.
A name or an address alone may not impact on one’s behaviour or private life. However, a combination of an address or a mobile device, and other information can result in highly de- tailed and intimate personal data (see, for example, R. v. Plant). One may argue that revealing such data may impose a serious threat on the privacy of the individual that is linked to the
device or address. For example, the device may be found frequently at the location of a men- tal hospital, which may suggest that the individual has a mental problem. Similar inferences can be drawn from visits to clinics, drugstores, coffee shops, tobacco shops, entertainment districts or festivals, political events, or ghetto areas with a criminal reputation (e.g., trailer home parks, scrap heap areas). Conclusions drawn from this information can interfere with the daily life of the individual (see also Gruteser et al. 2004, p.13). This is especially annoying if the conclusions are inaccurate. The assumed visit to the coffee shop was in fact a visit to the supermarket just above the coffee shop. Or the visit to the tobacco shop was to buy a birthday card instead of Cuban cigars. This may have undesired consequences such as spam, or a unfavourable situation for one’s health insurance.
4.2.1 Location information as special personal data
One may even argue that when the processing of location data refers to a location of a men- tal hospital or a church the location data should be categorised as the special, more sensitive, category of personal data. These data include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or concerning health or sex life. These are the ‘special categories’ of data, the processing of which requires special rules under Article 8 of the Directive 95/46/EC (see EU Directive 95/46/EC; see also EC Regulations No 45/2001; art. 6 Convention 108):
”Member States shall prohibit the processing of personal data revealing racial or eth- nic origin, political opinions, religious or philosophical beliefs, trade-union member- ship, and the processing of data concerning health or sex life.” (art. 8.1 Directive 95/46/EC)
Although location information is not mentioned as a special category, in certain instances it may very well be considered to be in the special category of personal data. The Portuguese data protection authority, for example, has classified ‘phone positioning data’ as sensitive personal information (Korff 2002, p.85). But also in the other countries location data can be sensitive data since location data can reveal one’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data con- cerning health or sex life. One may think of someone frequently visiting a mental hospital, a church, places where labour union boards or political parties meet, places known as fre- quently visited by gays, or a drug rehabilitation centre. In this respect, location data do reveal very sensitive data on individuals and as a consequence should be considered to be in the special category of personal data. One may argue that personal data are sensitive because of the circumstances in which they are processed not simply because of their content (Korff 2002, p.85 citing the UK Information Commissioner). Thus, the context to which location data are attached or used may be decisive for the privacy regime that applies to location data processing.
However, location data do not necessarily relate to the category of special personal data as specified by article 8 of the Directive 95/46/EC. Linking the location data to the member-
But, Member States may restrict the scope of Directive 95/46/EC and Directive 2002/58/EC for the processing of personal data concerning public security, defence, State security (including the economic well-being of the State when the processing operation re- lates to State security matters) and the activities of the State in areas of criminal law. For these exceptional purposes, sensitive personal data may be processed.
In a comparative analysis of the implementation of Directive 95/46/EC in EU Member States, Korff (2002) found that privacy legislation in many European countries does not pro- hibit the processing of special personal data if the data subject has consented with it. For the processing of location data, this applies to even more countries. However, Korff (2002, p.88) found at least two countries that required additional formal requirements for all or certain sensitive data. In Greece, a permit from the data protection authority needs to be obtained for the processing of any sensitive data. In Portugal, such data may only be processed “when it relates to data which are manifestly made public by the data subject, provided his consent for their processing can be clearly inferred from his declarations” (art. 7.3.c Act on the Pro- tection of Personal Data).
In the transposition of Directive 95/46/EC into national legislation several Member States added further categories of sensitive data, such as data on debts, financial standing and the payment of welfare benefits. Moreover, some Member States did not literally transpose the Directive, but broadened its scope by adding to ‘revealing’ the wording ‘or refer to’ (Spain; Korff 2002, p.84), or adding ‘revealing directly or indirectly’ (France; Korff 2002, p.84). More specifically, the Netherlands has created different regimes for each type of special per- sonal data. Churches and other associations based on religious or philosophical principles may process personal data revealing religious or philosophical beliefs unless the data subject has objected to such a processing (Art. 17.1 Wbp). The processing of personal data revealing racial or ethnic origin is allowed if this is to provide people belonging to a minority group a privileged position to ban or limit social imparity and the data subjects have not objected to such a processing (art. 18.b Wbp). Political parties and Labour Unions may process the per- sonal data of their members (artt. 19.1 and 20.1 Wbp).
4.2.2 Location information as traffic data
Directive 2002/58/EC adds a special data category including location data: traffic data of communications. Traffic data are data that are required to enable the communications and those required for the billing process. It includes the phone numbers, duration of communi- cation, time of communication and also information on the location of the cellphone at the time of calling.
Location data of a mobile device are traffic data because they are necessary to enable the transmission of communications (recital 35 Directive 2002/58/EC). In the context of the Directive traffic data only applies to the location of the cell-phone at the moment the com- munication starts and the location of the cell-phone when the communications ends. These traffic data reveal our ‘habits and relations’ (Penders 2004) to some extent at least.
4.2.3 Detailed location information in telecommunications
However, digital mobile networks may have the capacity to process location data, which are more precise than is necessary for the transmission of communications (Directive 2002/58/EC recital 35). For the processing of such more precise location data, the Directive applies a more strict regime. For, for example, value added services the processing of ‘pre-
cise’ location data is only allowed when subscribers have given their consent (see Directive 2002/58/EC art. 9).
Figure 4-1 shows the above in a graphical way. Location information at high levels of detail are indirectly identifying information. By itself or if linked to identifying information, general privacy law provisions apply to its’ processing. If the information is further linked to a sensi- tive context the most restrictive privacy regulations may apply to the processing.
sensitive personal location information (highest detail) personal location information (highest detail) location information (highest detail) (general) privacy legislation applies to the use most restrictive privacy legislation provisions apply to the use
identifying information sensitive context
Figure 4-1 Categorization of location data