

3 Proposal for an individual rights impact assessment model

3.2 Assessment elements with general relevance

3.2.1 Introduction

The following discussions of impact elements concern first and foremost questions which could be classified as privacy and data protection. We mainly relate our deliberations to existing legal principles and regulations at European Union level, but add other legal-political considerations. The conclusions are not about what is needed to comply with existing legal requirements, but indicate what should be recommended when the protection of individuals is considered.

3.2.2 Sensitivity and privacy exposure

Personal location data is not among the special categories of data regarded as generally sensitive as identified in the Data Protection Directive art. 8(1), i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life. Thus, the basic conclusion is that personal location data is not generally sensitive.

However, sensitive data may be "constructed" by combining several non-sensitive data, for instance if a location-enabling service links to other pieces of information found in co-functioning systems. In GPS-based maps, coordinates showing where a person is may for instance reveal sensitive information because they are linked to the address of a hospital, medical office, church or similar site. On the other hand, only a tiny number of coordinates are linked to sites which could be associated with the types of personal data regarded as sensitive. In a legal sense, the mere possibility of concurrence between a position and e.g. a hospital does not make location data sensitive.

However, if location-enabling technologies are designed to particularly target sites which are linked to sensitive data, the conclusion may easily be different. For instance, an emergency app designed to locate and rescue people who have fallen ill or are injured may be seen as processing sensitive data even if sensitivity is only revealed by a combination of non-sensitive data (e.g. the information that person P has been staying for two days at an address where there is a hospital).

Location could be seen as a possible entrance to almost every kind of other information, and location increases the usability and importance of these other types of data. Thus, there is a clear difference between use of location-enabling technologies which is restricted to presenting basic position data and technologies which add, or facilitate adding, information about activities, forthcoming and historical events, property information, social information etc. to the locations.

In concrete services/functions based on location-enabling technology, coordinates and other information about sites will not necessarily be directly exposed as part of the application, or this information may be very limited. However, personal location data is always combined with time stamps, and may almost always be connected to a very large spectrum of other data, both personal data and general data connected to the location. All together, this may create a complex information context around the limited information on coordinates etc. Coordinates and addresses are excellent means of linking information, both because these data are used to identify other types of information on locations, and because almost all locations may be linked to names of individuals, national identification numbers and other means of personal identification.152

Given the nature of current technology and its development, there is no reason to place emphasis on the fact that systems/services/functions are formally distinct from each other. A realistic approach for the future is that services will often allow great amounts of information on each location to be connected.

Returning to the example where a certain position shows presence at hospital H1: given the identity of the business, there may be a lot of other information available about this hospital, some of which will add to the picture drawn of the data subject, and some of which gives context information. The hospital is a private abortion clinic, the clinic is owned by P which also owns hospital H2 where the data subject was present on dates D1 and D2 for a certain amount of time, and H2 has been under police investigation, etc.

Equally important: if we consider possibilities of linking other data to a certain position, we should not limit ourselves to examples where a location directly reveals sensitive data (e.g. because it is the site of a hospital). It may just as well be that an "innocent" location, when combined with other information, identifies a place which reveals sensitive data. Several sources of data may for instance reveal that a certain site (an apartment) has been the scene of a serious crime, where the convicted criminal lives after serving the sentence together with identified family members.

152 At least owners and usufructuaries.

On the basis of these descriptions, a reasonable conclusion could be that location-enabling technology and personal location data represent great possibilities to reveal sensitive data, both directly and indirectly, and in particular if combined with the many types of other information that could be linked to locations. The probability and extent of this happening is basically uncertain, but the potential is in many situations considerable. Given this insight, from a legal-political point of view there may be reasons to reconsider what could be seen as grounds for assessing data as sensitive.

The general regulatory approach of the Data Protection Directive and other relevant legislation is to a large extent based on the assumption that processing of data is carried out within the framework of information systems which have specific controllers, are used for specific purposes etc. Of course, it is recognised that systems interact, that controllers collaborate etc.153 Our point is however that systems may interact with other systems in a seamless and automatic way, turning them into an information infrastructure rather than separate information systems. If the sensitivity of personal location data is considered from the infrastructure perspective, the subject-matter we assess will be hard to describe with sufficient certainty and credibility, because we are in the open environment of infrastructures where actual information patterns may be hard to predict.

Personal location data may have indirect effects on other fundamental rights such as the right to free movement,154 freedom of thought, conscience and religion155 and freedom of assembly and association.156 The primary reason is the possible chilling effect of the fact that location data may reveal political, religious and philosophical opinions and actions. Possible indirect effects on other human rights may support the idea of location data as sensitive.

Even though personal location data may not be linked to information of traditionally sensitive character, aggregation of "innocent" location data may be regarded sensitive in a popular sense of the word, because it may give a very detailed picture of the daily life of each person, documenting whereabouts and hours, and thus indicating actions, habits, preferences, relations etc.;157 a sort of constant profiling. A person is always somewhere at a certain hour, and seen in this way, location-enabling technology ultimately has the potential of indicating every aspect of life during a lifetime. The current number of applications using such data, and the fact that the future potential of location data is great, make it probable that the intensity of registration and further use of personal location data will continue to grow, and that use of several, parallel sources of information on people's whereabouts will be rather common.158 Moreover, to the extent that we sum up all location information related to all/many individuals within a defined area, personal, social, economic and consumer patterns etc. will be revealed, making it possible to analyse each individual in a societal context.

153 Cf. proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7 0025/2012 – 2012/0011(COD)), article 4(5) which defines "controller" as a role carried out "alone or jointly with others".

154 Cf. TFEU art. 21 (1).

155 Cf. ECHR art. 9.

156 Cf. ECHR art. 11.

157 See ARTICLE 29 Data Protection Working Party, opinion 13/2011 on Geolocation services on smart mobile devices.

So far, we have discussed whether personal location data is generally regarded to be sensitive, cf. Data Protection Directive art. 8(1). Concrete opinions among citizens on the need for protection could of course deviate from this general classification, and the personal view of data subjects could be that data on their financial circumstances, their whereabouts or other types of data are just as sensitive as those identified in the Data Protection Directive. In addition, in concrete cases almost any type of data may be regarded sensitive when it is matched with other data. Location is very often one important ingredient of such concrete assessments of sensitivity (someone has been in the wrong place at the wrong time).

Such individual and situational assessments of sensitivity can of course not be the basis for classifying what should be regarded sensitive in legislation, but may still be relevant when the sensitivity of personal location data is assessed on a general level.

If we consider the sensitivity of personal location data as the basis for conducting an individual rights impact assessment, we really have two basic choices.

Either we stick to the information system perspective and carefully examine each application of location-enabling technology in order to consider whether or not a certain type of device/service yields data which may reveal circumstances as indicated in Data Protection Directive art. 8(1). This will leave us in a situation of basic uncertainty because the possibilities of linking to other data are many and hard to assess, and we will be in constant doubt regarding where boundaries should be drawn. Thus, even small developments of existing services could be grounds to reclassify. The other approach would be to change to an information infrastructure perspective and presuppose that geographical information will almost always be possible to link to a variety of other information, making it almost impossible to say something in advance about the sensitivity of these combinations.

We have argued that given the infrastructure perspective, assessments of the sensitivity of personal location data "dissolve" into over-complexity and uncertainty: location data will sometimes be directly sensitive, sometimes indirectly sensitive (because of generally available possibilities to combine data), and sometimes sensitive because location data is assessed as sensitive in concrete cases. It may be claimed that altogether this supports the idea that location data should be regarded as sensitive.

158 For instance four sources of personal location data linked to cars: GPS anti-theft device, GPS-based maps and traffic information device, RFID toll road payment device and activated GSM telephone service.

The sum of possibilities mentioned above could be an argument for supplementing the traditional sensitivity assessment (regarding revelations of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life). As an alternative to assessing whether concrete processing of location data may reveal such information, it may be claimed that the probability that it does is so high that, in a general sense, personal location data should often be regarded sensitive on its own.

Possible consequences of classifying location data as sensitive

Even if we conclude that personal location data should be regarded sensitive, this would not necessarily lead to the conclusion that such location data should be subject to a prohibition of processing unless certain conditions are met, similar to Data Protection Directive art. 8(1) cf. (2). In the future it should be expected that location data will be part of a great number of processing operations, and we strongly doubt that a requirement for data subjects' consent and identification of "necessary" purposes and grounds in all these everyday situations would add much positive to the protection of the individuals concerned. Instead, other safeguards should be considered.

In the latest available version of the proposal for a Data Protection Regulation,159 three provisions exemplify that location data, together with data on children and employees, is added to the special categories of personal data referred to in Article 9(1).160 Within the following three areas, we understand this as giving location data equal status with the generally sensitive data in art. 9(1):

• Representatives of controllers not established in the Union (art. 25 (2)(b))

• Risk analyses (art. 32a (2)(b))

• Designation of data protection officer (art. 35 (1)(d))

The fixed wording of these provisions is: "... processing special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems ..." (bold added).161 Similar regulatory strategies could of course be pursued with respect to other aspects of privacy protection, and classification of location data as sensitive could, instead of regulations like Data Protection Directive art. 8(1) cf. (2), lead to other safeguards similar to those exemplified above.

159 As agreed 21 October 2013.

160 Similar to Data Protection Directive art. 6 (1).

161 This phrasing is used in different contexts, both positively put and with prior negation. However, all three examples clearly strengthen the protection of data subjects.

Possible subcategories of sensitivity and their weight

In the discussion above we concluded that personal location data should be regarded as generally sensitive on its own. This does however not imply that sensitivity should be assessed in the same way regardless of how these data are used. We suggest the following subcategories:

1. Location-enabling services have functions which link location to data which directly reveal (traditionally) sensitive data as specified in Data Protection Directive art. 8(1) cf. (2). Suggested weight: 4.

2. Location-enabling services have functions which facilitate linking of personal location data to other personal data. Suggested weight: 3.

3. Location-enabling services have functions which facilitate linking of personal location data to other geographical data. Suggested weight: 2.

4. Location-enabling services do not have functions which facilitate linking of location to other types of data. Suggested weight: 1.

The four subcategories reflect a traditional approach to sensitivity in the sense that most weight (4) is assigned to positioning and tracking functions which yield information directly revealing the special categories of data as established in Data Protection Directive art. 8(1) cf. (2). Examples are applications directly revealing that a certain position is a church, hospital, site of a demonstration, etc. (e.g. various types of map services). What seems to be the dilemma here is that such functions will probably become even more common and have obvious applications which will be desired by a great number of people. It must, however, be remembered that classification of data as sensitive does not presuppose any prohibition against use, and is only one element of a total individual rights impact assessment. The final assessment would thus rely on a combination of several assessments. Thus, at the end of the day, personal use of positioning and tracking functions assigned top sensitivity (cf. above) will all in all receive a much lower rating than use of the same function by others against the data subject's own will.

The categorization above is based on the general assumption that combination of personal location data with other personal data about the same person will typically generate more sensitive results than combination with geographical data. By geographical data in category 3 is meant everything from topography and speed limits to information on addresses, descriptions of businesses and tions etc. on addresses and other geographical sites. We consider that functions are facilitated for a certain type of data, as mentioned in the subcategories, if it is described how to carry out the necessary operations.

3.2.3 Autonomy of data subjects

In D1 of WP7 we classified four types of situations to capture the degree of autonomy and voluntariness for data subjects who use location-enabling technology.

The following groups were suggested:

• People having competence to exercise autonomy and who are in a free situation to make independent choices.

• People having formal competence to exercise autonomy, but who do not find themselves in a position to make (totally) free choices due to social and economic effects.162

• People having formal competence to exercise autonomy but who are not in a situation to exercise it (cognitively and otherwise).163

• People not having competence to exercise autonomy and who therefore have no freedom to decide in this respect.164

In the following we will build on and rephrase the main elements of this categorization.

Autonomy of data subjects may be seen as a fundamental privacy principle.

There are of course both legal and factual limitations to this principle, for instance concerning personal location data. One central example of a legal limitation is the Data Retention Directive art. 5(1)(f), which establishes an obligation to retain personal location data without regard to the opinion of data subjects. As we understand today's situation, requirements to retain personal location data depend on the type of technology which generates these data. Unless linked to publicly available telecommunication services/networks, RFID-based systems will for instance not be under the obligations of this Directive.165

It goes without saying that possible extended obligations to retain personal location data will have negative effects on privacy, and we will not go into discussions of possible remedial actions if that should happen. Even if formal limitations of data subjects' autonomy (as in the case of data retention) are crucial for an individual rights impact assessment, limitations of data subjects' self-determination due to factual and societal circumstances (not only legal) are probably just as important and will be emphasized in the discussions below.

162 Employees may typically find themselves in this situation.

163 Senile people who have not been placed under legal guardianship, plus certain other groups of hospitalized people who are temporarily incapable of exercising their autonomy.

164 People under legal guardianship are one example, another is people in custody etc. Children under the age of 18 partly belong to this group, dependent on age and maturity.

165 Cf. article 1. It is of course quite possible that retention obligations may be introduced in other fields of society, and given the grounds for existing data retention obligations, it may in principle seem inconsistent if some types of location data are not included in such an obligation.

In D1 we have underlined that technometric location-enabling technology is used as an integral part of many services, i.e. the position of various devices and objects which are closely linked to data subjects may be traced. In addition, biometric technology may be used to directly determine the positions of individuals.

Given the fact that everything has a time and a place, that information on location may in theory be linked to every process, condition, action, event etc., and that several technologies may produce this data, we believe it is probable that in the future, location functions will be available in a variety of devices and situations. Thus, we see the possibility that individuals will live in surroundings where, in order to avoid having their location registered at all times, they will have to turn off and opt out of such functions. Similar to "consent exhaustion"166
