A key European Union governmental privacy group has published a key document [PDF] with recommendations about locational privacy, and it’s likely to be influential among EU member states, and perhaps the U.S. as well. The recommendations go above and beyond what’s been discussed so far in the U.S., and they come just as both Google (NSDQ: GOOG) and Apple (NSDQ: AAPL) are being interrogated on Capitol Hill about their policies when it comes to mobile phones and privacy.
The opinion was published by the Article 29 Data Protection Working Party. The Article 29 group is part of the justice division of the European Union, and is formed by a representative in charge of data protection (privacy) in each EU member state. When the Article 29 group puts out an opinion, its recommendations can be followed by either individual EU states or the EU itself.
The conclusions of the opinion aren’t law; they become law only if the EU itself or EU member states choose to pursue the recommendations in the opinion. The group has been influential in the past. It was the Article 29 group, for example, that ultimately set limits on how long search engines should be retaining their search data.
“I think this is a bombshell for the industry,” says Jeffrey Chester, executive director of the Center for Digital Democracy, who suggested that the EU opinion may well influence the U.S. online privacy debate. “This group sets the global privacy agenda. You can be sure on the Hill they’re following this closely.”
The main recommendations of the EU report include:
» The report emphasizes that location information is sensitive data and service providers that use the data should obtain “prior informed consent.”
» The consent should be specific; it can’t be obtained through “general terms and conditions.” Does the service aspire to help a smartphone user determine the answer to the question: “Where am I right now?” Or is the purpose to determine “Where are you, where have you been, and where will you be next week?” Either way, the user should give specific consent for the service she is using. If the purpose of the data use changes, consent must be obtained again.
» Users should be “continuously warned” when their location data is being used, in order to prevent “secret monitoring.” One good way to do this would be with a persistent visible icon. (Apple was careful to explain to Congress last week it is already using such an icon on iPhones, and that can’t be circumvented by app developers.) And consenting to a one-off service doesn’t mean a user has consented to a “regular subscription.”
» Consent should be renewed after an appropriate period of time. “For instance, it would not be in order to continue to process location data where an individual had not actively used the service within the previous 12 months,” states the opinion.
» Users must be able to withdraw their data, “without any negative consequences for the use of their device.” They should also be able to “access, rectify and erase possible profiles based on these location data.”
» Obtaining consent is “problematic” with regard to employees and to children. Employers must be limited in any use of smartphones to track employees. “The employer must always seek the least intrusive means, [and] avoid continuous monitoring.” Employers should investigate whether it is “demonstrably necessary to supervise the exact locations of an employee.” In any case, employees must be able to turn off monitoring devices outside work hours and should be shown how to do so, the report states.