According to press reports, German car giant Volkswagen has banned its employees from using the wildly popular smartphone app Pokémon GO during work hours. Reportedly, the company cited impaired attention and distraction from work as the primary grounds for the prohibition, but data security and privacy issues are supposedly involved as well. Volkswagen has not yet made an official statement on the ban.

This app in particular and augmented reality in general pose many legal questions, especially, in the field of privacy law. The most pressing privacy issue with Pokémon GO seems to be the constant tracking of geolocation data. By agreeing to the Pokémon GO Privacy Policy, the user allows Niantic, the company behind the app, to track the user's “device location [...] and some of that location information, along with [the] user name” any time he or she uses the app.

The Concept of Augmented Reality

The app is based on the concept of “augmented reality,” meaning that the real world environment is “augmented” with virtual elements. The app relies on the users’ GPS location data and images taken by their smartphones' camera devices to let them catch virtual Pokémon monsters on a map overlaying their real surroundings. The real world is used as the setting for the chase.

Data Protection and Privacy Concerns

All gathered data is processed at Niantic’s headquarters in San Francisco, California, United States. While, according to the privacy policy, “information that can be used to identify or recognize [the user]” will, in principle, not be shared, there are still concerns in the Pokémon community regarding the extent to which third parties can access that information. The users’ tracking data could provide information not only on their residency or workplace but also, for example, on their preferred mode of transportation, walking speed and frequency of smartphone use. This information could, by itself or in combination, be considered personal data.

The rules on the collection, use and disclosure of personal data differ among jurisdictions. For example, pursuant to section 3 para. 1 of the German Federal Data Protection Act, personal data is defined as “any information concerning the personal or material circumstances of an identified or identifiable individual.” Within the territory of application of that act, the collection, processing and use of personal data is only permissible in rare prescribed circumstances (see section 4) or with the consent of the data subject. The requirements might be significantly lower in other countries.

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2016. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.