The analysis of location data has seen a meteoric rise to the top of many marketeers' efforts to understand consumer patterns; in turn, they give consumers exactly what they need, when they need it.

Now that's a good thing for the consumer, right? But is it okay that their apps know where they were last night? By simply using the internet or enabling location services while using apps – should their data become fair game?

And what if it's not being used to further business interests but to stop the spread of a virus, as was done with the Covid-19 pandemic? Governments used location data to track affected individuals, map people they were in contact with and alert others in the locality of the same, which did help contain the virus to a certain extent.

There are obviously benefits to tracking technologies, but maintaining that ethical line between innovation and invasion of privacy is something that businesses and governments must be mindful of.

Do individuals have a right or a remedy in law that would safeguard their privacy and hold others accountable for its violation with respect to location data?

This article raises the need to consider location data as personal data, by providing different scenarios of its applicability in every-day life. To put this in better perspective, let's first understand what location data is and its treatment under the EU General Data Protection Regulation (GDPR) in the context the Indian Personal Data Protection Bill, 2019 (PDP Bill).

What is Location Data?

Location data refers to data collected on a specific geographical position of a device or subject. In other words, it is information on where a person or device is located. An example of source of location data is the IP address available of different device, which could be potentially used to track the location of that device and subsequently of its user. Location data also related to the direction in which a user's device is travelling, or even record of the real-time location information of the device and its user.1 A device could record information on its location through different ways, and is therefore the reason we will be discussing it in context with data protection and privacy.

What are the Types of Location Data?

  • Global Positioning System (GPS) it is a navigation system that uses satellite to obtain a location.
  • Software Development Kit (SDK) is a software code installed in an app. It aids in the collection of location data from device installed on.
  • Bidstream (data collected from the ad servers when ads are served on mobile apps and websites.)
  • Beacons broadcast location of the device.
  • Wi-Fi with the support of other technology, it can be a used for tracking.
  • Mobile Device ID a unique number to each device which can be used as an identity.
  • Carrier data/cell towers calls are routed which can be traced back to the location of the call.
  • IP Address2 can be used to get real-time location of a device using the internet

What does Identifiability of Data Mean?

Is location data an identifier of an individual's personal data? To answer this, we must first understand the concept of ‘identifiability', in the context of personal data. ‘Identifiability' is the factor at which the individual can be distinguished from the others3. An individual could be identified either directly or indirectly. Information such as an address or phone number would be used to directly identify the individual. While, postcode or health data could be used as additional information to attribute information back to an individual. Listed below are a few scenarios of location data collection.

  • Search Engines, Apps and Websites

Search engines such as Google, use location information to provide certain services to customise user experience. The location data is sourced from the device's IP address which provides read-time data. When an app has other related apps, the information contained in these apps regarding the users' activity would be recorded.

  • IP address paired with the Internet

An IP address is a required for any device to use the internet. They allow access through an internet connection to different websites. Some websites are specifically availed from a region and this could be used to get an idea about the user's location. Search engines, or even apps and websites could customise and provide relevant services and user experience.

  • Saved location

Apps such as Swiggy, Uber and Google use location for their services. They would prompt users to save a location for convenience to save time for future use. This is easily used by the app to find the relevant location data to provide a customised user experience.

  • User activity trend

When the user has been actively using an app or a website, it could record the trend and allow history of the usage be saved for analysis.  Upon analysing a trend of the user's activity could be revealed. This would bring up items that are relevant to the user's interest based on the trend of activity. However, this is subject to the settings and permissions allowed on the app or website by the user.

  • Navigation Services

When a navigation service or maps is used, the current location and desired location is being access through the device. The route is provided according to this location that has been allowed to be accessed by the navigation app.

Understanding ‘Identifiability' of Location Data

PDP Bill, 2019:  Clause 2(28) of the Personal Data Protection Bill, 2019 defines ‘personal data' as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.”4 This definition does not include location data as personal data. Since location data can be used as a source for profiling an individual, it is imperative to include location data as personal data through legislative amendments. This should ideally include guidelines for the protection against de-identification and de-anonymisation of location data.

Currently, the Bill defines the concept of ‘anonymisation' under Clause 3(2) as, “in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority.”5  In other words, it is as an irreversible process by which data cannot be identified once it is converted. Here, all identifiable elements relating to the individual are removed to ensure that the data cannot be related back to the individual, thus making identifiability difficult. This definition could be expanded to include an ‘pseudonymisation' of location data collected by data fiduciaries as provided in the GDPR.

EU GDPR: The GDPR includes the concept of ‘pseudonymisation', which help data controllers (similar to data fiduciaries under the PDP Bill) meet their data protection requirements. It is defined under Article 4(5) as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual.”6 Simply put, ‘pseudonymisation' is the process of separating data identifiers from the data, without holding any additional information, where identification is not possible7.

Further, the GDPR defines ‘personal data' under Article 4(1) as, “any information relating to an identified or identifiable natural person (‘data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”8 It specifically mentions a few types of identifiers namely “a name, an identification number, location data, an online identifier.” In addition to this, biometrics or fingerprints are also considered to be identifiers9. Identification of a device through certain identifiers could include those mentioned in Recital 30 of the GDPR, which provides “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”10  From this, location data identifiers could include Internet protocol (IP) addresses, cookies and radio frequency identification (RFID) tags.11

Profiling Through Location Data by Data Fiduciaries

Data Profiling is the process of compiling and analysing different data sets, and understanding its relationship with a set of raw data gathered from different sources.12 If such a profile is created for an individual, it could most likely be sold to businesses for targeted marketing of their products or services. Some smart phone users are unaware that they have granted location access to different apps on their phone. Once permission is given, the data will need to be collected, processed and protected according to the standards outlined in the GDPR. These individuals are subsequently tracked through apps, which extract personal information to study lifestyle patterns of the users for advertising purposes. Sometimes apps also track ‘real-time' location that create a pattern of location history, making it a source of exploitation for commercial use.13

In some cases, a compilation of multiple sources of location data could be used to create a profile which could de-anonymise data.14 This profile could be constituted using demographic metrics such as home location, real-time location, tracking, or related elements that would reveal behavioural patterns of an individual. It could also reveal transactional metrics such as recent purchases, history of payments, pattern of visits and modes of transport or routes taken, etc.15.

Behaviour profiling is another way in which location data can be used for targeted marketing. For example, a history of an individual's frequent travels, could warrant him viewing Ads on vacation packages even if he is not currently planning a vacation. This is the extent to which location data, coupled with other data sets on an individual, could easily create a whole picture of that individual.

What could be the compliance requirementsfor data fiduciaries?

Currently, the compliance requirements for data fiduciaries are not provided in the Indian context, under the PDP Bill. However, borrowing from the UK PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003)16, which applies to security of public electronic communications services and privacy of users of electronic communications services, some of the possible compliance requirements for the Indian context would be:

  • Processing of location data of a public electronic communications network or service user could only be allowed when it is not possible to identify such user from the data.17
  • When processing of location data is done for a value-added service, i.e., services beyond what is necessary, then consent of the user should be required. Before seeking such consent, the user should be provided with data relating to the types of location data that will be processed, the purposes and duration of the processing of those data, and whether the data will be transmitted to a third party for the purpose of providing the value-added service.18
  • Restrictions on processing location data should be disregarded any individual makes emergency calls to the police, fire station or ambulance services, or any such scenarios.19

In conclusion, it is evident that by including location data in personal data under the PDP Bill, there would be proper regulation and usage to protect all aspects of an individual's privacy.

Footnotes

1 https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/location-data/

2 https://www.quadrant.io/resources/location-data

3 What is personal data? | ICO

4 http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf

5 Ibid.

6 https://gdpr.eu/article-4-definitions/

7 Top 10 operational impacts of the GDPR: Part 8 – Pseudonymization (iapp.org)

8  https://gdpr.eu/article-4-definitions/

9 https://gdpr.eu/eu-gdpr-personal-data/

10 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 /  https://gdpr.eu/recital-30-online-identifiers-for-profiling-and-identification/

11 https://gdpr.eu/eu-gdpr-personal-data/

12 https://www.pwc.in/assets/pdfs/consulting/cyber-security/data-privacy/decoding-the-dos-and-donts-of-data-profiling.pdf

13 https://www.businessinsider.in/tech/news/how-smartphone-apps-extract-your-data-via-location-tracking/articleshow/81126311.cms

14 https://www.americanbar.org/groups/business_law/publications/blt/2019/04/geolocation/

15 ibid

16 https://www.legislation.gov.uk/uksi/2003/2426/pdfs/uksi_20032426_en.pdf

17 Reg. 14(2)

18 Reg. 14(3)

19 Reg. 16

Originally Published 29 September 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.