More than a decade ago the e-Privacy Directive mentioned “location data” in the context of telecommunications services. At the time that was almost entirely about mobile phone locations – data processed by just a handful of network providers – but nowadays many more organisations are able to gather location data about wifi-enabled devices in range of their access points. The law (and our own instincts) treats location as a relatively intrusive form of personal data – though it’s not included within the formal category of “sensitive personal data” – so organisations are rightly concerned to handle it correctly.
Although the e-Privacy Directive’s location provisions formally only apply to users of publicly available telecommunications services (Art.2(c)), the Directive is derived from general data protection law so provides at least good practice guidance for private networks as well. The Information Commissioner has recently published advice on wifi location data, though three different types of use are covered in three different documents:
- First a category that’s only mentioned in the Directive: location data that is traffic data (Article 9’s special rules only apply to “Location Data Other Than Traffic Data”). Where the location of the device is processed “for the purpose of the conveyance of a communication on an electronic communications network” (Art.2(b)) it can be treated in the same way as IP addresses and other traffic data. This would seem to cover things like knowing which access points a device is near in order to transmit its traffic from the best location. These are covered by the ICO’s general guidance on Traffic Data.
- Then there’s a range of location-aware services that can be offered to the user. These could range from “where is my (lost) device?” to “where is the nearest helpdesk/printer/bus?”. Legally, these are still relatively straightforward as location data only needs to be processed for the devices whose users have signed up to the service. Information about the data and processing involved can be provided to users as part of the signing up process: the ICO’s guidance on Location Data suggests how organisations can ensure they have valid consent for this processing. In particular location data shouldn’t be processed for anyone who hasn’t signed up to the service.
- Finally, some organisations are using the radio signals emitted by wifi devices to identify popular locations, how people move around an area, and so on. This is considerably more challenging from a legal perspective as it’s likely to capture and process locations of all live devices, including those that haven’t signed up to a service or connected to a network. Unless the system is only deployed in a physically secure area, it can’t even be assumed that all devices are carried by members of the organisation. As the ICO’s guidance on Wi-fi Location Analytics points out, the only way to inform individuals of this processing is likely to be through physical signs. With the only ways to opt-out of processing being to avoid the area or turn off your device – neither of which will be possible for some visitors – the ICO strongly recommends conducting a privacy impact assessment to ensure the activity can be justified, and using strong technical and organisational measures to protect all those affected by it.