The European Commission organised a workshop in Brussels to discuss current practices and legal challenges that operators and users are confronted with when offering location-based services.

At the heart of the discussion lies the “e-Privacy Directive” 2002/58/EC. Article 9 of this directive establishes specific conditions for the provision of certain location-based services.

The European Commission's aim was to learn what the industry and interested parties have to say vis-à-vis the current practices in offering location-based services, and specifically with regard to issues such as:

  • user consent;
  • informing the user;
  • the withdrawal of consent;
  • the processes for the gathering of this type of information.

The European Commission was also interested in finding out whether there are any user complaints at this point in time and if there is any guidance in the Member States with regard to the interpretation of the rules imposed by the e-Privacy Directive.

The complete European Commission issue paper can be accessed by clicking here.

Session 1 of the workshop revolved around the current practices in offering location-based services. Mr. Pat Walshe (Hutchison 3G UK - hereafter '3') and Mr Roberto García-Soto Retuerta (Telefónica Moviles España) presented cases, focusing on the UK and Spain.

Mr. Walshe indicated that there are currently only services whereby the user himself indicates that he wishes to be located. There are no third party services available yet on 3’s network. Mr. Walshe stressed that all location data is erased from 3's system once the service is delivered and, in view of recent events, this is subject to discussion in the UK in the context of anti-terrorism measures.

With regard to future passive services (where the user can be located by other people) 3 considers it a minimum requirement that these services should comply with the UK Code of Practice regarding these matters. This Code of Practice has been established by industry, in co-operation with interested parties.

3’s main message was that such industry-defined codes of practice are considered sufficient and that self-regulation by the sector should be promoted. No new regulations should be added or imposed.

Mr. García-Soto Retuerta presented the Spanish case, in which he differentiated between three types of services, ranging, in his view, from the fairly innocuous, to the more delicate. He presented the case of SMS or WAP navigation (where users want to find their location, or where they want to locate places such as restaurants or banks nearby), where the user initiates the finding of a location, which is within the public domain. The second case involves employee tracking services (such as fleet tracking), in which the use is strictly business, but it is unclear whether the subscriber or the user has consented to the tracking of the user. The third and last case is where users themselves are tracked by others (so-called Find a Friend services).

Telefónica Moviles' position is that the three types of services should not be regulated in the same fashion. It is unclear from the Directives if it is possible to differentiate in treatment between different types of services. Mr. García-Soto Retuarta agreed with the position of 3 that current regulations are sufficient, but he added that there is a risk of over-regulation in the implementation by Member States (citing the example of Spain, where a regulation has been introduced that the user must be given a prior notice of 30 days of all the conditions surrounding the service, thereby making it impossible for a user to use a large number of location based services (a user does not know 30 days in advance that he will want to hail a taxi for example)). Telefónica Moviles would therefore like to benchmark best practice.

Session 2 focused on the current challenges for the protection of consumer data. Presentations were given by Mr. Ioannis Maghiros from the European Commission, DG JRC, Institute for Prospective Technological Studies and Mr. Mathias Moulin of the French Data Protection Authority (CNIL).

Mr. Maghiros gave a general overview of the issues and raised a number of additional concerns, such as the use of emerging technologies such as RFID and IPv.6. In general Mr. Maghiros advocated that the number of actors who obtain user location data should be minimized and he proposed that there should be a role for a Trusted Third Party, to perform audits and to ensure that all parties adhere to the rules.

Mr. Moulin of the CNIL presented a set of recommendations which the CNIL has drafted for implementation in France. The CNIL has based these guidelines on the elements present in Article 2 of Directive 95/46/EC and Article 9 of Directive 2002/58/EC. These recommendations however did not seem to be entirely cast in stone yet.

In the discussions following the presentations, a number of questions were raised and not entirely answered, indicating that this is a brand new topic, and many of the issues have not as of yet settled. It became clear that there is no view on how to deal with trans-border location-based services and that there is no harmonisation with regard to how long the data should be retained. Ireland, for example, has introduced a three-year retention period for all incoming and outgoing data, across the board (i.e. not for targeted persons only).

It is also clear that the issue of consent is dealt with differently in the various Member States, especially where children are concerned. Remarkable in this respect was the recommendation of the CNIL, in which all users are treated in the same fashion: a user must consent to being tracked, also if the user is a minor, including small children.

There was also no consensus on where the liability for consent collection should reside (operators vs. service providers). Mobile operators appear not very inclined to allow third party service providers to provide location-based services on their networks. Current tests involve only a few third-party service providers and these have to undergo a very stringent auditing process by the mobile operators.

Mr. Peter Scott from the European Commission, who chaired the workshop, concluded the day's proceedings by confirming that the Commission has no intention to impose new or stricter regulations, but that the review of the directives is upcoming and that this is an opportunity to plug holes that may become apparent. Mr. Scott also asked if there was an opportunity for the Commission to assist in certain matters, such as, for example, the supranational co-ordination of national codes of conduct.

A follow-up workshop on these issues is not planned. However, if the Commission would issue guidelines in this area they would be tested against the opinion of interested parties.

For further information, please contact Alexa Veller.