OUT-LAW.COM posts about an opinion on privacy compliance from the EU’s Article 29 Working Party on Data Protection. The issue at hand is the growing ability to triangulate location data with the plethora of data services and devices we use in everyday life: cellphones with location tracking, GPS navigation systems, PDAs that recommend nearby restaurants – so-called “location data services.” The opinion’s primary concern is that location data should only be processed if the user or subscriber of a service that relies on processing the data has consented to the processing. Overall, the opinion’s key principles should be embraced in the US context as well. These include:
- Informing users – the data subjects must be informed of matters such as the identity of the data controller, the reason for the data processing, the type of data processed, how it can be amended and the right to cancel the data. The information should be clear, complete and comprehensive.
- Consent – this must be obtained freely and should not be given as part of an acceptance of the general conditions of the service. Operators should ensure that they can verify and authenticate requests for location data made by third parties offering a value-added service, and that they are sure that the person to whom the location data relates is the same person who has given consent.
- The right to withdraw – consent can be withdrawn at any time and users must be able, easily and without charge, to temporarily refuse the processing of location data. If processing is ongoing, operators must regularly remind users that the device they are using can be located.
- Storage time – storage of location data is only permitted for the length of time necessary for providing the service. It cannot be stored after that, except for billing and payment purposes. If it is, it must be rendered anonymous.
- Security measures – the data must be held securely and only passed on to the person providing a service. All access should be logged.
[via Privacy Digest]