Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy Lukas Gundermann Independent Centre for Privacy Protection Schleswig-Holstein ld2@datenschutzzentrum.de

Basic Notions Self determination with regard to personal data: The right to control who gets which personal information at which opportunity Personal data (data relating to a person): Any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject). Data protection: Not protection of data but protection of people against unauthorised use of personal data (= privacy) Data security: means of data protection Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 2 / 13

Location Data as “Classic” Traffic Data in Telecommunication Traffic data: Information about the circumstances of a telecommunication process E.g.: Who called whom at which time? X While the phone is on stand-by(?) With the GSM standard also: In which cell is the mobile phone located X While a communication process is going on Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 3 / 13

Location Data as “Classic” Traffic Data in Telecommunication Consequences: There is already the danger of creating a profile of the movement of the user Due to the size of the cells it is only rough As far as it is known the telecommunication providers X X Store the location information about the active telecommunication processes (Legal competence?) Don’t store the mere stand-by signal Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 4 / 13

Additional Personal Data on the Internet With the internet (especially the www) new information emerge Traffic data contains additional information regarding the services customers use Without encryption that information can be easily tapped on the way through the net More important: It can be collected at the web server, a user profile can be created (especially with banner ad companies) Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 5 / 13

Bringing it all together: The Mobile Web For the intended services the location information must be much more precise Tracking user’s movements is part of the service, this can include creating a profile The services will be offered by third parties - There will be a greater number of recipients of data Conclusion: A greater volume of more precise location data will be spread to a larger number of persons and organisations Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 6 / 13

Solutions: Consent of the Users 1 Absolutely crucial: Users have to give their clear and unambiguous consent It must be an informed consent, meaning that users have to be well informed about which data will be collected, for what purpose they will be used when they will be deleted etc Problem: Is there a gradation of consent? Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 7 / 13

Solutions: Consent of the Users 2 Gradation of consent: Allowing some services to receive location data, others not Data processing is limited to the consented purposes; for different purposes a new consent would be necessary A special consent is necessary for transfer of data to third parties Users must have access to their own personal data and profile Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 8 / 13

Solutions: Consent of the Users 3 Important: Having the possibility to withdraw the consent at any time for the whole service or only for parts of it An appropriate legal framework is necessary but not sufficient. There also have to exist technical means for this kind of consent-management Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 9 / 13

Solutions: Anonymity / Pseudonymity For delivering the service it is not always necessary to know the users identity What is necessary is to link a profile to always the same user There are also more or less pseudonymous or anonymous techniques of payment available Pseudonymous profiling would also be permitted according to the German law (Teleservices Data Protecion Act) Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 10 / 13

Legal Framework 1 European law: The 1997 directive (97/66/EG) on protection of telecommunication data covers location data as subspecies of traffic data Processing of this kind of data is only permitted if necessary for the service itself or for billing purposes A proposal for a new directive makes it even clearer: It has special provision for location data According to that provision location data can only be processed if made anonymous or with the user’s consent. There is one exception that needs to be discussed Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 11 / 13

Legal Framework 2 German law: The 1996 Telecommunication Act (TKG) covers location data as traffic data in telecommunication Processing is only permitted if necessary for the service or for billing purposes and some purposes that are closely connected The 1997 Teleservices Data Protection Act covers the processing of personal data by ISPs It applies also on the web based services that work with location data. The provisions are alike the ones of the TKG, but in addition the Act allows pseudonymous profiling. Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 12 / 13

Conclusions There are first steps towards a legal framework for mobile web applications in Europe , nevertheless there is still some work to be done Most important at the time being is to develop mobile devices that give users control over their location data It is necessary not to have only a general option but to be able to give a graduated consent and withdraw it at any time Besides, technical means should be developed, that serve the principle of minimisation of data and allow the anonymous provison of mobile web services. Independent Centre for Privacy Protection Schleswig-Holstein Mobile Web Privacy - 13 / 13