back to article Spain, Austria not convinced location data is personal information

Some authorities in Europe insist that location data is not personal data as defined by the EU's General Data Protection Regulation. EU privacy group NOYB (None of your business), set up by privacy warrior Max "Angry Austrian" Schrems, said on Tuesday it appealed a decision of the Spanish Data Protection Authority (AEPD) to …

  1. Anonymous Coward
    Anonymous Coward

    Start to publish politicians, judges and other "VIP" location data...

    ... and just see how they immediately become Very Personal Data.

    1. Tom 7

      Re: Start to publish politicians, judges and other "VIP" location data...

      They tend to have exclusions to various things - cant have people in a democracy talking to politicians!

    2. Phil O'Sophical Silver badge

      Re: Start to publish politicians, judges and other "VIP" location data...

      In this case, though, the argument isn't about publishing or selling the data, it's about providing it to the subscriber himself.

      The given argument, that the phone may have been with someone else, does make it trickier. As a few examples, what if the phone in question (or the SIM, which is the same thing) is being used in a car and the subscriber wants to check where some other family member has been? Or if it's a shared office phone and the company wants to track the employee it is currently loaned to?

      Essentially, what is being described here is the location data for the phone, not the subscriber, and GDPR does clearly say that it applies to data subjects which are "natural persons". There isn't necessarily a 1:1 correlation, so the court does have a valid point.

      1. NoKangaroosInAustria

        Re: Start to publish politicians, judges and other "VIP" location data...

        You wrote: "Essentially, what is being described here is the location data for the phone, not the subscriber, and GDPR does clearly say that it applies to data subjects which are "natural persons". There isn't necessarily a 1:1 correlation, so the court does have a valid point."

        I disagree. The court does not have a valid point because the issue is not if it a 1-1 correlation should be established between a phone and a person. The location data is being generated by *my* phone, which *I* own and hence, it is my PII. GDPR aims to protect Personally Identifiable Information (PII).

        Even if someone else used it temporarily, this is not any of the Telco's business. I registered the sim card with them, I am paying them the monthly bills, it's *my* PII data which enables anyone with live access to the generated location data to uniquely identify me.

        By the same logic, just for the sake of argument, why would the Telco ask this particular customer to pay a monthly bill for accessing the phone network? After all, it *could* have been someone else using the phone, right? I wonder if that would fly with the Telcos.

        1. Phil O'Sophical Silver badge

          Re: Start to publish politicians, judges and other "VIP" location data...

          I disagree. The court does not have a valid point because the issue is not if it a 1-1 correlation should be established between a phone and a person. The location data is being generated by *my* phone, which *I* own and hence, it is my PII.

          I can appreciate your logic, but I'm not sure if GDPR is written to consider data of something you own as being your data. It is explicit that data subjects are natural persons, i.e. not entities like corporations.

          As another example, imagine that you, as a conscientious parent, buys a phone for your teenage child so that they can contact you if they need to. You're undoubtedly the owner of the phone, and you pay the bill. Does that entitle you to get the phone's location, which is actually the location (and hence the PII) of your child, who also has rights under GDPR?

          I don't think it's a clear-cut issue.

        2. Justthefacts Silver badge

          Re: Start to publish politicians, judges and other "VIP" location data...

          So, if you’re the husband of a traditional Austrian household, who pays all bills including the phone bill, you are demanding the right to receive the full location track of your wife’s phone in electronic form so you can put it into a spreadsheet and see where she’s been?

          Hello Mr Fritzl.

          1. Anonymous Coward
            Anonymous Coward

            Re: Start to publish politicians, judges and other "VIP" location data...

            I'm pretty sure that technology in Austria has reached a point where a phone and its SIM can be registered to a different name than the one on the bank account paying for the bill.

            At least here in France, it has.

            1. Anonymous Coward
              Anonymous Coward

              Re: Start to publish politicians, judges and other "VIP" location data...

              That's neither here nor there, and the court's position, as a general principle, is sound and consistent with jurisprudence and forensic practice.

              The issue is that in this specific case, the interested party has testified in court that nobody else has handled the device in question and thus the location information relates to him alone.

              That is what NOYB are, sensibly, challenging, not the general principle.

              1. Anonymous Coward
                Anonymous Coward

                Re: Start to publish politicians, judges and other "VIP" location data...

                If he doesn't know where he's been, he has bigger problems.

      2. Jimmy2Cows Silver badge

        Re: shared office phone and the company wants to track the employee it is currently loaned to?

        Null condition. If the phone is owned by the company, it is free to install its own tracking software to locate it at any time.

        I find the "someone else might be using it" arguement tenous at best. Possibly true in some narrow band of cases, but it is still no reason to prevent the owner being granted all location data held by the telco.

        1. Phil O'Sophical Silver badge

          Re: shared office phone and the company wants to track the employee it is currently loaned to?

          If the phone is owned by the company, it is free to install its own tracking software to locate it at any time.

          Ah, but that's a very different scenario. If the employee knows the tracking app is there, then they are implicitly consenting to be tracked if they borrow the phone, and if they don't know it is there you're entering fairly murky waters of employment law.

          Neither situation is really covered by GDPR, which explicitly protects the PII of a person, not of an object which they may or may not have with them.

          it is still no reason to prevent the owner being granted all location data held by the telco

          If the telco definitely has location data on the owner, that would be true, but if the owner can't prove that the data identifies their location I would argue that GDPR doesn't require it to be released. It may be someone elses PII, and that's usually enough for the courts to arguable that there is reasonable doubt.

          1. Anonymous Coward
            Anonymous Coward

            Re: shared office phone and the company wants to track the employee it is currently loaned to?

            "which explicitly protects the PII of a person"

            Can people please stop using "PII" when referring to GDPR? GDPR is about "personal data". The 2 terms are not the same.

            https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/

            PII appears to be a predominantly USA term that is a *subset* of GDPR's definition of "personal data".

            The difference being that with GDPR if your organisation has, for example, a database entry for user "1234" containing an indication of what their religion is then that is "personal data" (indeed also "special category personal data"), even if your organisation has *absolutely no idea* who user "1234" actually is - whereas in the USA that would not be classed as PII if user "1234" is not identifiable by your organisation.

      3. Anonymous Coward
        Anonymous Coward

        Re: Start to publish politicians, judges and other "VIP" location data...

        Actually, they are trying to sell the idea they can do whatever they want with the data because they are not personal data. The fact the casus belli was the request of person to know what data they have matters little.

        The fact that someone else may have used the phone is irrelevant - in this sense a car may be driven by someone else, a computer used by someone else, an account used shared with someone else.... just the probability is low enough all of those data can be used to track a single person effectively - and the onus to demonstrate those data are not personal should be on those hoarding the data, not vice versa.

      4. heyrick Silver badge

        Re: Start to publish politicians, judges and other "VIP" location data...

        If the court has a valid point, I'm assuming the court will have suitable justification to refuse to provide the information in each and every case rather than just a blanket refusal "because".

        Our phones are increasingly used as our personal portal to the online world. Banking apps can nominate a phone as a "trusted device" (which is where the requests to authorise payment go). While phones can be stolen and/or used by other family members, I would hazard a guess that the number of such incidents is tiny compared to the number of people who have it in their pockets bleating "here I am" to all and sundry.

        You can't have it both ways.

        1. Phil O'Sophical Silver badge

          Re: Start to publish politicians, judges and other "VIP" location data...

          I'm assuming the court will have suitable justification to refuse to provide the information in each and every case rather than just a blanket refusal "because".

          Indeed, and that raises the issue of the burden of proof. Does the phone's owner have to prove that the phone's location is their location, and hence location data must be released, or must the telco show that there is sufficient doubt that it's entitled to say no?

          I would hazard a guess that the number of such incidents is tiny compared to the number of people who have it in their pockets bleating "here I am" to all and sundry.

          Even so, courts can't provide rulings based on "it's probably true". If the owner can't prove that the data in question is their PII, I do think that under GDPR the court may have to prevent its release.

          1. John Brown (no body) Silver badge

            Re: Start to publish politicians, judges and other "VIP" location data...

            Even so, courts can't provide rulings based on "it's probably true".

            In a civil case, that's exactly how it works :-) It needs to be a criminal case before "Beyond reasonable doubt" comes into play. Of course, I'm not a lawyer nor am I familiar with the Spanish or Austrian legal systems.

  2. hoola Silver badge

    It is personal

    The trouble is that as soon as you start to make exceptions it becomes too easy to aggregate other bits of data that are also not seen as personal to create a very accurate profile.

    Location data is going to be one of the main tools in joining up the dots.

    1. Anonymous Coward
      Anonymous Coward

      Re: It is personal

      Exactly. The biggest threat to privacy isn't specifically data, it's link-ability of data. People are always surprised that they get served with ads for things on their phone despite never searching for that thing on their phone, they just never consider that "innocuous" data can be combined.

  3. Piro Silver badge

    Hm, I'd say..

    .. That knowledge of a person's whereabouts at any time is some of the most personal data.

    1. Neil Barnes Silver badge

      Re: Hm, I'd say..

      I would agree. But the meat of the judgement seems to equate 'someone else could have used the phone' with 'therefore it's *not* personal data any more'.

      1. Mike 137 Silver badge

        Re: Hm, I'd say..

        "But the meat of the judgement seems to equate 'someone else could have used the phone'"

        Objectively, records of those instances where the data subject did use the phone are that data subject's personal data and are therefore subject to disclosure. The duty (if any) of unscrambling which location records pertain devolves on the data controller, and 'inconvenience' of doing so would not be a get-out. Furthermore, in any case where the location records are aggregated with other personal data (e.g. phone contract data) those records become personal data by virtue of the aggregation.

        'Someone else could have used the phone' therefore looks very like an excuse to circumvent the legislation (such a common phenomenon that the GDPR has become in many ways ineffective as a protection of data subject rights).

        1. doublelayer Silver badge

          Re: Hm, I'd say..

          Exactly this, because I can already tell you the next step. Since someone might use the phone, then it can't be your personal data. Since your IP address is shared, that's no longer personal data. Since your activity could be from a different user, it too is no longer personal data. Since the recording of your voice could be of someone else who sounds a lot like you, it's no longer personal. As long as they can claim some reason that it might not be you, they can argue it's acceptable for them to treat it as nonpersonal data, which even under the extreme arguments seen here wouldn't make sense. Mobile operators know the value of selling location data and they probably also know that the next step is to make them delete it or provide more information on how they're using it, neither of which they want to do.

        2. John Brown (no body) Silver badge

          Re: Hm, I'd say..

          "The duty (if any) of unscrambling which location records pertain devolves on the data controller, and 'inconvenience' of doing so would not be a get-out."

          On the other hand, isn't there a get-out clause where it would be too complex or too expensive to retrieve the relevant data? If so, then it would almost impossible to identify if a phone has been shared or loaned out and remove that data from the request. Now that we are aware of this data access request and the legal decisions reached so far, it's starting to sound a lot more complex than the "simple request" it seems to be on the face of it.

      2. Anonymous Coward
        Trollface

        Re: Hm, I'd say..

        Someone else could've used that axe, therefore it's not the murder weapon any more.

        1. Jimmy2Cows Silver badge

          Re: Hm, I'd say..

          More like: someone else could have used that axe, therefore it alone can't prove that I'm the murderer. The axe itself is still the murder weapon.

          As a side note, my internal grammar nazi appreciates the correct use of could've rather than the grotesque abomination that is could of, so thank you :)

      3. Jimmy2Cows Silver badge

        Re: someone else could have used the phone

        It's a ridiculously flimsy technicality. And it doesn't make the data any less personal, and therefore the phone's owner is entitled to that data on request.

        Whether or not the owner loaned the phone to someone else is of zero concern to the telco. They're simply using it as an excuse to avoid compliance, and should be hammered hard for that.

        1. Anonymous Coward
          Anonymous Coward

          Re: someone else could have used the phone

          They're simply using it as an excuse to avoid compliance

          What reason would they have for doing so? They have the data, they've said they would release it to duly authorised law enforcement, so why do you think they don't want to release it to the owner, other than they would be in breach of the law if they did?

          1. doublelayer Silver badge

            Re: someone else could have used the phone

            It would define it as personal data that the owner has rights over, meaning the owner can request other actions be taken, such as its deletion. They don't want to comply with those requirements, so they're trying to define it as data over which the owner doesn't have such rights. If they succeed, they will face fewer restrictions.

          2. John Brown (no body) Silver badge

            Re: someone else could have used the phone

            "they've said they would release it to duly authorised law enforcement,"

            If there is a court decision on record stating that phone location data is not personal information because it may not relate to the phones registered owner, then it strengthens an interesting legal defence whereby the location data has a lower value in evidence.

    2. Pascal Monett Silver badge

      Re: Hm, I'd say..

      Agreed, but if you want your mobile phone to be useful, the telco has to know which tower can contact you.

      This is going to be a thorny problem.

      1. John Robson Silver badge

        Re: Hm, I'd say..

        No objection to them having the data - but they should be required to:

        - Keep that data secure

        - Not share that data with any third parties who don't have a warrant for the information

        - Share that data with the subscriber

        1. DJV Silver badge

          Re: Hm, I'd say..

          Yes, and also, delete that data after an agreed time period.

          1. Jimmy2Cows Silver badge

            Re: Hm, I'd say..

            Why the downvote? This is a perfectly reasonable request for any sane data retention policy. There is simply no valid reason to hold onto everyone's location data forever.

            The tiniest chance that it might tie someone to a crime say 20 years after that crime was committed, is not a valid reason.

            1. Jonathan Richards 1
              FAIL

              Re: Hm, I'd say..

              I certainly agree, but I think that this is as good a place as any to say that if, in 20 years from now [1], a Spanish court tries to tie me to a crime on the basis of phone location data, my lawyer merely has to say, "Ahh, no, you see, because someone else might have been in possession of my client's phone". I think that then the prosecutor would have to prove without doubt that I had been in possession of the damn thing at the time. The baby in the bathwater is the probative value of the location data exactly for the purpose of tying a person to a crime scene.

              [1] or any time period at all, in fact.

              1. jmch Silver badge

                Re: Hm, I'd say..

                Criminal law requires a higher burden of proof then civil law.

                I can claim that the location of my phone is personal data and the network should provide me that data (under civil law), while still being able to argue that the location of my phone is not necessarily my location (as a defence in a criminal case)

        2. John Brown (no body) Silver badge

          Re: Hm, I'd say..

          I agree 100% with the first two, but I must admit I can't think of a valid reason WHY the phone owner would need to access that data other than "because it's mine". I can see the need for legally defining it properly and how it can be legally used, but why would anyone need it? This feels like one of those gray areas and someone wants to push the boundaries to see where the line actually is, or maybe someone else has an underlying agenda for good or ill.

          Also, as others have said, why do they even NEED to collect and store location data for more than a short length of time, eg days, weeks or even a billing period?

          1. jmch Silver badge

            Re: Hm, I'd say..

            "I can't think of a valid reason WHY the phone owner would need to access that data other than "because it's mine"."

            To start with, because I want to know what of my personal data is being stored, and no other reason is really required

            1. John Brown (no body) Silver badge

              Re: Hm, I'd say..

              Fair enough, that's a good reason. But if there was no reason, or even a law stating, that the location data could only be held for very limited time, eg to cope with billing disputes, say a month or two, would you care as much then? For that length of times, it would be *required* data. After then, it's not *required*, just something they feel it's "nice to have" and can sell on, supposedly anonymised, which I think is the real problem. I'm also not happy about EE or whoever knowing, possibly within a few metres, everywhere I've been over the last 5-10 years.

              On the other hand, I don't feel a need to see that data. I already know they have it, and requesting a copy isn't going to help me in any way. On the gripping hand, if someone with the time and resources to challenge this data retention wants a full copy so they can then use it evidence to challenge the need for telcos to even have this data, then IMHO that's a good reason to request it, That's why I made the comment about an ulterior motive, for good or ill.

      2. doublelayer Silver badge

        Re: Hm, I'd say..

        For my phone to work, the provider needs to know which tower can contact me right now. That means they will necessarily know my phone's general location at the moment. They have no need to know which tower was needed to contact me a week ago and could safely delete that data. Just as your router doesn't need to record each packet you send, just any information needed to route to the right device for active connections, the phone companies can provide the same service with the same quality without needing to collect all the data they do or retain any of it over a longer period.

        1. jmch Silver badge

          Re: Hm, I'd say..

          "without needing to collect all the data they do or retain any of it over a longer period."

          But in most (all?) countries they are legally required to hold on to that data for some period

    3. Wade Burchette

      Re: Hm, I'd say..

      This is one of the reasons why I keep my phone's GPS antenna off. The best the government, Google, and my mobile phone provider can do is see which towers my phone went to. That may provide a general idea of travel, but never my exact location.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hm, I'd say..

        Depends on where you are. In a rural area they can locate you to a few sq km, but in a city they can probably pinpoint the street/building. It's how emergency services locate accident victims.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hm, I'd say..

        "The best the government, Google, and my mobile phone provider can do is see which towers my phone went to. That may provide a general idea of travel, but never my exact location."

        The mobile operator knows exactly where all their cell sites are (postcode and location co-ordinates).

        In order for mobile networks to work in the 1st place the network needs to know which cell your phone is currently in. Signal strength will give an indication of distance from the centre of the cell. However as mobile phones are obviously mobile (at least some of the time) for seemless cell-to-cell handoff the network also needs to know a phone's signal strength with adjacent cells also. So combine those to give of an approximate location within the cell.

        Any change is signal strength with adjacent cells gives an indication of direction of travel. The rate of increase/decrease in signal strength gives an indication of approximate speed of travel.

        Combine all the above together to indicate approximate current location and, if moving, an indication of method of transport (walking/driving, based on speed). Overlay on a map to see things like roads and pavements to increase accuracy as to likely position.

        Obviously this is more accurate in a urban area as the size of cells tend to be smaller.

      3. jmch Silver badge

        Re: Hm, I'd say..

        Your phone's GPS is a receiver not a transmitter. Even when it's on, no one can use it to determine your exact location.

        What could, and maybe does happen is that your phone knows your exact location, which can then be used by some apps on your phone, which can then store and/or forward that data to someone else. I'm not sure if that's what you meant, but it's good to be clear.

        With respect to the general tower area vs specific location, each tower that can communicate with your phone keeps a track of how strong the signal is, and your phone is always contacting multiple towers at the same time to allow handover of calls while moving. Due to the hexagonal/honeycomb tower mapping typically used, your phone is usually in touch with at least 3 towers, allowing triangulation. Even if signal strength does not 100% correspond to distance (because of physical obstacles), it's probably good enough to triangulate your position to within probably 100-200m or so.

        Telcos are AFAIK legally obligated to store records of which tower your phone was connected to. Technically (and in most jurisdictions, I would also think legally) there is nothing stopping them from also recording signal strength samples from multiple towers and thus having a more detailed location map.

        If you don't want to be tracked, switch the phone off or leave it at home

  4. Potemkine! Silver badge
    Pint

    Go Max, Go!

    We need more people like you.

    1. OhForF' Silver badge

      Re: Go Max, Go!

      I hope you're not only cheering him on but although support noyb.

      It really seems to be an uphill battle to get all those "data controllers" to play by the rules and our politicians seem to be unable and/or unwilling to effectively tackle the problem.

      I wonder what the real reasons for the "data protection authorities" are to side with companies claiming data about where i have been is not personal data.

      That the data isn't 100% accurate for my location because somebody else might have used my phone is not a convincing argument.

  5. VoiceOfTruth Silver badge

    Some authorities in Europe

    Both countries having very much a state vs the people history and attitude. You have lots of rights in Austria, right up until a minister says you don't. Spain is not so different.

    1. OhForF' Silver badge

      Re: Some authorities in Europe

      > You have lots of rights in Austria, right up until a minister says you don't<

      If you believe that you give minister's way too much power.

      You have to stand up for your rights and bring it to the court though - moaning about it on el reg or at the pub won't help.

      When the law says you have the right and the courts agree it doesn't matter what the minister says (at least in the long run).

      As officials ignoring or trying to overrule laws happens more often than they used to we might have to think how to better deter them.

    2. Anonymous Coward
      Anonymous Coward

      Re: Some authorities in Europe

      The issue is really that big companies have lost the GDPR round, and now are trying to lure privacy authorities to make it ineffective. The Irish DPC is trying to slow everything down so much any complaint is ineffective.

      Others like Spain and Austria look to take a stance that with much probability won't stand in courts, but it means you need someone like nyob to challenge such decisions in a court, because most citizens don't have the resources. And meanwhile they can do what they like with data.

      You also see the attempts to put ICO in UK under government control, denying its independence.

      1. Mike 137 Silver badge

        Re: Some authorities in Europe

        "now are trying to lure privacy authorities to make it ineffective"

        and are succeeding quite nicely. The latest from UK Govt brings this home very clearly. They're intending in many cases to do what they originally proposed despite a majority of responses to the initial consultation rejecting the proposal. And the proposal often weakens the protections the legislation offers to data subjects.

  6. Xair

    Nice article - thank you.

    Something else to consider. Here in Spain, to obtain a mobile phone from a store, you need some identification. It is the law that this identification is registered by the store with the phone you are buying. I think the Spanish case is going to prove rather interesting. Because right now there are difficulties faced by rather a lot of UK people in Spain having to prove they were in the country before 31/12/2020. And they have begun asking for their location data to prove their whereabouts to the immigration authorities. The argument raised in the Austrian case may not work here in Spain for the reason I describe above. The location data is locked to personal information. The individual was compelled to provide government-issued identification to obtain their phone. Therefore, the phone joins the family of personal information. An individual has a right to personal data under GDPR, especially when it has been married in this manner. It will be interesting to see this case make its way to Brussels.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like