Author: Robert Zammit
The fundamental principles of Data Protection legislation are to safeguard the individual’s right to privacy and the correct processing of personal data. These principles are however continuously challenged by the development of new technologies and the ease of data flow especially through the internet. One of the main challenges of service providers through the internet is be able to identify the location of their customers, especially in regulated businesses, to be able to decide whether they are in a position to legally offer their services to that customer in that jurisdiction.
To be able to identify the location of the customer, service providers may avail themselves of geo-location tools which collect data on the customer, such as the customers’ Internet Protocol (IP) address or GPS coordinates. However, the use of these geo-location tools creates some concerns from a data protection perspective, since the collection of such data constitutes processing of personal data and hence falls within the parameters of the Data Protection Act 2002, Chapter 440 of the Laws of Malta (hereinafter ‘the Act’).
The Act is clear that personal data may be processed only if –
- the data subject has unambiguously given his consent, or
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the requested of the data subject prior to entering into a contract, or
- processing is necessary for compliance with a legal obligation to which controller is subject, or
- processing is necessary in order to protect the vital interests of the data subject, or<
- processing is necessary for the performance of an activity that is carried out in the public interests or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed, or
- processing is necessary for a purpose that concerns a legitimate interests of the controller or of such a third party to whom personal data is provided
Under Subsidiary Legislation 440.01, Processing of Personal Data (Electronic Communication Sector) Regulations (hereinafter ‘Sub Leg 440.01’), the term location data is defined as “any data processed in an electronic communications network or by an electronic communication service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communication service”. Furthermore Sub Leg 440.01 lays down that the principle that location data relating to a user of public communication networks or of publicly available electronic communications services can be processed either when it is made anonymous, or with consent. However, this does not apply to the processing of similar location data in other sectors, as this principle is not applicable by analogy. Consequently, one is required to analyze the Act.
Furthermore the EU Article 29 Data Protection Working Party adopted Opinion WP13/2011, which related to Geo-location Services on smart mobile devices. The Opinion clearly lays down that many of the conclusions with regards to legitimate ground, information and data subjects’ rights also apply to other technologies when they are used to geo-locate people through their devices. The main principle derived from the Opinion with regards to the location data, is that prior informed consent is also the main applicable ground for making data processing legitimate when it comes to processing of locations of a smartphone.
On the basis of the above consideration, service providers are required to inform prospective customers in their terms and conditions of business about how the service provider will be processing their personal data.Once this is notified, the service provider would need to request the respective customer’s explicit consent to process his/her personal data. Thus, once consent is acquired, the service provider would be able to identify the location of the customer and take an informed decision as to whether he is able to provide the service to the customer in that jurisdiction.