Since the General Data Protection Regulation (GDPR) was implemented in the European Union a few years ago, a crucial question has arisen: how long should businesses retain the personal data of their customers and employees?
According to some European authorities, location information is not personal information as that term is used in the EU’s General Data Protection Regulation. Locational data may not be considered personal information in Spain and Austria.
Max “Angry Austrian” Schrems founded the EU privacy group NOYB (None of your business), which announced that it had appealed a Spanish data protection authority’s (AEPD) decision to support Virgin Telco’s refusal to provide location data it has stored about a customer. Despite Court of Justice (CJEU) rulings that forbid data retention, according to NOYB, the government of Spain still requires telcos to record the metadata of phone calls, text messages, and cell tower connections.
Do you only provide your location to law enforcement?
Some EU Member States, like Spain, continue to demand mobile network operators o record the metadata of all phone calls, short messages, and cell tower logins despite numerous Court of Justice (CJEU) decisions that forbid data retention. Everyone has the right to access personal data under the GDPR and the European Charter of Fundamental Rights. The mobile phone service Virgin Telco received a request for the customer’s location data from a Spanish citizen exercising his right to access information under the GDPR. The business declined to release the information, claiming that only law enforcement could have access during criminal investigations. Virgin Telco did not specify why the right to access is not a fundamental right in this situation. In addition, there exists no relevant and rational limitation under the law.
As permitted by the GDPR, a Spanish customer demanded that Virgin reveal his personal information. The right of individuals to obtain their data from businesses that process and store it is guaranteed by Article 15 of the GDPR.
According to the EU, “personal data is any information that relates to an identified or identifiable living individual.” Personal data also includes “different pieces of information, collected together can lead to the identification of a particular person.” The EU example specifically uses “location data” as an example. However, other laws, such as the ePrivacy Directive, permit limited situations in which location data may be anonymised, considered non-personal data, or disclosed to authorities—a move that can still cause privacy issues.
But when a complaint was made in December 2021, Virgin refused to give the customer’s location data, claiming that only law enforcement officials had the right to request it. The AEPD also supported the business.
AEPD dismisses the complaint without providing a reason.
Following a complaint from the client in December 2021, the Spanish authority supported Virgin Telco without giving any additional justification. It merely stated that it adheres to the company’s (false) logic.
“It’s very problematic if a DPA decides without providing any additional context or legal justification for this conclusion.” Felix Mikolasch, a data protection attorney at NOYB.
NOYB asserts that Virgin Telco failed to justify why Article 15 should not be applied, given that the law lacks such a restriction. According to Mikolasch, “the fundamental right to access is comprehensive and clear: users are entitled to know what data a company collects and processes about them, including location data.” “This stands apart from the government’s right to access such information. There isn’t a relevant exception to the right of access in this situation.”
The national court of Spain, the Audiencia Nacional, has received NOYB’s appeal. The organisation claimed it filed a comparable appeal in Austria last November, where that nation’s data protection agency also backed Austrian mobile provider A1’s refusal to provide customer location data. Because another person could have used the subscriber phone that generated the location data, A1 argued that it shouldn’t be considered personal information in that situation.
The value of location data could be in the billions. According to Fortune Business Insights, the location analytics market is anticipated to generate $15.76 billion in revenue in 2022 and $43.97 billion by 2029. Instead of a lack of access, the issue outside the EU is the availability of location data. The government is a significant buyer of location data in the US, where there is no federal data protection framework because it is more convenient than obtaining a warrant.
Companies with access to location data, frequently through mobile app SDKs, seem eager to make money from it. The FCC fined the four biggest wireless providers in the US in 2020 for breaking a 2018 agreement to protect customer location data.
The Austrian case is comparable.
The Austrian data protection authority confirmed the mobile operator’s refusal to grant its client access to their data, based on a highly dubious interpretation of domestic law, in a case similar to the one NOYB appealed in November 2021. Noyb wants to prevent other data protection authorities from making decisions that blatantly violate a fundamental right by filing an appeal with the Audiencia Nacional today.
Businesses seem to be having a lot of trouble due to multiple data protection complaints, and we understand that it isn’t easy to manage. Business leaders must consider the security and data protection frameworks in their organisation. Tsaaro assists businesses in setting up a strong, thorough, and efficient data protection policy and putting the required cybersecurity measures into place.
Look at our services here, or get in touch with our data protection experts to get you, your best possible solution for all things data privacy and cybersecurity.