Spain, Austria not convinced location data is personal information
Privacy group NOYB sues to get telcos to respect GDPR data access rights
Some authorities in Europe insist that location data is not personal data as defined by the EU's General Data Protection Regulation.
EU privacy group NOYB (None of your business), set up by privacy warrior Max "Angry Austrian" Schrems, said on Tuesday it appealed a decision of the Spanish Data Protection Authority (AEPD) to support Virgin Telco's refusal to provide the location data it has stored about a customer.
In Spain, according to NOYB, the government still requires telcos to record the metadata of phone calls, text messages, and cell tower connections, despite Court of Justice (CJEU) decisions that prohibit data retention.
A Spanish customer demanded that Virgin reveal his personal data, as allowed under the GDPR. Article 15 of the GDPR guarantees individuals the right to obtain their personal data from companies that process and store it.
"Personal data is any information that relates to an identified or identifiable living individual," as defined by the EU. "Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data."
The EU example specifically cites "location data" as an example, though other regulations like the ePrivacy Directive allow limited circumstances when location data may be anonymized – which can still pose privacy problems – and considered non-personal data or disclosed to authorities.
Virgin, however, refused to provide the customer's location data when a complaint was filed in December 2021, arguing that only law enforcement authorities may demand that information. And the AEPD sided with the company.
NOYB says that Virgin Telco failed to explain why Article 15 should not apply since the law contains no such limitation.
- Campaigners warn of legal challenge against Privacy Shield enhancements
- Lawyers say changes to UK data law will make life harder for international businesses
- Europe's GDPR coincides with dramatic drop in Android apps
- Google chases sovereignty market with EU Workspace Data product
"The fundamental right to access is comprehensive and clear: users are entitled to know what data a company collects and processes about them – including location data," argued Felix Mikolasch, a data protection attorney at NOYB, in a statement. "This is independent from the right of authorities to access such data. In this case, there is no relevant exception from the right to access."
NOYB has taken its appeal to the Audiencia Nacional, Spain's national court. The group said it filed a similar appeal last November in Austria, where that country's data protection authority similarly supported Austrian mobile provider A1's refusal to turn over customer location data. In that case, A1's argument was that location data should not be considered personal data because someone else could have used the subscriber phone that generated it.
Outside the EU, the problem is the availability of location data, rather than lack of access. In the US, where there's no federal data protection framework, the government is a major buyer of location data – it's more convenient than getting a warrant.
And companies that can obtain location data, often through mobile app SDKs, appear keen to monetize it.
In 2020, the FCC fined the four largest wireless carriers in the US for failing to protect customer location data in accordance with a 2018 commitment to do so. ®