Location data

Location data means any data processed in an electronic communications network or by an electronic communications service that indicates the geographical position of the terminal equipment of a user of a public electronic communications service, including information relating to:

  • the latitude, longitude or altitude of the terminal equipment; 
  • the direction of travel of the user; or 
  • the time the location information was recorded.

Regulation 14 does not apply to the processing of traffic data discussed in Traffic data.

Restrictions on processing

Location data relating to a subscriber or user of a public electronic communications network may only be processed if:

  • the subscriber or user cannot be identified from that data; or
  • the processing is necessary to provide a value-added service, and the relevant user or subscriber has consented.

Location data must only be processed by the communications provider in question, the third-party provider of the value-added service, or a person acting on behalf of either of the above. The processing of location data to provide a value-added service must be restricted to what is necessary for those purposes.

The communications provider has ultimate responsibility for complying with the Regulations about processing location data, so they should observe the requirements of the seventh principle of the Data Protection Act, particularly for processing personal data carried out by a data processor.

Although the Act applies only to processing personal data, there is nothing to stop service providers imposing such contracts for processing location data from which an individual cannot be identified.

Consent to process

The public communications provider must get the prior consent of the user or subscriber to process location data to provide a value-added service (if the user or subscriber can be identified from that data). Before getting consent, the communications provider must give the user or subscriber the following information:

  • the types of location data that will be processed;
  • the purposes and duration of the processing of those data; and 
  • whether the data will be transmitted to a third party to provide the value-added service.

In the case of a corporate subscriber, a person making decisions on behalf of the company is likely to be able to give consent, unless the communications provider has reasonable grounds to believe otherwise.

The Regulations do not prescribe how service providers should get this consent. However, to get valid informed consent, the subscriber or user should be given enough clear information for them to have a broad appreciation of how the data is going to be used and the consequences of consenting to such use (see the first principle in the guide to data protection).

In light of this, the service provider will not be able to rely on a blanket 'catch all' statement on a bill or a website but must get specific informed consent: 

  • for each value-added service requested; and
  • to market their own electronic communications services.

If a public communications provider offers a value-added service with a third party, then in the interests of transparency the person who will be regarded as responsible for providing the service should get the consent to process location data for such a purpose. Whether this will be the service provider or the third party will depend on the circumstances. The point is that the way a service is provided should be consistent with the expectations of the subscriber or user.

If the user consents to one party to provide a particular service, they should not then be surprised when they are contacted by another party about that service.

If a user or subscriber has given informed consent to the processing of location data, they can withdraw that consent at any time – the communications provider should make them aware of this. The user or subscriber should also be given an opportunity to withdraw their consent each time they connect to the network or on each transmission of a communication.

The Regulations state that the service provider must give the user the opportunity to permanently withdraw consent. But there is nothing in those Regulations preventing the service provider also offering the user the chance to suspend their consent for a limited, specified period. If the user chooses to accept such an option, there is similarly nothing to prevent the provider reactivating their consent after that time has elapsed – provided they made it clear to the user when the user chose to suspend their consent for a limited period that this would happen.