[GSDI Legal Socioecon] 'Location Data' in the proposed new (revised) EC Data Protection Regulation
Roger Longhorn
ral at alum.mit.edu
Thu Dec 15 06:21:23 EST 2011
As reported in the EDRi-gram biweekly newsletter about digital civil
rights in Europe (Number 9.24, 14 December 2011) (www.edri.org), last
week, Europe got a look at the "General Data Protection Regulation",
thanks to a leak by Statewatch. Get a copy here -
http://www.statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf
The new EC General Data Protection Regulation is due to be officially
published on 25 January 2012 and will repeal the outdated Data
Protection Directive from 1995. It keeps the Directive's key principles
but takes into account technological developments since the 1995
Directive was introduced. It aims at greater harmonisation and more
"coherent" rules: "Differences in the level of protection of the rights
and freedoms of individuals may therefore constitute an obstacle to the
pursuit of economic activities at the level of the Union, distort
competition and impede authorities in the discharge of their
responsibilities under Union law."
The draft regulation introduces new rights and new definitions - now
including 'location data', as well as genetic and biometric data, and
the definition of a data subject is extended to a person who can be
identified directly or indirectly by the controller or "any natural or
legal person". New rights include clearer rights on data portability,
and it introduces mandatory reporting of data breaches and new
competences and powers for supervisory authorities in terms of
independence and capacity. Moreover, the regulation (article 63)
establishes a European Data Protection Board which is going to replace
the existing Article 29 Working Party.
The extracts below indicate where 'location' now figures more
prominently in the new Data Protection Regulation. Note the specific
references to 'location' and/or 'location data' in the Preamble and
Articles 3, 18 and 30.
===============
Proposal for a Regulation of the European Parliament and of the Council
on the protection of individuals with regard to the processing of
personal data and on the free movement of such data (General Data
Protection Regulation)
Preamble
(22) Given the importance of the developments under way, in the
framework of the information society, of the techniques used to capture,
transmit, manipulate, record, store or communicate location data
relating to natural persons, which may be used for different purposes
including surveillance or creating profiles, this Regulation should be
applicable to processing involving such data.
Article 3
Definitions
For the purposes of this Regulation:
(1) 'data subject' means an identified natural person or a natural
person who can be identified, directly or indirectly, by means
reasonably likely to be used by the controller or by any other natural
or legal person, in particular by reference to an identification number,
location data, online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or
social identity of that person;
Article 18
Measures based on profiling
1. Every natural person shall have the right not to be subject to a
measure which produces legal effects concerning this natural person or
significantly affects this natural person, and which is based on
automated processing intended to evaluate certain personal aspects
relating to this natural person or to analyse or predict in particular
the natural person's performance at work, creditworthiness, economic
situation, location, health, personal preferences, reliability or behaviour.
Article 30
Data protection impact assessment
1. Prior to the processing of personal data, the controller or the
processor shall carry out an assessment of the impact of the envisaged
processing operations on the protection of personal data where those
processing operations are likely to present specific risks to the rights
and freedoms of data subjects by virtue of their nature, their scope or
their purposes.
2. In particular the following processing operations are likely to
present such specific risks as referred to in paragraph 1:
(a) an evaluation of personal aspects relating to a natural person or
for analysing or predicting in particular the natural person's
performance at work, creditworthiness, economic situation, location,
health, personal preferences, reliability or behaviour, which is based
on automated processing and likely to result in measures that produce
legal effects concerning the individual or significantly affect the
individual;
<end extract>
Why introduce a Regulation? In the addenda to the document, we see:
"Lessons learned from similar experiences in the past
The present proposals build on the experience with Directive 95/46/EC
and the problems encountered due to the fragmented transposition and
implementation of that Directive which have blocked it from achieving
both its objective, i.e. a high level of data protection and a single
market for data protection."
<ends>
Note that Directives are implemented by EU Member States via their own
national legislation, which often does not follow the principles and/or
'rules' set out in a Directive (which is why EU states are then taken to
court until 'transposition' is considered to be complete and adequate).
However, in the case of an EC Regulation, it becomes law across all EU
States as soon as published in the Official Journal (although there are
typically stated time frames by which or within which the regulation's
rules come into effect). In the case of the Data Protection Regulation:
Article 91 - Entry into force and application
1. This Regulation shall enter into force on the twentieth day following
that of its publication in the Official Journal of the European Union.
2. It shall apply as from two years from the date referred to in
paragraph 1.
<ends>
So if the Regulation is published on 22 January 2012, it will come
into effect from 22 January 2014.
It is also worth looking at the 'Legislative Financial Statement' at the
end of the document (beginning p. 96) to see more about implementation
and its impact.
Kind regards
Roger Longhorn
ral at alum.mit.edu
vice-Chair, Communications, GSDI Assoc. Outreach & Membership Committee
Member, GSDI Assoc. Legal & Socioeconomic Committee
www.gsdi.org
Editor, SDI Magazine
www.sdimag.com