Privacy considerations for location-based services

Location-aware mobile applications and services are on the increase. With growing reach and appeal, they are no longer just about personal navigation.

Location-aware mobile applications and services are on the increase. With growing reach and appeal, they are no longer just about personal navigation. From social networking to gaming to mobile advertising, location is fast becoming an integrated feature, writes Jan Willem van den Bos, senior associate at Denton Wilde Sapte LLP.

Advertising is seen as key to future mobile and online content, whether it concerns 'free' services or enhanced user experiences. This requires personalisation and targeting, which in turn require profiling based on preferences, location and other context-sensitive data. As privacy will increasingly become a new online currency, the need for and legality of user tracking is coming under greater scrutiny from regulators around the world.

Privacy invasion

Location data can pinpoint a person's whereabouts, especially if they use their mobile which they are unlikely to share with others. There is no denying that tracking people - what they do, where and when - can lead to misuse and other unfair or unlawful processing of data. The more location data is collected, stored and shared, the greater the risk of data breaches. And by its nature, location data presents an added risk to personal security.

Privacy is not a fixed concept, however. It means different things to different people in different circumstances, and in the eyes of the public it is as much about perceived risks as actual risks.

There is still plenty of scope for clearer and simpler rules. Technology has moved on, but many laws have not yet caught up. The EU e-Privacy Directive has just had an overhaul; the EU Data Protection Directive is due for one later this year. Tricky concepts such as "personal data", "location data", and "traffic data", on which much of the law turns, need review and then more consistent implementation across the EU.

It is very much about old concepts and new challenges. It is about making sure users know their data will be processed, and why, and knowing the identity of those handling their data. And the initiatives are not just about better formal, self- and co-regulation. They are also about better enforcement, such as initiatives to increase fines (up to £500,000 for serious breaches in the UK), use spot checks, and potential custodial sentences for knowing or reckless misuse of personal data.

User choice

With general guidance being that, in the e-data world, there is no longer such a thing as anonymised data, the compliance burden can be daunting. But much of it is about common sense - giving users genuine choice and control, with simple, easy-to-use browser and profile settings, allowing them to decide when, why and how their data may be used.

It is about building in enhanced technical security and data minimisation (only collecting and storing data that is needed). It is also about education, making sure users can give informed consent to use of their data, for if they fail to understand the implications, they cannot give informed consent. And that could make processing their data unlawful.

These are exciting times, with great potential for innovative location-aware applications and services that people want to use and which should generate revenue. Users are said to be more likely to adopt location services if there are common international standards and rules making the experience more uniform and reliable across different platforms and geographies. If users are concerned, rightly or wrongly, about how their data will be handled, they are more likely to stay away.

Taking privacy seriously is likely to create greater levels of customer trust, and it can give service providers a competitive edge. People may be more willing to allow use of their valuable personal data - accepting risks if they can see the benefits too - if they know their data is handled properly and securely.

This, in turn, could help service providers raise more cash by attracting investment and drawing revenue from behavioural advertising to pay for more innovative applications and services. So it could pay to give privacy greater attention. Bigger fines and possible custodial sentences are likely to focus the mind.

Read more on IT risk management