The “Laboratoire d’Innovation Numerique de la CNIL” or LINC in France has been assessing the risks associated with geolocation data. 

France’s digital innovation laboratory, known as “Laboratoire d’Innovation Numerique de la CNIL ” or  LINC secured a geolocation database from a data broker which was supposedly anonymized. The purpose of this was to test and evaluate the risk of re-identification using this data. LINC seeks to experiment with anonymisation methods with the intention of helping to limit privacy risks for users while maintaining the serviceability of the data. In particular, this report from LINC, gives a brief assessment of the risks associated with the possibility of re-identification of a specific type of data – geolocation data. 

Geolocation data is regarded as highly valuable due to its abundant and precise nature, which allows better tracking. 

The usefulness of smartphone geolocation data is undeniable. We have seen the benefits in the context of fighting disease outbreaks, optimising road traffic and many other applications. However, this data is also used for behavioral surveillance, and to track individuals for advertising purposes. The LINC questioned whether geolocation data should also be regarded as special category data. In its 2017 report, it states “geolocation and data flow are to personal data what stem cells are to cellular biology”. It goes on to say that geolocation data allows, “by its abundance of context to infer a considerable amount of data about behavior, habits, and lifestyle. Knowing where you live may allow someone to infer your income, where you go, to guess your lifestyle (hobbies, family circumstances…), your religious habits or sexual preference, even your health situation”. This accumulation of information is seen as highly valuable by data brokers, particularly those who specialize in the collection and resale of geolocation data. This data is regarded as much more valuable as it is abundant and very precise.

While geolocation data is highly valuable, it is regarded as personal data and must therefore maintain a level of protection. 

The issue lies in the fact that this determination to collect, use and sell extremely precise data may create issues of personal data protection for the people who contribute to these datasets. In many cases, these people are unaware of how much data they are passing on, as well as the precision thereof. There are cases in which companies have betrayed the trust of users by reselling geolocation data collected from children, people visiting abortion centers, or even giving context to a person’s sexual orientation. While geolocation data is most often anonymised, and sharing anonymised data allows one to be released from some GDPR restrictions, there are cases where the nature of this data allows for RE-identification. According to the GDPR geolocation data associated with a person, whether directly or indirectly, is considered to be personal data. As such, data controllers and data processors must respect strict rules regarding the processing of this data as well as the rights of the people whose location is collected.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.