How fragmentation in European law undermines consumer protection: the case of location-based services

Colette Cuijpers and Bert-Jaap Koops*

Consumer protection; Data protection; EC law; Electronic communications; Location data; Personal data

Better consumer protection regulation is mentioned as a priority in the EU Consumer Policy Strategy 2007–2013. Building upon this strategy, the Green Paper on the Review of the Consumer Acquis identifies fragmentation of legislation as the main problem in consumer protection rules. This fragmentation is caused, among other things, by inconsistent regulation between different directives. By analysing the data protection framework for location-based services (LBS), this article strengthens the argument that fragmentation leads to unclear and even inconsistent regulation and thereby diminishes consumer protection. Furthermore, the case of LBS demonstrates the need to extend the scope of the Review of the Consumer Acquis, in order to reach the Green Paper’s overarching aim “to achieve a real consumer internal market striking the right balance between a high level of consumer protection and the competitiveness of enterprises”.

Introduction[1]

The European mobile consumer and Collingridge’s dilemma

European consumers are more mobile than they have ever been. Nowadays, they can benefit from useful and exciting new services and applications that can make their movements safer, smoother, and more attractive. Let us imagine the following scenario. A consumer steps in a brand-new car equipped with the latest security measure, a tracking service that allows real-time monitoring of the car’s whereabouts when it is stolen or hi-jacked. Fortunately, no such inconveniences occur, and the weather forecast she requests on her mobile phone is very good. A visit to a nearby museum is brightened up by a handheld device which reacts to each painting on the wall to which she points it. On the way to the hotel—easily found through the car’s navigation system—the new “eat on the spot” service rewards her with an interesting special offer on her mobile phone from an Italian restaurant just around the corner. As the “buddy finder” shows no friends in the neighborhood she might invite for dinner, she orders a pizza to go through her mobile phone.

Such new services are based on location information. In order to flourish, their providers need a clear legal framework with a level playing field throughout Europe. At the same time, because location information can be quite sensitive, consumers should be protected from abuse of their personal data. Understandable and consistent rules safeguarding consumer protection will give them confidence to step into the emerging market of location-based services.

Unfortunately, the legal framework for new services in Europe is not always clear, consistent, or understandable. One major cause of legal uncertainty is the fragmented approach that is visible in several areas of European law and policy-making. Fragmentation of rules, aiming to ensure a level playing field and safeguard fundamental values, is understandable and not always avoidable. Technical and market developments are so complex and fast, that the European legislator has to strike a balance between intervening at an early stage, with sector-specific or technology-specific rules that cannot yet completely grasp the consequences of the developments underway, and intervening at a late stage, with perhaps more general and mature rules, at the risk of being too late to influence the technology or market to move towards the desired direction. This so-called Collingridge dilemma of early versus late intervention to control technology[2] is frequently solved by specific rules in different legal instruments dealing with separate developments.

* Dr. Colette Cuijpers is Assistant Professor of law and technology at TILT—Tilburg Institute for Law, Technology and Society of Tilburg University. Prof. Dr. Bert-Jaap Koops is Professor of regulation and technology at TILT.
[1] This article is part of a project on law, technology, and shifting balances of power, funded by the Netherlands Organisation for Scientific Research. It builds on collaborative work within the EU FP6 Network of Excellence FIDIS (Future of Identity in the Information Society), which resulted in C. Cuijpers, A. Roosendaal and B.J. Koops (eds), D11.5: The legal framework for location-based services in Europe (FIDIS Deliverable, June 2007), available at http://www.fidis.net/ [Accessed October 2, 2008]. The authors thank the report co-authors Arnold Roosendaal, Martin Meints, Denis Royer, Eleni Kosta, Fanny Coudert and Maren Raguse, whose work has contributed to the insights we provide in this article.

(2008) 33 E.L. REV. December 2008 THOMSON REUTERS (LEGAL) LIMITED AND CONTRIBUTORS

Electronic copy available at: http://ssrn.com/abstract=1645524

However, the resulting patchwork of rules gives rise to inconsistency, jeopardises the comprehensiveness of the relevant legal framework, and may ultimately undermine the very goals of regulation.

European consumer protection and the review of the Consumer Acquis

In the European Union, there is no comprehensive consumer protection law. Consumer protection provisions can be found in a multitude of directives.[3] In spite of this, and without proper explanation, the current review of the European Consumer Acquis[4] only concerns eight Directives on specific issues of consumer law, namely contracts negotiated away from business premises, package travel, unfair terms, timeshare, distance contracts, prices, injunctions and sale of consumer goods. The Review must be seen in light of the EU Consumer Policy Strategy 2007–2013 which formulates five priorities, including better consumer protection regulation.[5] In this respect, the Green Paper on the Review of the Consumer Acquis (hereinafter “GP”) identifies fragmentation of legislation as the main problem. This fragmentation is caused by the right enjoyed by Member States to adopt more stringent rules and because of inconsistent rules in different directives. The Review and subsequent measures for reform intend to contribute to achieving, “a real consumer internal market striking the right balance between a high level of consumer protection and the competitiveness of enterprises, while ensuring the strict respect of the principle of subsidiarity”.[6] Following the Green Paper, the public consultation yielded over 300 responses, which were summarised in a staff working paper.[7] Although the Green Paper was welcomed and viewed positively by the majority of respondents, the limited scope of the review—with only eight Directives—was criticised.[8]

Research aims and outline

The aim of this article is twofold. First, to show, and thereby substantiate the Green Paper’s concerns, that fragmentation of consumer protection in European law does not contribute to achieving an adequate level of consumer protection, but instead threatens to undermine consumer protection in the first place. We shall do this by a case study that analyses in-depth consumer-protection rules for a booming new market, location-based services (LBS). We have chosen LBS because it is a very promising market, offering entirely new types of services for consumers, that is quickly gaining ground, but which also requires consumer protection because of the sensitivity of the detailed location data that LBS providers process. The second aim is to show the limitations of the restriction of the review of the Consumer Acquis to eight Directives.

[2] David Collingridge, The Social Control of Technology (Pinter, 1980).
[3] See in this respect the evolution of consumer policy, described in Stephen Weatherill, EU Consumer Law and Policy (Elgar European Law, 2005), pp.1–33.
[4] The Consumer Acquis is currently under review because of differences in national implementation, inconsistencies resulting from the sector-specific approach, and possible outdatedness of certain directives dating from the 1980s and early 1990s. The need for this review was first recognised in Consumer policy strategy 2002–2006 COM(2002) 208 final. Information and documentation regarding the review can be found at http://ec.europa.eu/consumers/rights/cons_acquis_en.htm [Accessed October 2, 2008].

Therefore, our case study looks at two directives outside the scope of the Review: Directive 95/46 (the Data Protection Directive) and Directive 2002/58 (the E-Privacy Directive).[9] These are not consumer-specific—they equally apply to citizens, and 2002/58 also applies to legal persons—but they are very important for consumers. Indeed, businesses nowadays process such vast amounts of personal data of consumers, that limiting and controlling this processing is vital for the level of legal protection that consumers enjoy. We have chosen these two Directives for two main reasons. First, they are important for consumers in the information society, as they show that the Consumer Acquis review should be broadened with other directives, or at least take into account the findings of other evaluative studies.[10] Secondly, they illustrate particularly well how fragmentation over only two legal instruments can create such confusion as to leave consumers completely deprived of protection because neither they nor the providers of the services understand the rights and obligations set out in the legal framework, hence creating a legal vacuum.

The article is structured as follows. First, in order to give some insight into the phenomenon of LBS, it provides a brief technical overview of systems generating location data. Secondly, the European legal framework is outlined with special attention to problems which arise from the relevant Directives’ divergent and obscure terms. We will show the extremely complex interplay between the three legal regimes that are contained in the two Directives, as they apply to three different, overlapping, types of data. Finally, we will go into the lessons that can be learned from the case study of LBS for European law-making.

[5] Green Paper on the Review of the Consumer Acquis COM(2006) 744 final; EU Consumer Policy strategy 2007–2013, empowering consumers, enhancing their welfare, effectively protecting them, COM(2007) 99 final.
[6] Green Paper on the Review of the Consumer Acquis COM (2006) 744 final, p.3.
[7] Commission Staff Working Paper Report on the Outcome of the Public Consultation on the Green Paper on the Review of the Consumer Acquis (http://ec.europa.eu/consumers/cons_int/safe_shop/acquis/acquis_working_doc.pdf [Accessed October 2, 2008]).
[8] e.g. the reaction of BEUC, Mapping the future of Europe’s consumers—Comments on the Green Paper “Review of the Consumer Acquis” COM(2006) 744 final, pp.1 and 4, available at http://docshare.beuc.org [Accessed October 2, 2008].
[9] Directive 95/46 on data protection [1995] OJ L 281/31 and Directive 2002/58 on privacy and electronic communications [2002] OJ L 201/37.

Location-based services[11]

Location-based services can be delivered by means of wireless systems and unique identification of communication devices, combined with location data. Examples of current uses of LBS relate to the positioning of cell-phones in case of emergencies; automatic payment services; traffic and fleet management; direct marketing services; tracking services for people such as children, persons with Alzheimer’s disease, employees and convicted felons. With developing techniques and increasing speed of communications, it is not hard to imagine that LBS will become more and more integrated in daily life over the next few years. The recent introduction of social networks with positioning features that enable users to find people, places and events anywhere in the world already constitutes a step in this direction.[12]

Location-based services use different types of techniques that process location data in various ways. This section will first introduce the different technologies used, and then outline the relevance of LBS for consumer protection, namely the need for data protection of the location information processed by LBS. Some understanding of these different technologies and parties involved is helpful to realise the complexity of applying the legal framework we outline further on.

[10] e.g. the report on the transposition of Directive 95/46 and its follow-ups (http://ec.europa.eu/justice_home/fsj/privacy/lawreport/index_en.htm [Accessed October 2, 2008]). Directive 2002/58 is currently under review itself. This review is unlikely to address the main concerns we outline in this article; the proposed changes are largely concerned with security-related provisions (e.g. spyware) and improving enforcement. Some clarification regarding scope and definitions might result from the review, e.g. regarding applicability to Radio Frequency Identification (RFID) and broadening the scope to (semi-)private networks. However, at this stage it is too early to anticipate any of these changes. See further Opinion 2/2008 on the review of the Directive 2002/58 00989/08/EN WP150; Opinion of the European Data Protection Supervisor on the Proposal amending, among others, Directive 2002/58 (http://www.edps.europa.eu [Accessed October 2, 2008]).
[11] This section is based on the work of Martin Meints and Denis Royer in Cuijpers et al., D11.5: The legal framework for location-based services in Europe, Ch.3.
[12] See http://www.gypsii.com [Accessed October 2, 2008].


Generating location information

Location information can be generated by different technologies. Without trying to be exhaustive, especially in view of future techniques, we can mention the following positioning techniques as supportive of LBS: satellite-based positioning systems such as the Global Positioning System (GPS); sensor-based systems such as face recognition systems and license-plate scanners for vehicles; wireless technologies, such as Radio Frequency Identification (RFID), WiFi or Bluetooth; cell-based mobile communication networks such as GSM and UMTS; and chip-card-based systems, such as credit cards.

Even though these technologies differ substantially in the way they work, location systems are similar in the sense that they need a static and a mobile component in order to pinpoint locations. In this respect, the positioning system will have static sensors and mobile devices or objects bearing or transmitting location information, or, conversely, the sensors will be mobile while the devices or objects bearing or transmitting location information are static. In the first case, the location information is given by the position of the identifiable sensor, while in the second case the location information is given by the identifiable object or device.

Irrespective of the different characteristics of positioning technologies, they all share the fact that they generate and process several flows of data. First, mobile as well as static devices will send location information to the sensors. Secondly, the sensors will receive and transfer location and time information to backend systems. Thirdly, these backend systems will interpret and use the location information. Within positioning systems, location information can be generated automatically and continuously, in certain time intervals, or upon request. In addition to the technologies, the parties involved within positioning systems can differ as well.
In some situations, there will only be a relation between the subscriber to a LBS and the provider of a LBS. In other instances, the LBS might be provided by more than one party, for example when the service is connected to data stored in a database controlled by another party, or when the subscriber to a certain LBS is not the same person as the user. Here, the way in which the backend system operates and processes the data is important, as in some cases the results of the processing of location data are transferred to another device.

The link between location information and privacy

Notwithstanding the obvious advantages of LBS, it is also clear that these services raise legal challenges to consumer protection, primarily related to the need to protect consumers’ privacy. In order to be able to assess the applicability of the various data protection regimes from EC Directives, we indicate here the possible links between location information and individual persons. In some cases, there is no link between location information and a person, especially when location information is used in the context of objects only. One example is location information in the context of a fully automated warehouse. Here, location information refers to places in the warehouse and is used by machines only. In most cases, however, there will be a link between a device or a sensor used for LBS and a person. This link can be direct, e.g. by using purpose-specific devices (e.g. mobile emergency phones) and very stable, e.g. physical properties of the person (biometric features) or implants (both of which cannot easily be changed). In many cases, the link will be indirect, for example when a person uses an object with an attached device that is part of the location system (e.g. a vehicle with GPS sensor, or a product equipped with an RFID tag). The question whether location information can be linked to natural or legal persons is relevant. As we will show in the next sections, the existence of such a link determines whether or not the data should be qualified as traffic, location, and/or personal data in the context of the applicable European legal protection regime.

The European data-protection framework for location-based services

The processing of location data with regard to the provision of LBS is governed by three European Directives, relating to the processing of personal data in general, the processing of personal data in the electronic communications sector, and data retention. As the complexity of the legal framework resulting from the first two Directives is already significant enough, we leave aside Directive 2006/24 (the Data Retention Directive) from the scope of this article.[13] From the general and sector-specific Directive on data protection, it becomes clear that a distinction needs to be made between personal data, traffic data, and location data. However, this distinction is not always clear: all kinds of combinations are possible, e.g. personal data can be location data as well. This leads to a complicated picture regarding the applicability of the regimes laid down in the Directives with regard to the different types of data. This picture becomes even more complicated as different Directives are addressed to different parties and the applicability of their rules is technology-dependent.
Personal data: Directive 95/46

The general framework with regard to the processing of personal data is Directive 95/46 (hereinafter Data Protection Directive).[14] The applicability of the Directive depends on whether there is “processing” of “personal data”. The definition given to processing is very broad and it is fair to say that almost each handling of data, from their establishment to their destruction, can be considered processing in the meaning of the Directive. Whether or not data can be considered to be personal depends on whether or not the data identify a natural person. Identification can be direct as well as indirect. Direct identification means identification without the use of a third source. Indirect identification concerns for example identification on the basis of an identification number. In this case, a third source is necessary to link the identification number to directly identifiable factors such as a name and address. An identification number can be a national identification number as well as other numbers, such as an employee number or an IP-address.[15]

If the Directive applies, data processing must comply with its regime. This includes, for example, requirements that personal data can be collected only for specified, legitimate purposes and that they must be processed fairly and lawfully. The Directive gives various norms for when processing can be considered fair and lawful, for example, a legitimate basis, purpose limitation, and adequate information security measures. Also, data subjects must be informed of data processing, and they have various rights of access and complaint.[16]

E-privacy: Directive 2002/58

For the sector of electronic communications, the European Union has considered it necessary to supplement the general Data Protection Directive with a sector-specific data-protection directive, which was part of a larger set of directives regulating the electronic-communications sector (formerly known as the telecommunications sector). Directive 2002/58 (hereinafter E-Privacy Directive)[17] is more specific than and complements the Data Protection Directive. Directive 95/46 is lex generalis which applies to the processing of personal data unless Directive 2002/58—the lex specialis—determines otherwise. The reason for creating a lex specialis and introducing traffic data and location data as distinct types of data is the acknowledgement that these types of data entail specific risks against privacy. Hence, extra protection was considered necessary, in order to guarantee confidentiality, prompt anonymisation, and consent. Moreover, while Directive 95/46 only applies to natural persons, Directive 2002/58 also covers subscribers who are legal persons,[18] whose traffic and location data are also to be protected.

[13] Suffice it to note that Directive 2006/24 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58 [2006] OJ L105/54, which regulates the mandatory storage of traffic and location data in conformity with Art.15 of the E-Privacy Directive, complicates the legal framework regarding LBS and diminishes harmonization of consumer protection. The large margin of appreciation left to the Member States—who can choose a retention period of 6 up to 24 months—constitutes the main concern. This has resulted in a wide variety of retention periods across the EU.
[14] Directive 95/46 on data protection [1995] OJ L281/31.

Furthermore, some provisions create explicit rules in relation to interconnection and billing in light of the particularities of the emerging market of e-communication services, where business models may require more data processing of subscribers than in other markets.

Article 2 of Directive 2002/58 states that the definitions of Directive 95/46, as well as those of Directive 2002/21[19] concerning a common regulatory framework for electronic communications networks and services, shall apply. In addition to the definitions given in these measures, Directive 2002/58 provides for definitions of specific types of data that are of great importance to LBS: “location data” and “traffic data”. Now, the processing of data can be governed by neither Directive, by one of the Directives, or by both Directives simultaneously, depending on the type of data and data processing. The substantive regimes of both Directives differ in some respects, as the lex specialis provides, for example, stricter conditions for processing certain types of location data. We will describe the differences below (in the sections on “Processing of traffic data” and “Processing of (non-traffic) location data”).

Before we examine the substance of the regimes, however, we must examine precisely when a Directive applies to a certain type of data. After all, it is of the utmost importance for providers of LBS to be able to qualify the data being processed, in order to be certain as to which legal rules they have to comply with. The same holds true for subscribers and users of these services. Only if they are able to determine exactly what type of data are being processed, can they be certain about the rights they enjoy and the obligations with which the provider must comply. Therefore, we will analyse the relationship between the various types of data at issue, as well as the definitions used in both Directives, before discussing their substantive implications. As we will see, however, determining the applicability turns out to be a very complex exercise.

Location data, traffic data, and their relation to personal data

In Art.2 of the E-Privacy Directive, definitions are given of traffic data and location data,

“(b) ‘traffic data’ means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;
(c) ‘location data’ means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.

Since traffic data include data on the geographical position of the terminal equipment at the beginning and at the end of a communication, for instance a mobile phone call, some traffic data are also location data.

[15] The Art.29 Working Group, established on the basis of Art.29 of Directive 95/46, has clarified the concept of personal data in its Opinion 4/2007, 01248/07/EN, WP 136, June 20, 2007, available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf [Accessed October 2, 2008].
[16] See, inter alia, Arts 6, 7, 10, 11, 12, 14, 16, and 17 of Directive 95/46.
[17] Directive 2002/58 on the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L201/37.
[18] See Art.1 para.2 of Directive 2002/58.
[19] Directive 2002/21 on a common regulatory framework for electronic communications networks and services [2002] OJ L108/33.

Conversely, many location data in the electronic-communications sector are traffic data, namely if they are processed for the purpose of the conveyance of a communication. This does not necessarily apply to all location data, e.g. it is not certain that location data of a mobile phone in stand-by mode can be considered to be processed “for the purpose of the conveyance of a communication”.[20] As to the relation between location data and personal data, the Art.29 Working Party has given the following interpretation:

“Since location data always relate to an identified or identifiable natural person, they are subject to the provisions on the protection of personal data laid down in Directive 95/46/EC.”[21]

[20] Even though the network processes the location of the mobile phone in stand-by mode so it knows where to transmit a potential communication, it does not process the location data for the purpose of conveying a specific communication. There might be no communication at all in a stand-by session. The categorisation of “stand-by” location data is, therefore, a fairly open issue that Member States have to decide upon when implementing the directive.
[21] Art.29 Working Party, Opinion 4/2007 on the concept of personal data 01248/07/EN WP 136, June 2007.


However, it is questionable whether this statement is correct, since location data can also relate to objects that are not linkable to individual natural persons. The following figure illustrates the complex relation between personal data, location data, and traffic data.

[Figure 1: The relationship between personal, traffic and location data. Venn diagram of three overlapping sets labelled personal data, traffic data and location data, with the resulting regions numbered 1 to 7.]

This means that there are seven types of data, which we illustrate with some examples:

(1) Location data that are also personal and traffic data, e.g. the location of the GSM cell in which an sms was sent by a mobile phone of an individual with a GSM subscription.
(2) Traffic data that are also personal data but not location data, e.g. the duration of a call made by an individual with a GSM subscription.
(3) Personal and location data, but not traffic data, e.g. the address of a fixed telephone of an individual.
(4) Traffic and location data, but not personal data, e.g. the location of a public phone booth where someone made a call.
(5) Traffic data, but not personal or location data, e.g. the date and time when an internaut using an anonymising service accessed a business website.
(6) Personal data, but not location or traffic data, e.g. the account number of an individual.
(7) Location data, but not personal or traffic data, e.g. the GPS location of a company car used by many employers; in the context of electronic communications, possibly the location of a stand-by mobile company phone used by several employers is an example of this category.

This is a schematic representation, in which the size of the areas in the figure does not suggest anything about reality. Category 6, of course, is very large, whereas categories 4 and 7, if we follow the opinion of the Art.29 Working Party, should be empty, since they consider all location data to be personal data. In our opinion, there are location data that do not qualify as personal data, but this category is probably quite small.

Before we move on to indicating which directives apply to which areas of our Venn diagram, we analyse in more detail the definitions of the various categories of data. This is necessary as some elements within these definitions further complicate the Venn diagram. The main provisions in Directive 2002/58 with regard to the processing of traffic data and location data are also described to illustrate the legal differences that exist with regard to the processing of (personal) traffic and location data.

Communication, electronic communications network, and publicly available electronic communications service

Whether or not data are to be qualified as traffic data mainly depends on the question what is to be understood by a communication and by an electronic communications network. In addition to the definition of an electronic communications network, for the qualification of location data the definition of a publicly available electronic communications service is also of importance. These definitions determine whether the data generated by the various technologies identified above can be considered traffic and/or location data. The definitions of electronic-communications networks and services cannot be found in Directive 2002/58, but are explained in Art.2 of Directive 2002/21,

“(a) electronic communications networks means transmission systems which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed and mobile terrestrial networks, networks used for radio and television broadcasting and cable television networks; . . .
(c) electronic communications service means a service, normally provided for remuneration, which consists in the conveyance of signals on electronic communications networks. Services providing, or exercising editorial control over, content transmitted using electronic communications networks and services are excluded;
(d) public communications network means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services”.

A definition of communication is given in Art.2(d) of Directive 2002/58:

“(d) ‘communication’ means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information”.

It becomes clear that in order to qualify data used in LBS as traffic or location data, it is necessary to determine whether the technologies described above fit the definitions of electronic communications service and public communications network, and whether the purpose of processing these data relates to a communication. The table below provides insight into which technologies fall within the scope of Directive 2002/58. As shown by the table, some comments and question marks remain, which will be explained below.

Table 1. Applicability of Directive 2002/58 to LBS technologies

Cell-

Chip-

RFID/

based

card-

Satellite-

Sensor-

WiFi/

mobile

based

based

based

Bluetooth

networks

payment

Electronic comm. network

Yes

No (2)

Yes

Yes

No (2)

Electronic comm. service

Yes

No (2)

Yes ? (4)

Yes

No (2)

Public

Yes (1)

? (3)

? (3)

Yes (1)

Yes

2002/58/ EC applicable?

Yes

No (2)

If public Yes

Yes

No (2)

(1) With regard to satellite-based positioning systems and cell-based mobile communication networks in general, it can be stated that these are public, in the sense that they are available to the public at large. However, it is technically possible, and probably already in effect for specific services, to restrict the access to these networks and services to such a confined group of users that ‘public availability’ no longer exists, so that Directive 2002/58 is no longer applicable.

(2) Whether sensor-based systems and chip-card-based payment systems fall within the scope of the definitions of communication networks and services is highly questionable. In our view, if the ratio of Directives 2002/21 and 2002/58 is considered, as well as the recitals and provisions of these measures, the conclusion should be that they are not aimed at such systems. The Directives seem to target intentional communications in which the content of the communication plays an important role. However, an analysis of the definitions of electronic communications networks and services as well as the definition of communication shows that they are very broad in scope, leaving room for application to sensor-based systems and chip-card-based systems.22

22 cf. Art.29 Working Party, Opinion 8/2006 on the review of the regulatory Framework for Electronic Communications and Services, with focus on the ePrivacy Directive 1611/06/EN, WP 126, at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp126_en.pdf [Accessed October 2, 2008], p.3, “both definitions ‘electronic communications services’, and ‘to provide an electronic communications network’ are still not very clear and both terms should be explained in more details in order to allow for a clear and unambiguous interpretation by data controllers and users alike”.


(3) There is no definition in EU law of what “public” in the context of the European regulatory framework for electronic communications exactly means. Member States may therefore interpret this term in different ways. The Art.29 Working Party has not clarified the scope of the term “public”, but in a recent opinion, they emphasised:

“The fact that provisions of the ePrivacy Directive only apply to provision of publicly available electronic communications services in public communication networks is regrettable because private networks are gaining an increasing importance in everyday life, with risks increasing accordingly, in particular because such networks are becoming more specific (e.g. monitoring employee behaviour by means of traffic data). Another development that calls for reconsideration of the scope of the Directive is the tendency of services to increasingly become a mixture of private and public ones.”23

In light of the above, the requirement of “public” networks and services might be abolished in the future. Evidently, that would broaden the scope of the European legal framework regarding electronic communications to a large extent, and it is questionable whether that is warranted for small-scale private networks or services.

(4) RFID, WiFi, and Bluetooth are fairly general technologies that transmit data in a wireless way. As such, they fall within the very wide definition of electronic communications network, since they concern a transmission system to convey signals by electromagnetic means. Often, applications using RFID, WiFi, and Bluetooth will also conform to the definition of electronic communications service, if the application can be considered a service. In most cases, these technologies are embedded in some sort of system that can be considered a service, if we go by the general meaning of this term.
23 cf. Art.29 Working Party, Opinion 8/2006 on the review of the regulatory Framework for Electronic Communications and Services, with focus on the ePrivacy Directive 1611/06/EN, WP 126, p.3.

Processing of traffic data

The main provisions in Directive 2002/58 regarding the processing of traffic data and location data are Arts 5, 6 and 9. Article 5 concerns the confidentiality of communications and the related traffic data. In particular, eavesdropping, wiretapping, storage, or other types of interception or surveillance of communications, by persons other than users without the consent of the users concerned is prohibited, except when legally authorised in accordance with Art.15(1) (which contains exceptions for security and law enforcement purposes). Article 6 of the E-Privacy Directive lays down the ground rule for traffic data “relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service”. These data must be erased or made anonymous as soon as they are no longer needed for the purpose of the transmission of a communication. Under certain conditions, an exception is allowed for traffic data that are necessary for the purposes of subscriber billing and interconnection payments, as well as for traffic data for the purpose of marketing electronic communications services or for the provision of value-added services. However, certain conditions apply to these exceptions: the duration of the processing must be restricted to what is necessary to perform the task or service; the subscriber or user must be informed of the types of traffic data which are processed and of the duration of such processing; and the processing is only allowed by persons acting under the authority of providers of the public communications networks and publicly available electronic communications services. Again, there may also be exceptions for security and law enforcement reasons.

As described above, traffic data may be considered personal data in several instances. If so, the regime set out here supplements the rules laid down by Directive 95/46, meaning that these rules also need to be taken into account when processing the “personal traffic data”. Therefore, in addition to the specific rules of Directive 2002/58, the general provisions regarding the processing of personal data, such as the obligation to inform as laid down in Arts 10 and 11 and the rights to access and to object as described in the Arts 12 and 14 of Directive 95/46, also apply to personal traffic data.

Processing of (non-traffic) location data

Article 9 of Directive 2002/58 concerns the processing of location data other than traffic data. As described before, location data usually can be qualified as personal data. So, for these data the obligations and rights laid down in Directive 95/46 apply besides the specific provision in the E-Privacy Directive. For location data that are not personal data, e.g. relating to telecommunications subscriptions by legal persons, only Directive 2002/58 applies.
Article 9 of Directive 2002/58 states that location data other than traffic data “relating to users or subscribers of public communications networks or publicly available electronic communications services” may only be processed if the data are made anonymous, or with the consent of the users or subscribers of the service to the extent and for the duration necessary for the provision of a value-added service. Paragraph 2 of this provision states that, if there is consent by the users, there has to remain the ability for the user to refuse the processing temporarily. In addition, the processing has to be limited to the duration necessary to provide this service. Therefore, with regard to location data other than traffic data, unnecessary processing is prohibited, unless the derogation of Art.15 applies to the situation. As already mentioned, Art.15 mainly relates to the use of traffic and location data by public authorities for purposes of safeguarding national security and law enforcement. It allows Member States to pass legislation to allow access of public authorities to such data and to mandate data retention, without consent of data subjects.

Whereas Directive 2002/58 prescribes consent of the data subject or a legally authorised situation under Art.15, Directive 95/46 also offers a weighing of the relevant interests to justify processing of personal data (Art.7(f)). The absence of this ground in Directive 2002/58 means that this option does not apply to location data or traffic data generated solely because of electronic communications. Therefore, in private relationships as well as in government service provisioning, only consent can be a legal ground for processing location or traffic data. According to the definition in Art.2(f) of Directive 2002/58, “consent” by a user or subscriber corresponds to the data subject’s consent in Directive 95/46, meaning that consent must be freely given, specific, and informed. The data subject herself therefore has to give the prior informed consent. In hierarchical relationships, for example an employer–employee relationship, the requirement that consent must be given freely can be problematic.

Which Directives apply to which types of data?

Above, we have sketched the complex relationship between personal data, traffic data, and location data as well as the Directives and provisions that apply to these data. Generally, the E-Privacy Directive takes precedence over the Data Protection Directive, but the latter supplements the protection of traffic and location data when these are not covered by specific provisions in the sectoral Directive. Under the E-Privacy Directive, different regimes apply to traffic data and location data that are not traffic data. The picture is compounded by the fact that the E-Privacy Directive provisions only apply to public communications. Traffic and location data generated by private networks or in private services are not covered by Arts 5, 6 and 9 of Directive 2002/58; if they relate to individuals, however, the general Data Protection Directive applies. This leads to the following, somewhat complex, picture of applicability of legal provisions to the various kinds of data.

Figure 2. Applicability of the directives to personal, traffic, and location data

[Figure not reproduced: Venn diagram of three overlapping sets labelled personal data, traffic data, and location data, with regions numbered 1 to 7 and parts marked A and B.]


In this figure,24 4A and 5A indicate applicability of Arts 5 and 6 of the E-Privacy Directive, while 7A indicates that Art.9 of this Directive applies. The entire ellipse of 6 indicates the scope of the general Data Protection Directive. Sections 1A, 2A, and 3A show that for some data, the specific provisions of the E-Privacy Directive as well as the general Data Protection Directive apply. As can be seen, and is furthermore explained below, this is only the case in public networks or services (indicated with an “A”). “A” denotes data generated in public networks or services, “B” data generated in private networks or otherwise outside the scope of the E-Privacy Directive, for instance because they do not relate to electronic communications at all. We shall explain the various types of applicability in Figure 2 in some more detail.

(1) The category of traffic data that are also location and personal data, is divided in two subcategories.
    (a) For data generated in public networks or services, Arts 5 and 6 of the E-Privacy Directive apply, imposing requirements such as confidentiality, the legal grounds for processing, storing, and erasure. Other requirements under the Data Protection Directive also apply, when they relate to personal data and are not specifically covered by the E-Privacy Directive, such as several aspects of data quality and data security (Arts 6 and 17 Data Protection Directive).
    (b) For other data, i.e. those generated in private networks or services, only the general Data Protection Directive applies.
(2) The category of personal and traffic, non-location data is divided in two subcategories.
    (a) The same as category (1)(a).
    (b) The same as category (1)(b).
(3) The category of location and personal, non-traffic, data is divided in two subcategories.
    (a) To data generated in public networks or services, Art.9 of the E-Privacy Directive applies, as well as other requirements from the general Data Protection Directive not covered by the E-Privacy Directive.25
    (b) To other data, only the general Data Protection Directive applies.
(4) The category of traffic and location but non-personal data, e.g. relating to business subscriptions, is divided in two subcategories.
    (a) To data generated in public networks or services, only Arts 5 and 6 of the E-Privacy Directive apply.
    (b) Other data are not covered by any legal data-protection instrument.
(5) The category of traffic, non-location, non-personal data is divided in two subcategories.
    (a) The same as category (4)(a).
    (b) The same as category (4)(b).
(6) To personal data which are not traffic or location data, only the Data Protection Privacy Directive applies.
(7) The category of location, non-traffic, and non-personal data is divided in two subcategories.
    (a) To data generated in public networks or services, only Art.9 of the E-Privacy Directive applies.
    (b) Other data are not covered by any legal data-protection instrument.

It is clear that providers of LBS have to answer a lot of questions before they can determine what regime is applicable to the data they are processing in order to provide LBS. These include the following:

• Are the data to be processed “personal data” (see Art.2(a) of Directive 95/46)?
• Are the data to be processed “traffic data” (see Art.2(b) of Directive 2002/58)?
• Are the data to be processed “location data” (see Art.2(c) of Directive 2002/58)?
• Do the data relate to users or subscribers of public communications networks or publicly available electronic communications services (see Arts 6 and 9 of Directive 2002/58 and Art.2(a), (c) and (d) of Directive 2002/21)?
• Is one of the exceptions applicable (see Art.13 of Directive 95/46 and Art.15 of Directive 2002/58)?

24 This figure is easier to comprehend in colour—see Cuijpers et al., D11.5: The legal framework for location-based services in Europe, p.34.
25 For example, information-security measures (Art.17 of Directive 95/46) and the limitation of automated decisions about the data subject (Art.15 of Directive 95/46).

This list of questions, and the ensuing assessment of which legal regime applies, is already quite complex to grasp. Legal uncertainty becomes even more pronounced when we recall, as shown in Table 1 above, that some of the answers are also difficult to give due to uncertainty about the precise scope and meaning of certain terms in relation to LBS technologies. We think that this gives sufficient ground for concluding that with the current fragmented legal regime, legal certainty is virtually absent, both for LBS providers and for LBS subscribers.26 As a result, enterprises developing LBS services may well choose not to offer these services on the European market at all. European consumers would then lose the opportunity to benefit from new and innovative services. Alternatively, and perhaps more likely, business will develop LBS and offer them on the market with disregard for the legal framework of consumer protection rules, and unaware of which rules apply in the first place. As to consumers, they are subjected to violations of their data-protection rights about which they, too, know nothing. For example, in the scenario which we described in the first paragraph of this article, a user of various value-added location-based services may not have been asked consent for processing precise location data (as required under Art.9 of Directive 2002/58), so that he is unaware that the provider knows exactly where he has been—the museum and an Italian restaurant in a certain town. 
Perhaps he does not mind his eating preferences to be known, but he may be embarrassed that someone stores his liking for kitschy art museums. He will also not have been aware of his right (also provided for under Art.9 of Directive 2002/58) to temporarily switch off the service, so that his in-between visit to the red-light district (which we were discreet enough not to mention in the introduction) is unregistered. Thus, since the legal framework is too complex and unclear to be fully embodied in the provisioning of innovative LBS, resulting in confusion over or ignorance of legal rights and obligations, it will be quite impossible for consumers to complain about and get compensation for violations of their rights.

26 For a more detailed analysis, see Cuijpers et al., D11.5: The legal framework for location-based services in Europe, above fn.1, section 4.5, which outlines even more issues that complicate applying the legal framework in practice, such as problems regarding who should consent to what and in what way in order for the provision of LBS, differences resulting from direct and indirect provision of LBS, and different legal approaches concerning direct and indirect access to data needed in order to provide LBS.

Conclusion

In the case of LBS, the legal framework for processing data, whilst designed to facilitate the free flow of data in the internal market and protect consumers and other vulnerable parties, fails to achieve these goals. This is due to the complex patchwork of legal rules that apply to the provision of LBS. The fragmentation in this case is probably the result of the European legislator’s choice, in the terms of Collingridge’s dilemma, to intervene in the early stage of LBS (the E-Privacy Directive dates back to 2002, when LBS was in its infancy), when the technology and market were still quite steerable but when the consequences could not quite be taken in. Now the technologies and market have further developed, with unforeseen new supporting technologies like RFID and sensor-based systems, the fragmentation of protection rules, even in only two Directives, turns out to lead to complexities in the European legal framework that make the rules difficult to apply in practice, thereby jeopardising consumer protection.
Moreover, the complicated, partly overlapping, definitions are susceptible to multiple interpretations, which, together with the margin of appreciation left to Member States, invites considerable variation in national implementations and therefore a lack of harmonisation.27 Consequently, fragmentation erodes both pillars of European law-making in the area of consumer protection: neither harmonisation nor a high level of protection is achieved. The legal uncertainty caused by fragmented rules both constitutes a disincentive to promising new technologies and services within the internal market and undermines an adequate level of consumer protection throughout the European Union. Although it is particularly illustrative, the case of LBS is certainly not unique in this respect; a fragmented legal framework, related to consumer protection rules, is also visible, for example, in financial services and in health care.28

27 This is illustrated in the several country reports in Cuijpers et al., D11.5: The legal framework for location-based services in Europe, above fn.1, pp.59, 76, 91–93 and 105.
28 See European Financial Services Round Table, Consumer Protection—Consumer Choice Deepening EFR’S Concept on Consumer Protection in Retail Financial Services (January 2006), p.3, available at http://www.efr.be/members/upload/news/23328EFRCPWP.pdf [Accessed October 2, 2008]. For an overview of the fragmented regime on patient’s rights in the EU, see T. K. Hervey and J. McHale, Health Law and the European Union (Cambridge University Press, 2004). See also the preamble and Art.3 of the Proposal for a Directive of the European Parliament and of the Council on the application of patients’ rights in cross-border healthcare COM(2008) 414 final.


Consumer protection rules are spread across a multitude of European legal instruments, and this fragmentation is widely considered to be one of the most fundamental problems today in achieving a truly adequate level of consumer protection in the European Union.29 The review of the Consumer Acquis, which promises to tackle the problem of fragmentation, is therefore very welcome indeed. However, if we look at the measures currently proposed for consumer empowerment, the review’s focus on only eight Directives will leave important gaps in specific situations in which consumer protection is of the utmost importance. We have shown in this article how the patchwork of protection rules in the Data Protection and E-Privacy Directives, which are not included in the list of eight directives in the Review, diminishes consumer protection in the emerging market of LBS. Again, LBS is just an example of a new application in which the two data protection directives fail to achieve adequate consumer protection. One can easily think of other developments that may have negative consequences for consumers and to which the data protection directives cannot so easily be applied, such as RFID, peer-to-peer systems, social network sites, and group profiling. If consumers are to act safely and be treated fairly in the information society, the review of the Consumer Acquis cannot overlook the Data Protection and E-Privacy Directives. A similar case can be made for Directives in other sectors with fragmented consumer protection rules, such as financial services and health care. The lack of comprehensiveness of the Consumer Acquis review does not necessarily mean it will not be beneficial to consumers’ position in certain respects that go beyond the scope of the eight Directives under review. 
The proposed Horizontal Instrument does concern some issues of a more general nature, such as clarifying the definitions of consumer and professional.30 Nevertheless, the above analysis clearly demonstrates a need for broadening the scope of the Review of the Consumer Acquis. Only then will it be able to reach its main aim to, “achieve a real consumer internal market striking the right balance between a high level of consumer protection and the competitiveness of enterprises, while ensuring the strict respect of the principle of subsidiarity”.31

29 Green Paper on the Review of the Consumer Acquis COM(2006) 744 final; EU Consumer Policy strategy 2007–2013, empowering consumers, enhancing their welfare, effectively protecting them, COM(2007) 99 final.
30 The Horizontal Instrument consists of adopting “one or more framework instruments to regulate common features of the acquis, underpinned whenever necessary by sectoral rules”: see Green Paper on the Review of the Consumer Acquis COM (2006) 744 final, pp.7–9.
31 Green Paper on the Review of the Consumer Acquis COM(2006) 744 final, p.3.
