Privacy and security are hot topics relative to the use of location data. While there are several bills circulating in Congress, and some initiatives in the Executive Branch, not much has changed in the U.S. over the last five years because the law and policy environment is so much more reactive than proactive in the U.S. Unfortunately, the U.S. is playing catch up with the technologies. Internationally there are more efforts to regulate certain areas and to regulate location privacy. For example, in the past couple of years European privacy regulators have focused on Google Street View, RFID technology and mobile applications. We were pleased to speak with Kevin Pomfret of the Centre for Spatial Law and Policy on his perspective of the legal and policy landscape, the burning issues for providers and users of location, and the future of best practices and guidelines.
LBx: Is there something particularly special about geodata?
Pomfret: One unique aspect of geodata is that it is so versatile. It can be used for a variety of purposes – both positive and negative – which can create more risks. For example, in an emergency, knowing the exact locations of individuals can save lives; but that same technology could also be used to stalk someone without proper controls. From a consumer perspective, lawmakers are very concerned with the potential of geospatial technology to stalk people.
However, they are struggling with how to define what privacy is from a location perspective. Privacy from a location perspective is not as simple as protecting a social security number or medical records (areas of privacy law that are already protected). For example, what is it that is private relative to location? Is it within a few feet or within a zip code? Is there a temporal component to it? One of the challenges will be defining what location privacy is in the United States.
LBx: Who owns the data of an individual’s location?
Pomfret: Some argue that the individual should own the data, determine how it should be used and give consent to how third parties use the data. Others believe that whoever collects the data should own it. However, in either case, the key issue is what right does a third party have to use the data.
LBx: What are the most important concerns for companies that provide location data?
Pomfret: There are three areas of exposure that providers should pay attention to:
- Privacy It is not always obvious to a company that a dataset may be subject to privacy concerns because the provider may view the data as innocuous or publicly available. However, companies need to pay attention to the bills currently before Congress because one of the issues being addressed is the privacy implications associated with the aggregation of data and whether individuals can be identified or targeted.
- Intellectual Property Most geospatial data products and services are based on a compilation of various datasets that are subject to different licensing arrangements. Often this is not well understood within an organization beyond a legal department. It is critical that companies understand the restrictions and limitations on their right to use data, and how these impact existing and future products and services.
- Data quality In a world where millions of people are accessing location information for a variety of different reasons, providers of location information must recognize that the users of their data or applications are not always experts in geospatial technology. Moreover, consumers often receive greater protection under the law than businesses. Businesses will need to consider various scenarios in the design of products and services to mitigate against the consumers’ potential misuse.
LBx: Similarly, what is the most important concern for users of location data?
Pomfret: Business users need to make sure that they have the rights to use the data. This means understanding the rights under the various license agreements under which they received the data and how terms are defined. When combining various databases, the first question a user needs to ask is, “do I have the right to do this under my license agreements?”
Secondly, understanding the allocation of risk in every location information transaction is becoming increasingly important. There is risk associated with usage and data quality. Is the dataset being relied upon complete? Is it sufficient for the intended use of the product or service, especially if the user is reselling it? Usage rights are not fully appreciated in the community right now. There needs to be attention to how the data will be used. For example, if the data is being used for navigation purposes then the provider needs to make sure that the data is not going to be used in a manner that runs afoul of state or national laws. Providers must comply with the laws and make sure that the data is not collected in a way that violates privacy laws.
LBx: How do cloud-based services factor into these considerations?
Pomfret: The cloud complicates things. There is always increased complexity when a third party is involved, such as a provider of cloud services. Whenever there is someone or an organization outside of your control, there is increased complexity and therefore increased risk. Location data is inherently multi-dimensional – which also creates uncertainty.
Usage rights are not fully appreciated in the community right now.
LBx: How does the law treat companies and individuals differently when it comes to location data and privacy versus security and confidential information?
Pomfret: The approach to companies and individuals will be different. The concerns about individuals using location data are regarding the ability to track other individuals, especially within a relationship of concern. In other words, from an individual perspective, the greatest concern right now is the ability to use location data to stalk another person. In a business relationship, the concern is the ability to aggregate datasets and make decisions that impact an individual’s privacy based on that data – for example, using location information for making decisions on insurance rates or for personalized advertising. The ability to aggregate data with a broader range of datasets, integrate it into multiple applications, and distribute it across multiple technology platforms, subjects the use of the data to greater uncertainty.
LBx: Are there any best practices in the space?
Pomfret: There are a few efforts to develop best practices. For example, CTIA (The Wireless Association) has developed best pract-ices for mobile devices; Australia and New Zealand have developed guidelines for the use of government data. Although these are a couple of examples of best practices for privacy, they are not necessarily complete as they reflect a narrow constituency. Nonetheless, they are starting points and worth reviewing.
LBx: What about best practices on the business side?
Pomfret: It’s difficult to comment on that as the business situations vary so much. However, I do believe that we will see geospatial audits in the near future as a means of ensuring compliance with licensing agreements, adequate quality control, ensuring that customers are using the data appropriately, and protecting against foreseeable misuse. My sense is that its use will evolve depending on the company and the importance of the respective issues. For example, it may come from the finance office to make sure that all of the revenue is being collected from customers under license agreements. As location becomes an important component of products and services, best practices and legal frameworks will evolve as compan-ies will require processes to understand all of their location information transactions, potential liability and privacy implications.