A few days ago, the European privacy group NOYB (None of your business) filed an appeal against a decision of the Spanish Data Protection Authority (AEPD) regarding the phone provider Virgin Telco refusal to provide the location data it has stored about a customer after this person asked for it in December 2021. Now the case is in the hands of the Audiencia Nacional (Spain’s national court).
Even though The European Charter of Fundamental Rights and the GDPR grants the right of everyone to access his or her personal data on its Article 15, Virgin Telco argued that only authorities during criminal investigations may have access to location data and gave no explanation as to why the fundamental right to access would not apply in this client’s case. Furthermore the law doesn’t contain such limitations when specifying that authorities have access to this information, broadly understood a person would also have access to their own information..
“The fundamental right to access is comprehensive and clear: users are entitled to know what data a company collects and processes about them – including location data.” said Felix Mikolasch, Data Protection Lawyer at NYOB. “This is independent from the right of authorities to access such data. In this case, there is no relevant exception from the right to access.”
The European Union defines personal data as “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.” And, when it gives examples about data that is considered as personal, location is one of them.
Moreover, the GDPR defines it as “‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” on its Article 4.
Nevertheless, The Spanish DP authority refused the report and sided with Virgin Telco has led us to question their decision and think about if there really is a uniform classification at a European level when it comes to defining location as personal data.. Now it is time to see what the Audiencia Nacional thinks about it.
There was a similar case in Austria, where NOYB filed an appeal in November 2021 when the Austrian data protection authority confirmed the refusal of the mobile operator to give its client access to their data, based on a questionable interpretation of national law.
Based on the European regulations, Eticas considers location as personal data to which a user has the right to access when it is collected.
Having the location data from people, gives us much more information than where they are. By having their location at night, we can find out where they live. By knowing their location during the day, we guess that this is where they work. And, when their location is presented alongside someone else’s location we may understand who they talk to, sleep with or spend time with.
That is quite a lot of very sensitive information, right?
It is time to see if the Spanish court aligns its decision with the current European regulation. It is not surprising that there are more and more voices calling for more uniformity and assertiveness when it comes to applying the GDPR with the same rigor throughout Europe.