Kein Folientitel

1
Mobile Web Privacy Lukas Gundermann Independent
Centre for Privacy Protection Schleswig-Holstein l
d2_at_datenschutzzentrum.de
2
Basic Notions

• Self determination with regard to personal data
  The right to control who gets which personal
  information at which opportunity
• Personal data (data relating to a person) Any
  information concerning the personal or material
  circumstances of an identified or identifiable
  individual (the data subject).
• Data protection Not protection of data but
  protection of people against unauthorised use of
  personal data ( privacy)
• Data security means of data protection

Mobile Web Privacy - 2 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
3
Location Data as Classic Traffic Data in
Telecommunication

• Traffic data Information about the circumstances
  of a telecommunication process
• E.g. Who called whom at which time?

Mobile Web Privacy - 3 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
4
Location Data as Classic Traffic Data in
Telecommunication

• Consequences There is already the danger of
  creating a profile of the movement of the user
• Due to the size of the cells it is only rough

X

• Store the location information about the active
  telecommunication processes(Legal competence?)

• Dont store the mere stand-by signal

Mobile Web Privacy - 4 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
5
Additional Personal Data on the Internet

• With the internet (especially the www) new
  information emerge
• Traffic data contains additional information
  regarding the services customers use
• Without encryption that information can be easily
  tapped on the way through the net
• More important It can be collected at the web
  server, a user profile can be created(especially
  with banner ad companies)

Mobile Web Privacy - 5 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
6
Bringing it all together The Mobile Web

• For the intended services the location
  information must be much more precise
• Tracking users movements is part of the service,
  this can include creating a profile
• The services will be offered by third parties -
  There will be a greater number of recipients of
  data
• Conclusion A greater volume of more precise
  location data will be spread to a larger number
  of persons and organisations

Mobile Web Privacy - 6 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
7
Solutions Consent of the Users 1

• Absolutely crucial Users have to give their
  clear and unambiguous consent
• It must be an informed consent, meaning that
  users have to be well informed about
• which data will be collected,
• for what purpose they will be used
• when they will be deleted etc
• Problem Is there a gradation of consent?

Mobile Web Privacy - 7 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
8
Solutions Consent of the Users 2

• Gradation of consent Allowing some services to
  receive location data, others not
• Data processing is limited to the consented
  purposes for different purposes a new consent
  would be necessary
• A special consent is necessary for transfer of
  data to third parties
• Users must have access to their own personal data
  and profile

Mobile Web Privacy - 8 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
9
Solutions Consent of the Users 3

• Important Having the possibility to withdraw the
  consent at any time for the whole service or
  only for parts of it
• An appropriate legal framework is necessary but
  not sufficient.
• There also have to exist technical means for this
  kind of consent-management

Mobile Web Privacy - 9 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
10
Solutions Anonymity / Pseudonymity

• For delivering the service it is not always
  necessary to know the users identity
• What is necessary is to link a profile to always
  the same user
• There are also more or less pseudonymous or
  anonymous techniques of payment available
• Pseudonymous profiling would also be permitted
  according to the German law (Teleservices Data
  Protecion Act)

Mobile Web Privacy - 10 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
11
Legal Framework 1

• European law The 1997 directive (97/66/EG) on
  protection of telecommunication data covers
  location data as subspecies of traffic data
• Processing of this kind of data is only permitted
  if necessary for the service itself or for
  billing purposes
• A proposal for a new directive makes it even
  clearer It has special provision for location
  data
• According to that provision location data can
  only be processed if made anonymous or with the
  users consent.
• There is one exception that needs to be discussed

Mobile Web Privacy - 11 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
12
Legal Framework 2

• German law The 1996 Telecommunication Act (TKG)
  covers location data as traffic data in
  telecommunication
• Processing is only permitted if necessary for the
  service or for billing purposes and some purposes
  that are closely connected
• The 1997 Teleservices Data Protection Act covers
  the processing of personal data by ISPs
• It applies also on the web based services that
  work with location data.
• The provisions are alike the ones of the TKG, but
  in addition the Act allows pseudonymous
  profiling.

Mobile Web Privacy - 12 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein
13
Conclusions

• There are first steps towards a legal framework
  for mobile web applications in Europe ,
  nevertheless there is still some work to be done
• Most important at the time being is to develop
  mobile devices that give users control over their
  location data
• It is necessary not to have only a general option
  but to be able to give a graduated consent and
  withdraw it at any time
• Besides, technical means should be developed,
  that serve the principle of minimisation of data
  and allow the anonymous provison of mobile web
  services.

Mobile Web Privacy - 13 / 13
Independent Centre for Privacy Protection
Schleswig-Holstein