The USA is ready to match the toughness of rules in Europe and elsewhere, governing retention and use of location-based data, which is collected primarily from smartphones.
The FCC launched an investigation into the matter in late August this year. This coincided with action by the Federal Trade Commission (FTC) against Idaho-based data broker Kochava for “selling geolocation data from hundreds ofms of mobile devices that can be used to trace the movements of individuals to and from sensitive locations”. Such locations include abortion clinics, rehabilitation centers and domestic violence shelters.
Data brokers have come under greater scrutiny in many countries, partly as a result of increased retention and resale of location-based data, as well as other information relating for example to personal or corporate credit ratings. This touches on other issues such as the role of anonymization in severing associations between data and individual beyond the point of recovery.
Data brokers, also known as information brokers, have grown up in the Internet era as collectors of, and traders in, personal data relating to income, credit worthiness, political beliefs and most recently geolocation, derived from multiple sources including public records, social media sites and indeed telcos. They are currently subject to tighter regulation in the European Union and UK, under GDPR data privacy laws, than they are in the USA, where there is no federal regulation as yet ,and it has been left to individual states to enact laws (only a few have done this yet). The current FTC action could well lead to federal legislation more closely aligned with GDPR.
The data broker issue touches on MNOs as providers of location data, and subject to rules over its subsequent use. But the bigger concern in the USA is the investigation by the FCC, since that will almost certainly impose additional constraints and also expose MNOs to complaints and possible legal actions from their own customers. FCC chair Jessica Rosenworcel opened the investigation by sending questions to the country’s top 15 MNOs and MVNOs, and publicizing some of the responses about how they collect, store and use subscribers’ location data.
As Rosenworcel pointed out: “Our mobile phones know a lot about us. That means carriers know who we are, who we call, and where we are at any given moment. This information and geolocation data is really sensitive. It’s a record of where we’ve been and who we are. That’s why the FCC is taking steps to ensure this data is protected.”
She also asked the FCC’s own Enforcement Bureau to open an investigation into mobile carriers’ compliance with its existing rules, requiring them to disclose fully to consumers how they are using and sharing geolocation data.
Questions posed to operators included what geolocation data they collect and retain, why they collect it, for how long and where it is stored. They were also asked how customers were informed about their data collection policies and any available opt-outs.
Naturally, most carriers claimed to be upfront and transparent with consumers about what data they collect and how it is used. They purported to offer customers choice and to be very concerned over whether they can be trusted with that data.
Where some of the Tier 1 operators became uncomfortable was over the question of data retention, with Verizon stating vaguely that it was kept for “the period for which it is needed for business purposes”. T-Mobile USA was more precise, stating that while some data was only stored briefly, other geolocation data, particularly that related to emergency calls, was stored for two years. The latter resonated with regulations in other countries, such as the UK where emergency 999 or 112 calls are exempt from rules over location data. In the UK, only providers of public communications or value-added services can process location data, and then only if it has been either anonymized or consent has been given by the user concerned.
The need to track location in the event of an emergency is generally considered to trump privacy concerns in those situations. But it is less clear-cut and more contentious when it comes to law enforcement. Responding to these questions from the FCC, MNOs admitted they gave location data, as well as other subscriber information, to law enforcement agencies when they ask for it.
But such obedience to all law enforcement requests may not continue as the issue is coming to the boil in the USA amid some high-profile cases. One concerns a specialist broker called Fog Data Science, which has created a search engine called Fog Reveal that allows law enforcement agencies to browse through location data rather like Google Maps. No warrant is currently needed to track users from unique identification numbers based on location and other data extracted from large numbers of mobile applications, for subscriptions below $10,000 a year. Searches can identify which people were close to the scene of a crime from their mobile location data, as well as being able to correlate this with behavioral and lifestyle information culled from other sources.
Privacy advocates contend quite reasonably that this relatively unrestricted access to such information violates constitutional protections against unreasonable searches. Congress seems to agree, as it is considering a new law that would impose more restraints on use of such data. This is in the American Data Privacy and Protection Act (ADDPA), which has gained bipartisan support but not yet enough to reach President Biden’s desk. It would impose greater restrictions on a range of sensitive data, including browsing history, health information and biometric data, as well as location.
It is highly likely the ADDPA will come into force, which will be welcomed by MNOs because it would bring the USA more into line with the EU under GDPR, and therefore many other countries that have adopted a similar model, while uniting a fragmented data privacy landscape that has significant variations between states at present.
There are some differences from GDPR, such as lack of specific law enforcement obligations at the federal level, still leaving that to individual states. The EU is not a federal country, but at least GDPR violations are prosecuted at a country level.
Over location data, ADDPA is in one sense stricter than GDPR, because precise geolocation would fall under the heading of ‘sensitive covered data’ subject to tight restrictions. By contrast, geolocation is not currently considered a special category of personal data under GDPR, although that may change.