On April 29, 2020, the Agency for Access to Public Information (the “AAIP”, by its Spanish acronym) issued a statement through its website informing how personal data should be processed in the use of geolocation tools, especially in the context of the health emergency due to the COVID-19.
In this connection, the AAIP communicates that the Personal Data Protection Law No. 25,326 (“DP Law”) and Convention 108 for the Protection of Persons with regards to the Automated Processing of Personal Data, approved in our country by Law No. 27,483, do not prohibit monitoring the location of people, but the data processing measures that are implemented must be carried out regarding the human right to privacy of people.
Then, the AAIP outlines the fundamental principles of the current data protection regulations that apply to the use of geolocation and tracking tools, whether these tools are used by the public sector, the private sector or both in collaboration:
Point 1. All information referring to the location of persons and/or their movements constitute personal data, protected under DP Law. In order to collect and further process this category of information, it is necessary that the controller relies on the legal bases set forth in Article 5 of the DP Law. The collection of location data may be performed when:
- The data subject has given his prior, express, and informed consent. Consent may be obtained through the acceptance of terms and conditions in an application or web platform.
- Data are obtained from sources of unrestricted public access.
- Data are collected for the exercise of functions proper to the powers of the State or by virtue of a legal obligation.
- Data arise from a contractual, scientific or professional relationship of the data subject and is necessary for its development or fulfillment
Point 2. Location data is defined as information collected by a network or service about where the user’s phone or other device is or was located. For example, it would be possible to track the location of a mobile phone from the data collected by base stations on a mobile phone network.
Point 3. Location data can be inferred by GPS (global positioning system), cell towers (mobile phone operators), Wi-Fi networks, Bluetooth, or a combination of signals.
Point 4. These data may be held by:
- Telecommunications service providers (provide central service to have a connection).
- Internet service providers.
- Value-added services, such as applications downloaded by the user who consents to the processing of traffic data or location data.
Point 5. The State agencies will be authorized to carry out the monitoring as long as they do it within the scope of their specific competence. Said competence must be interpreted strictly and not broadly. When they do not have this authorization, monitoring must be based on another alternative legal basis, such as consent.
Point 6. For the assignment of data referring to the location of a person and/or their movements between public agencies, the consent of the data subject is not required to the extent that the assignor has obtained the data in the exercise of their functions, the assignee uses the data intended for a purpose that is within the framework of its competence and, finally, the data involved are adequate and do not exceed the limit of what is necessary in relation to this latter purpose (Criterion 5 of Resolution No. 4/2019 of the AAIP).
Point 7. Controllers may carry out monitoring activities if the data are dissociated, in which case Law 25,326 is not applicable because dissociated data is not personal data. The location data will be considered dissociated when the procedure that must be applied to achieve the identification of a person requires the application of disproportionate or unviable measures or deadlines (Criterion 3 of Resolution No. 4/2019 of the AAIP).
Point 8. When monitoring is authorized by the consent of the data subject, the controller of the processing of personal data must give the data subject the opportunity to withdraw it at any time.
Point 9. In order to monitor or follow the geolocation of a person, those controllers of the processing of personal data must at all times respect the principle of data quality provided for in Article 4 of the DP Law. This implies that:
- The personal data collected for the purpose of processing must be true, appropriate, relevant, and not excessive in relation to the scope and purpose for which they were obtained. In the specific case of geolocation monitoring or tracking, this should be limited to purposes associated with mitigating the effects of the COVID-19 and should not arbitrarily interfere with the privacy of the person who is being monitored.
- The data collection cannot be done by unfair, fraudulent means or contrary to the provisions of DP Law. Monitoring should be done in the open, informing the population.
- The data object of monitoring cannot be used for purposes other than or incompatible with those that motivated their collection. Monitoring cannot be extended to other purposes that are not related to mitigating the effects of the COVID-19.
- The data must be accurate and updated if necessary. It is essential that the tool is accurate and that it does not give rise to mistakes that could generate a negative effect or harm a right of the data subject.
- The total or partially inaccurate data, or incomplete data, must be deleted and replaced, or, if necessary, completed, by the data controller when there is knowledge of the inaccuracy or incompleteness of the information.
- The data must be stored in a way that allows the exercise of the rights of access, rectification and suppression of personal data established in Articles 14 and 16 of the DP Law.
- The data must be destroyed when no longer necessary or pertinent to the purposes for which they were collected. When monitoring has been withdrawn by the data subject or when its purpose has been fulfilled, for example, because the COVID-19 pandemic has concluded, the data should be deleted. The storage must allow personal data to be identifiable to facilitate the subsequent suppression.
Point 10. The controller must also comply with the principle of information provided in Article 6 of the DP Law. This means that the controller must clarify how and why he/she/it tracks people, where the information is stored, with whom that data is shared, the consequences of the processing, and the possibility that the data subject has to exercise their rights to access, rectification or suppression.
Point 11. Likewise, the data must be stored so that the principles of security and confidentiality provided for in Articles 9 and 10 of the DP Law are complied with. For these purposes, it is recommended to adopt the security measures established in Resolution N°47/2018 of the AAIP.
Point 12. Given that monitoring the location and/or movements of a person have the potential to affect both the privacy and other rights of the data subjects, it is recommended that the controller carry out an impact assessment prior to the application of the tool, in order to control and mitigate its risks, as well as assess its viability. Said impact assessment may be carried out in accordance with the Data Protection Impact Assessment Guideline, which was jointly prepared by the highest data protection authorities in Argentina and Uruguay, the AAIP and the Regulatory and Personal Data Control Unit, respectively.
Likewise, the AAIP notes that (i) anyone who considers that their privacy or personal data are being affected, can file a complaint within the AAIP (ii) public and private institutions that apply or plan to apply a geolocation tool can make inquiries about the scope of the DP Law before the AAIP.