New Recommendations from Agency of Access to Public Information on Use of Geolocation Apps

The Access to Public Information Agency published a series of recommendations for the use of geolocation apps, in the context of the COVID-19 outbreak.

June 4, 2020

On April 29, 2020, the Agency of Access to Public Information (the “Agency”) published a series of recommendations for the use of geolocation apps, in accordance with Data Protection Law No. 25,326 (“DPL”) and Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”).

Although these recommendations were published as a result of the emergency caused by COVID-19 and the use of geolocation apps to counteract it, they are applicable to other cases of geolocation in general.

First, the recommendations reaffirm that monitoring the location of individuals is not prohibited, provided that such monitoring respects the human right to privacy. In this regard, they list fundamental data protection principles applicable to geolocation tools, whether used by the public sector, the private sector, or both in collaboration. These principles are:

  • All information regarding a person’s location and/or movements constitutes personal data protected by law, and therefore its processing must comply with a legal basis (Article 5, DPL).
  • Location data is defined as “information collected by a network or service about where the user’s phone or other device is or was located.” Similarly, the Agency understands that location data can be obtained by GPS, cell phone towers, Wi-Fi, Bluetooth or a combination of signals.
  • This data may be held by telecommunication service providers, internet service providers, or value-added services (i.e. the same applications).
  • Geolocation data may be processed by State agencies without the consent of the data subject to the extent that they do so within their specific powers – which must be understood in a strict and restrictive sense. Otherwise, they must have the consent of the data subject. The same principle applies to transfers of data between State agencies.
  • Dissociated location data falls outside the application of the DPL, as it does not qualify as personal data.
  • The data subject must have the possibility to revoke his/her consent to monitoring at any time.
  • Those responsible for processing personal data related to location or monitoring the location of a person must do so in compliance with the principle of quality of the data (Article 4, DPL).
  • The data controller must inform the data subject how and why the data is being monitored, where the information is stored, with whom it is shared, the consequences of the processing and the possibility for the data subject to exercise his or her rights of access, rectification or deletion.
  • The storage of data must respect the principles of security and confidentiality (Articles 9 and 10, DPL).
  • It is recommended that a privacy impact assessment be carried out before implementing this type of tool, to control and mitigate its risks as well as to assess its feasibility.

Finally, the Agency provides a complaint channel for any person who considers their privacy and/or personal data to be affected by the use of geolocation apps, and provides a source of consultation for public and/or private institutions with an interest in these apps.