General Data Protection Regulation and the Locus Charter

This entry is part 4 of 5 in the series June 2022

Helping geospatial professionals to work ethically with location data

Responsible data use is key to many professionals, not just in the geo and location industries. Data and privacy has been on our radar for a number of years now, and in recent years it has come to the forefront with the advent of General Data Protection Regulation (GDPR) in the UK and the European Union. There is no equivalent federal law in the U.S., but a number of states have laws that cover similar areas. For example, the California Consumer Privacy Act (CCPA) and the Nevada privacy law.  

While most consumer data laws cover data about individuals, there is relatively little in them to do with location. Even GDPR, the most comprehensive of the various data protection laws, only mentions location in that someone’s location is their personal data, and so it is covered by the law. However, we all know that location data is really useful and certainly could be used to very easily identify an individual.  

Mobile phones accelerated the quantity and detail of location data that is available. With a significant proportion of the population carrying around a piece of technology, all day every day, that has the ability to track their location to the nearest 10 feet or so, there is potentially a huge amount of location data about individuals available. This has clear benefits, with being able to get satellite navigation directions on your phone or find the nearest gas station. But, there is also a clear risk as well—people may not want their location data shared for a whole range of different reasons.  

With the Coronavirus pandemic, the need for contract tracing has emerged and the necessity for mobile phones to do this. A number of different approaches were developed and discussed, with many countries using a decentralized approach to manage this.  

Ethical use of data is a fundamental underpinning of GDPR and most privacy regulations. However, location data doesn’t often get an explicit mention so it can be hard to know how GDPR applies to location data. We all know “with great power comes great responsibility,” but knowing what we need to do when working with location data can sometimes be tricky. This is where the Locus Charter comes in, which outlines best practice for working with location data.  

The Locus Charter is a set of proposed common international principles to support responsible practice when working with location data. It was developed by the Benchmark and EthicalGEO initiatives and released in 2021. The idea is to provide a framework of principles to help understand and manage the potential risks of working with location data. There are no rules or laws, but it is an approach to working with location data to help people who want to do the right thing and work with data in the right way. It can be used as a checklist of things to think about and as a conversation starter to talk about ethics in using location data.  

The main vision for the Locus Charter is, “A world where location data is utilized for the betterment of the world and all species that live in it.” This covers a huge range of topics and is intentionally broad and all encompassing. It is very much a framework. There are no easy answers as to how to use location data ethically. The charter acts as a list of questions or things to think about when working with location data. It consists of these 10 founding principles . 

1. Realize Opportunities: Location data offers many social and economic benefits, and these opportunities should be realized responsibly.

2. Understand Impacts: Users of location data have a responsibility to understand the potential effects of their uses of data, including knowing who (individuals and groups) and what could be affected, and how. That understanding should be used to make informed and proportionate decisions, and to minimize negative impacts.

3. Do No Harm: Physical proximity amplifies the potential harms that can befall people, flora, and fauna. Data users should ensure that the individual or collective location data pertaining to all species should not be used to discriminate, exploit, or harm. Rights established in the physical world must be protected in digital contexts and interactions.

4. Protect the Vulnerable: Vulnerable people and places can be disproportionately harmed by the misuses of location data and may lack the capacity to protect themselves. In these contexts, data users should take additional care, act proportionately, and positively avoid causing harm.

5. Address Bias: Bias in the collection, use, and combination of location datasets can either remove affected groups from mapping that conveys rights or services, or amplify negative impacts of inclusion in a dataset. Therefore, care should be taken to understand bias in the datasets and avoid discriminatory outcomes.

6. Minimize Intrusion: Given the intimate and personal nature of location data, users should avoid unnecessary and intrusive examination of people’s lives and the places they live in, that would undermine human dignity.

7. Minimize Data: Most business and mission applications do not require the most invasive scale of location tracking available in order to provide the intended level of service. Users should comply with practices that adhere to the data minimization principle of using only the necessary personal data that is adequate, relevant, and limited to the objective, including abstracting location data to the least invasive scale feasible for the application.

8. Protect Privacy: Tracking the movement of individuals through space and time gives insights into the most intimate aspects of their lives. In the rare cases when aggregated and anonymized location data will not meet the specific business or mission need, location data that identifies individuals should be respected, protected, and used with informed consent where possible and proportionate.

9. Prevent Identification of Individuals: As an individual’s mobile location data is situated within more and more geospatial context data, its anonymity erodes, measures should be put in place to prevent subsequent use of the data resulting in identification of individuals or their location.

10. Provide Accountability: People who are represented in location data collected, combined, and used by organizations should be able to interrogate how it is collected and used in relation to them and their interests, and appeal those uses proportionate to levels of detail and potential for harms.

These founding principles cover a lot and have some very good ideas behind them. However, what does this mean from a practical point of view for people who work with location data? How can it help data users understand what they can, cannot, should, and should not do with their data? What actions can we take to help with this? 

The Locus Charter is a starting point; and this is a key bit—there are no cut and dried answers. What we as practitioners have to do to be “ethical” when working with our data very much depends on what data we are working with and what area we are working in.  

The first step is to be open to a conversation about what we are doing and what is ethical. This could be an internal discussion over a dataset you produce and sell. It could be a discussion with a client over their data, or what they want to do with a set of data. Currently, many organizations don’t do anything in this area, so the act of thinking about it is a great starting point.  

Some companies implement this across many different sectors. For example, by talking about ethics in their recruitment process and having a checklist of what the company does and does not do. Prospective employees are asked to consider this, and the aim is for the employees’ ethics to match the companies’ ethics. This was developed from a long-term discussion within the company about what they want to do—and this is something we can all do, whether we are a one-man band or a large multinational company. Be open to talking about ethics.  

Geospatial ethics is not a separate discussion to wider data ethics. It is part of a bigger picture, and we need to remember this. In some ways geospatial data are a key part of this, and the discussions we have are sometimes more important because location data can often have more power than other data, which makes these conversations and discussions more important and have a higher impact. Particularly important are vulnerable populations who are specifically identified in one of the principles. Ethics are also included as a part of many CPD programs, and I am sure the Locus Charter will become a key part of these as well.  

The most important key principles are the first four: 

Principle 1, Realize Opportunities: It is easy to fall into the trap with ethics for it to become a list of what you must not do. The Locus Charter attempts to avoid this by focusing on the opportunities of using location data—and there are many opportunities. Then the focus is on realizing these opportunities responsibility.  

Principle 2, Understand Impacts: The responsible use of location data is built on by understanding the impacts of using location data. Many clients we work with collect lots of data but have little idea of what it is or what it could be used for. As users of location data, we have the responsibility to understand the potential effects of uses of location data, to explain this to our clients if needed, and then use this to make informed and proportionate decisions and to minimize negative impacts.  

Principle 3, Do No Harm: Do no harm is one of the key principles of the charter and this is very much a conversation starter. What harm could our data potentially do, and what can we do to manage this? A nice example of this is when working with protected species, it might be that a remote sensing company has the potential to know rhino locations, potentially even to the detail of tracking individual animals in real time. However, they would probably decide not to share this data publicly because of the risk of poachers using this data to know where to target their activities. A compromise might be to release lower resolution data on location, which still provides some useful information about where rhinos are found but not the detail that will endanger specific individuals.  

Equally, there is much to be said about how we define harm. Different people will give different responses to this, and these need to be managed appropriately. For this, we can gain knowledge from different sectors. For example, in the area of refugee aid this is well understood: getting the help to provide aid but being aware of the risks to refugees if this data is misused.  

Equally, when looking at refugees crossing borders, this very quickly involves politics, which makes things more complicated. Initially, the key element is to be aware of the variation of definitions, and being open to a conversation within your company or with your clients.  

Principle 4, Protect the Vulnerable: Additionally, a key principle is to recognize that there are some groups who can be disproportionally harmed by misuse of location data, and we need to identify who these groups are and act proportionately to address these.  

Moving Forward 

There are many things we can do to realize opportunities and minimize harm of location data, and the Locus Charter helps outline the first few steps. The charter is continually being developed and improved. Find out more at the website www.ethicalgeo.org/locus-charter/ and you can join the community to find out new developments and help this charter evolve. ′

Explaining General Data Protection Regulation?

The General Data Protection Regulation is a law on data protection and privacy brought in by the European Union in May 2018. It sets the provisions and requirements for companies who process individuals’ personal data. The location of the individual is important. For example, if an organization based in the U.S. holds an individual’s data who lives in the UK, then the GDPR applies to them. 

There are seven key principles to the General Data Protection Regulation: 1) that data is used lawfully, fairly, and transparently; 2) for a specific purpose with opt in consent; 3) only the required data is stored; 4) the data is accurate; 5) the data is only stored for a limited period; 6) the data is stored securely; 7) those holding the data are held accountable. 

General Data Protection Regulation is similar in scope to the California Consumer Privacy Act and has also been adopted by a range of other countries, including Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina, and Kenya. GDPR also applies to the UK as it was part of the EU when the law was implemented. As a part of the Brexit process in 2020, all existing laws were adopted (including GDPR). Currently, GDPR in the UK is identical to GDPR in the EU, but this doesn’t stop the UK government altering the law in the future if it chooses to do so. 

The key consideration around General Data Protection Regulation is informed consent, that the individual knows what companies are holding their data, what they are going to use it for, and they can withdraw that consent if they wish to. Many companies have the arrangement that individuals provide their data in exchange for a service, and this is perfectly allowable under GDPR. The key bit is ensuring that the individual is aware of this and has opted in to this.

Series Navigation<< No Barrier Between Land and Water

Leave a Reply

Your email address will not be published. Required fields are marked *