The limits of access to personal data in the digital age

• The US Supreme Court will review a case involving police access to mobile phone records obtained through requests to mobile operators.
• The discussion arises after authorities used information from mobile phones located near a bank during a robbery, identifying devices present in the area and then linking them to possible suspects.
• The case opens a relevant discussion: How far can access to our data go without affecting the right to privacy?

What are "geofence warrants" and why do they matter? 

The case before the Supreme Court goes beyond mobile operator records. At the centre of the debate are so-called "geofence warrants": law enforcement requests directly targeted at technology companies like Google, requiring them to analyse location data of millions of people to identify devices present in a specific geographic area at a specific time.

In the specific case before the Supreme Court, the police asked Google to identify which phones were within 300 metres of a bank at the time of a robbery. The level of accuracy of this data is significant: it can locate a person to within three metres, updated every two minutes. It is not simply a matter of knowing whether someone has been in a neighbourhood, but of reconstructing their exact movements in detail.

 Who is not a suspect can be affected?

This is the critical point from a data protection point of view: geofence orders do not target an identified suspect, but a wide universe of people who simply happened to be in a certain place at a certain time. Anyone passing near the bank, whether as a passer-by, customer, employee or neighbour, could have their location data exposed to the authorities without being suspected of anything.

This connects directly to the principle of proportionality in data processing: access cannot be unrestricted just because there is an ongoing investigation. The question that the Court will have to resolve is basically the same as the one posed by any data protection impact assessment: was it necessary to affect the rights of so many people in order to achieve the objective pursued?

Considering the recent regulatory changes in Chile, why is this case relevant from a data protection perspective?

Because a mobile phone does not only contain messages or calls.

It can also be used to access information such as:

• Geographic location
• Movement history
• Call logs

This data can be used to reconstruct people's behaviour, routines and links.

How does Chile specifically address geolocation data? 

Law No. 19.628 as amended by Law No. 21.719 incorporates a specific regulation for geolocation data in its article 16 sexies. In Chile, the law already explicitly recognises geolocation data as a special category of personal data.

"The data owner must be informed in a clear, sufficient and timely manner of the type of geolocation data that will be processed, the purpose and duration of the processing and whether the data will be communicated or transferred to a third party for the provision of a value-added service". 

The rule sets out two central elements that connect directly to the debate in the case before the US Supreme Court:

• Sources of lawfulness: the processing of geolocation data requires an enabling basis as set out in Articles 12 and 13 of the law. It is not enough that the data is available or that the individual uses a service that generates it: there must be a specific legal justification for processing it. This is precisely what is at issue in the US case: is the use of the GPS-enabled phone a sufficient basis for third parties to access such data?
• Clear and timely information: the data subject must be informed of the type of data that will be processed, the purpose, the duration of the processing and whether the data will be disclosed to third parties. In the case of the "geofence warrants", none of these elements is fulfilled with respect to the persons whose data are handed over to the police: they do not know that their data were requested, nor for what purpose, nor for how long they will be kept.

This case provides us with important lessons on how to deal with this type of processing in our country.