The use of mobile location data interfaces and sometimes collides with data privacy principles, and quite understandably there is an ongoing and evolving debate as to where to draw the line.
So-called "location-based mobile messaging" is currently under investigation of the Norwegian Data Protection Authority (Datatilsynet). Location-based mobile messaging can be used as a tool for communicating with the population during major incidents, such as the COVID-19 outbreak. In Norway, the Directorate of Health (Helsedirektoratet) is using such messaging in efforts to provide travel guidance during the pandemic and to inform citizens about increase of infections in certain regions. The delivery of the messaging services involves several players including the customer, the supplier, as well as electronic communication service providers.
In September, Datatilsynet issued letters to several companies utilizing location-based mobile messaging services. In the letters, Datatilsynet requests further information in order to investigate closer how the services work, the allocation of the responsibilities under the GDPR and how the rights of data subjects are protected.
The use of mobile messaging by public authorities would normally require procurement of services from ecom and content suppliers, as well as compliance with rules on provision of electronic communication services. However, in the event of location-based collection of personal data, the public authority and its suppliers may also have obligations under GDPR. Thus, the use and setup of the service should be verified to avoid any compliance gaps, which in turn could lead to sanctions or claims for damages.