As part of its technological monitoring, the CNIL noted that it was easy to obtain people’s geolocation data.
He thus identified a platform that connects sellers and buyers of data and allows you to get free samples from data brokers (data intermediaries). He then asked, under the same conditions as any potential customer, to receive a data sample corresponding to France. Transmitted data is presented as anonymised by the data vendor.
After a quick analysis, the CNIL believes that at least part of this data is authentic. It will check whether, on the basis of this data set, it can re-identify individuals and, if so, inform them individually.
The main objective is therefore to make the public and professionals aware of the issues related to the collection of geolocation data by mobile applications.
The affected dataset is a file containing timestamped geolocation data with location points associated with nearly 5,000,000 smartphone advertising identifiers (Android and iOS) for a period of approximately one week in 2021. The analyzes Preliminary tests performed did not have established the authenticity of the advertising identifiers provided in the dataset.
It is a string of characters associated with a single smartphone and which allows advertisers to recognize it in order to send it advertising. As the name suggests, this data is identifying: it is therefore personal data. An actor with two data sources sharing the same advertising identifier is able to link the information and build a more complete profile of the person with which the identifier is associated. In this way, a data broker will be able to link usage data collected from different applications installed on the same smartphone. The more this identifier is stable over time, the more information it allows to accumulate on the habits of smartphone owners. We therefore recommend that you renew this identifier regularly.
In this study, the advertising identifier will be used only to make the connection between the location points corresponding to the same smartphone. The CNIL will not use the identifier value to associate it with other data (for example data on the use of mobile applications) as an advertiser could do. The re-identification work will be carried out on advertising identifiers for which there are at least ten location points. That’s about 850,000 different advertising IDs.
In addition to the data contained in the file sent by the data provider, publicly accessible data will be treated, such as:
- open diaries of public figures;
- data on attendance at parliamentary sessions;
- density maps of France;
- data from universal directory;
- venues for public sporting events.
How are people’s rights respected?
In case of re-identification of individuals, the processing of their data will be suspended until they are individually informed.
If you would like more information on this treatment or if you wish to exercise your rights, you can contact ip[at]cnil.fr or send a letter to the CNIL for the attention of the LINC department.
How is this project structured?
This project is part of the public interest mission entrusted to the CNIL in application of the general data protection rules and the amended data protection law. It is part of the CNIL’s information mission as defined in article 8.I.1 of the Data Protection Act, but also in the mission of monitoring the evolution of information technologies as defined in article 8.I.4.
Special measures have been taken to ensure the confidentiality of the data, which can only be accessed by the team of the Digital Innovation Laboratory (LINC) of the CNIL in charge of this study.
How long will this study last?
This project will last 15 months after which the data will be deleted. As with the CabAnon study conducted in 2017, this project will also result in several publications on the LINC website.
Will the CNIL be able to take repressive action if the practices are not compliant?
Although this study is not linked to a control or sanctioning procedure, it is nevertheless part of one of the priority control topics since in 2022 the CNIL “will screen industry professionals for GDPR compliance [de la prospection commerciale]especially those who resell data, including the many intermediaries in this ecosystem (also called data brokers) ».
Innovation: one of the main missions of the CNIL
As part of its innovation and forecasting activity, the CNIL is interested in weak signals and emerging subjects. Thus participates in social debates on data ethics issues. It is also a point of contact and dialogue with digital innovation ecosystems (researchers, start-ups, laboratories).
Finally, it contributes to the development of technological solutions to protect privacy by advising companies as far upstream as possible, in a logic of privacy by design.
Find out more about the CNIL’s mission of anticipation and innovation