There’s a certain irony to the fact that the National Society of Professional Surveyors’ (NSPS) “Day on the Hill” on April 11 was also the day Facebook founder and CEO Mark Zuckerberg testified before Congress on his firm’s policies and procedures on personal privacy. Once again, privacy concerns raised elsewhere could affect geospatial professionals.
There has long been an intersection between GIS data and privacy, but recent revelations about Facebook, the work the firm Cambridge Analytica did for the 2016 Trump campaign, and other news reports about data disclosures involving large numbers of individuals should cause surveyors and other geospatial professionals to evaluate their data policies.
Brian X. Chen, a consumer technology writer for the New York Times, demonstrated the kind of concern data privacy has created for the general public. He wrote, “When I downloaded a copy of my Facebook data last week, I didn’t expect to see much. My profile is sparse, I rarely post anything on the site, and I seldom click on ads (I’m what some call a Facebook ‘lurker.’)” He continued, “But when I opened my file, it was like opening Pandora’s Box. With a few clicks, I learned that about 500 advertisers ... had my contact information, which could include my email address, phone number and full name.”
This raises a question in both surveying and GIS: What geospatial data is considered personal?
This issue initially arose in 2010 when the first privacy bill in Congress included “precise geolocation information” in provisions on “sensitive information.” It was followed that same year by the draft Federal Trade Commission (FTC) report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, which proposed to limit the “collection, storage or use” of “precise geolocation data.”
As I wrote in POB in 2013, the final FTC report cautioned, “With respect to use of geolocation data for mapping, surveying or similar purposes, if the data cannot reasonably be linked to a specific consumer, computer, or device, a company collecting or using the data would not need to provide a consumer choice mechanism. Similarly, if a company takes reasonable measures to de-identify smart grid data and takes the other steps outlined above, the company would not be obligated to obtain consent before collecting or using the data.”
It would not be unusual for a surveyor to be retained by a highway agency to provide property surveys and topographic mapping for the planning, right-of-way acquisition, and ultimately, the design of a major new highway. All the initial processes require address, parcel and location information. But the highway bureau has not yet decided its final alignment or location, so it is not yet ready for a public announcement or notification of property owners.
Is that address, parcel and survey plat information considered personal? Does the homeowner have a right to know that information about his or her property is being collected? Does the surveyor have to notify the property owner or get his or her permission to collect the data?
To help surveyors comply with the final 2012 FTC report, a guideline on best practices on privacy of geospatial data was approved by several national organizations, including the NSPS.
On May 25, a new European regulation, known as the General Data Protection Regulation, or GDPR, took effect. While it technically impacts only residents and companies in the European Union (EU), U.S. firms operating in the EU must also comply. It may also foretell new regulations coming to the United States.
That will already be the case in California beginning Jan. 1, 2020, when the California Consumer Privacy Act of 2018 takes effect. It was signed into law by Governor Jerry Brown (D) on June 28.
The bill specifically mentions “geolocation data” in its definition of “personal information,” as well as “name … postal address, unique personal identifier … electronic, visual, thermal … or similar information.”