Tracking Technology, Privacy and Accountability: Regulatory Challenges in the EU Multilevel Framework

In 2017 the European Commission published a draft regulation in order to replace ePrivacy Directive 2002/58/EC. In this draft, the Commission proposes a first attempt to regulate the use of tracking technologies for commercial purposes. Tracking technologies, mostly based on the Global Positioning System (GPS), make the local position of a device visible for the users and others who have access to the data. The widespread use of mobile devices connected to the internet, e.g. smart phones and tablet computers, has massively expanded the number of applications based on GPS. Many applications not only facilitate the users’ orientation, but also track where the device and its user have been in the past. The use of tracking technology therefore produces data that has become interesting for big data analysts, e.g. in order to know how customers move in shops. Secret services and law enforcement agencies are also interested in access to this data, for example, in order to know where a person suspected to be involved in terrorist attacks or to have committed a crime has been during a relevant period of time. Therefore, the use of tracking technology leads to the question of how privacy, data protection and accountability can be adequately taken into account regarding the use of tracking data. The paper asks which national, European supranational and international regulatory approaches can be developed in order to allow security agencies to use the data in order to combat (only) serious security threats, while protecting individuals against the misuse of tracking data for surveillance purposes by private actors and state agencies. It is based on the hypothesis that “classical” regulation (i.e. by law) and technological solutions should be combined in order to protect the individuals’ rights adequately when they use tracking technologies.