INE, telecom operators and personal data protection
We were surprised today by the announcement made in certain leading newspapers that between 18th and 21st November and on 24th November, 20th July, and 15th August 2020 the National Institute of Statistics (INE) is to analyse the movement of mobile phones in Spain. This initiative, in which Movistar, Vodafone and Orange is to take part (and get paid), has been called an innovative and ground-breaking initiative in Europe, given that no other Member State has conducted a similar study to date.
Over these days, the telephone companies will obtain the positions of mobile phones in areas of around 15,000 inhabitants and, according to the INE, under no circumstances will it receive personal data associated to line owners. The importance of this study lies in the fact that information will be provided on the population of a certain town, and the population known as the “floating” population (living in one place and working in another). Some of the so-called benefits include the possibility of improving certain infrastructures or transport networks.
In the eyes of the INE, this initiative has no legal obstacles, as the data it receives will be completely anonymous and under no circumstances will the personal data of the mobile phone line owners be given. The debate is open.
Anonymisation of personal data
It is well known that anonymising personal data is almost impossible in most cases. There are now many different studies to confirm this. The Spanish Data Protection Agency (AEPD) published an extensive, complex report to define the manner in which personal data must be anonymised, and in most cases it is as easy as cross-checking a couple of items of data to be able to specifically determine their owner.
The AEPD indicates that the anonymisation process “(…) must lead to a break in the personal identification chain” Although it is true that the circumstances in which this access to the movements of mobile phones in Spain will be conducted, it is very likely that we will be unable to categorically confirm that personal data will neither be provided nor accessed. Furthermore, access to this data seems like a completely intrusive initiative in terms of the inspiring principles of the General Data Protection Regulation (GDPR), which is totally applicable to this case.
What sector-based regulations say
Article 64 of the Spanish Royal Decree on the conditions for the provision of electronic communications services, universal service and user protection defines the concept of added value as “any service requiring the processing of movement data or location data different to movement that goes beyond that necessary to send a notification or bill”. Article 65 states that “operators may process movement data (…) to provide value-added services to the extent and during the time required to provide such services or their commercial promotion, provided the subscriber has given his or her informed consent”.
Article 65 states that “operators may process movement data (…) to provide value-added services to the extent and during the time required to provide such services or their commercial promotion, provided the subscriber has given his or her informed consent”.
On analysing the sector-based regulations and the GDPR, it can be concluded that the informed, express consent of mobile phone users (remember that tacit consent is not accepted following the new personal data protection directives) is an essential requirement for the processing described to be valid. This would, in practice, involve an exercise of transparency by the INE when explaining to citizens why, for whom, and how their data is to be processed.
In all cases, citizens would be able to object to this processing (simply look for this right in the long Privacy Policies of mobile phone providers). Hiding behind so-called anonymisation without giving any more details is questionable to say the least, in a world in which we are generating endless “anonymous” data every day that businesses use to their benefit.
Or perhaps one of the purposes of the GDPR was not to increase the levels of knowledge of citizens regarding their rights in the digital era and for them to have actual and effective control over their personal information?
Erika Henao Hoyos (Lawyer) and Victor Roselló Mallol (Lawyer)