The telecoms firm, which owns O2 in the UK, said that its 'Smart Steps' scheme could help retailers decide on the "best locations and most appropriate formats" for new stores and that it could also enable council bodies to "measure how many more people visit their high street after the introduction of free car parking, farmers markets, or late night shopping".
A company spokesperson told Out-Law.com that "mobile network data" it would collect from customers for this purpose relates to the "records of when and where phones communicate with the network".
The spokesperson said that mobile networks regularly communicate with customers' phones "in order to provide a service". Examples of the information they gather include "when and where a call is initiated or a call is terminated". The spokesperson said that the information-gathering is part of the company's "business as usual operations".
"The data used is part of the core process of running a mobile network," the Telefónica spokesperson said. "The phone won’t work without it."
Telefónica will gather the information even if its mobile customers disabled the location settings on their devices, meaning customers will be unable to opt out of being tracked, the spokesperson said. Individual customer's identity is "removed" from the data the company uses in the Smart Steps programme, they added.
"[After the individual customer's identity is removed] the remaining data is then aggregated with the information derived from other anonymised customers," the spokesperson told Out-Law.com. "Trends are then extrapolated from the combined data. It will never be possible to identify individual customers. There is no disclosure of a customers’ personal identity to 'opt out' from."
"Smart Steps is about trends and crowds, not individuals and personal data. It is like the Census, or to use another analogy an election. You can see how many votes candidates or parties receive, and what the ‘swing’ was from the last election, but you never find out who an individual votes for in the privacy of the ballot booth," the spokesperson added.
Users of the tool, such as retailers or town planners will not be able to see a "count" of how many O2 customers are in an area, the Telefónica spokesperson said. Instead, those users would be provided with a "scientifically calculated and reliable estimate of the number of people from the total UK population who are in the area". The spokesperson said that the calculation was "based on a count on the number of O2 customers, but [that] the count itself is not shared with the user."
Telefónica will analyse the mobile network data "using proprietary algorithms and data science extrapolation techniques," the spokesperson added. The company is "selling insights" it derives at from analysing the data but does not provide users of Smart Steps with access to the underlying data from which "the insights have been extracted from".
"O2 only has circa 25% market share in the UK so to ensure we provide the user (a retailer or town council) with a picture that is truly representative of the entire population we extrapolate," the spokesperson said.
In May the Information Commissioner's Office (ICO) published new guidance that stated that organisations that fully anonymise personally identifying information do not have to comply with data protection laws in order to disclose the altered information.
The watchdog said that in order to fall outside of the scope of the Data Protection Act, organisations that anonymise personal data must ensure that it is not "reasonably likely" that the anonymised information will lead to the identification of individuals when matched with data available elsewhere.
However, in its guidance the ICO said that organisations may need to obtain the consent of 'data subjects' in order to conduct anonymisation of their personal data in order to later disclose the anonymised information, because the activity constitutes "processing" of those individuals' information in the first place.
Earlier this year the Government acknowledged that anonymising data does not always ensure individuals' privacy.
Privacy campaigners and academics have previously expressed concern with an approach that relies too heavily on anonymisation of data to protect individuals' privacy.
"So long as individual's personal information cannot be identified from this service, we don't have any problem with it," an ICO spokesperson said of Telefónica's Small Steps scheme, according to a report by the BBC.
Last year an EU privacy watchdog published an opinion on data protection issues around "geolocation services on smart mobile devices". Although the opinion did not touch on the kind of recording of mobile network data that Telefónica and other mobile network providers engage in, the Article 29 Working Party said that so-called 'geolocation' data should be classed as personal data and be protected under data protection laws.
"It is a fact that the location of a particular device can be calculated in a very precise way ... Such a location can point to a house or an employer. Especially with repeated observations, it is possible to identify the owner of the device," the Working Party said in its opinion.
The group said that location services should be turned off on devices as a default and that companies that control the data need to obtain consent from device users before giving the information out.
However, earlier this year the Information Commissioner's Office (ICO) told Out-Law.com that geolocation data can be collected without consent in circumstances where the individual to whom the data relates cannot be identified. This, the ICO said, was in accordance with the terms of the UK's Privacy and Electronic Communications Regulations.