The Open Rights Group (ORG) called for new EU data protection laws, currently being worked on by EU lawmakers, to require consent to anonymised data sharing. The ORG made the recommendation after it raised concerns about the practice of anonymisation.
"Anonymising datasets rarely prevents re-identification," Jim Killock, executive director of the ORG, said in a blog. To resolve the "problem", organisations should be "legally required" under data protection laws to "ask for users' permission before offering their anonymised data", he said.
The ORG made the suggestion following reports in the media that consumer personal data collected by telecoms firm Everything Everywhere (EE) was being offered for sale to the Metropolitan Police by research firm Ipsos Mori. The Sunday Times reported that information about EE customers' gender, age and postcode, as well as what websites they had visited, the time of day text messages had been sent and the location of customers when making calls had been offered for sale by Ipsos Mori.
However, both EE and Ipsos Mori have insisted that their activities are in line with the UK's Data Protection Act (DPA). EE said that Ipsos Mori only has access to "anonymised and aggregated" data which had been grouped into dataset samples of at least 50 people. The company said the information "cannot be used to identify the personal information of individual customers", according to a report by the BBC.
In a statement, Ipsos Mori said it "absolutely refutes the suggestion that it is offering access to individual personal data for sale".
"In the cutting edge research that Ipsos MORI is doing with EE, the UK’s largest mobile operator, our mobile analytics explore user volume, demographics and mobile web use from anonymised and aggregated groups of people," the research company said in a statement. "In conducting this research we only receive anonymised data without any personally identifiable information. We have taken every care to ensure it is being carried out in compliance with all relevant legal and regulatory requirements."
"In particular, we can make the following assurances: Ipsos Mori only receives anonymised data without any personally identifiable information on an individual customer. We do not have access to any names, personal address information, nor postcodes or phone numbers. We can see the volume of people who have visited a website domain, but we cannot see the detail of individual visits, nor what information is entered on that domain. We only ever report on aggregated groups of 50 or more customers. We will never release any data that in any way allows an individual to be identified," it added.
Under the DPA organisations must ensure that personal data is processed fairly and lawfully. They are obliged to ensure that personal data is only collected for "one or more specified and lawful purposes" and that it is not "further processed in any manner incompatible with that purpose or those purposes".
One legal basis that firms can rely on in order to process personal data for a set purpose is where they have received individuals' consent to do so. However, data protection law is said not to apply to personal data that has been anonymised.
In a code of practice on anonymisation issued last year, the UK's data protection watchdog – the Information Commissioner's Office (ICO) – said that data anonymisation techniques do not have to provide a 100% guarantee of individuals' privacy in order for it to be lawful for organisations to disclose the information. Organisations that anonymise personal data can disclose that information even if there is a "remote" chance that the data can be matched with other information and lead to individuals being identified, it said. The watchdog said that the DPA "does not require anonymisation to be completely risk free".
Killock said that the EE and Ipsos Mori example "reveals a massive loophole in UK data protection law".
EE is not the only telecoms firm to make anonymised data available to others.
Vodafone offers mobile data analytics services, whilst Telefónica last year confirmed to Out-Law.com that its 'Smart Steps' scheme involved selling "analytical insights" about individuals' behaviour in shopping centres and other areas on the basis of location data it gleans from its mobile network customers. The information can help retailers decide on the "best locations and most appropriate formats" for new stores and also enable council bodies to "measure how many more people visit their high street after the introduction of free car parking, farmers markets, or late night shopping", the company said.
"For businesses thinking about how they can leverage mobile data going forward, the key is to take a fresh look at their data protection policies and procedures and assess are they sufficient to cover any changes in how data is going to be used, particularly if that change is novel, or significant in scale," technology law expert Sean McAninly of Pinsent Masons, the law firm behind Out-Law.com, said.
Under potential reforms to the EU's data protection framework, consumer groups could be given the right to bring a complaint about a personal data breach to regulators or to court on behalf of affected consumers.
McAninly said that, from a consumer's perspective, group litigation could be viewed as "an extra layer of protection". He warned companies that the provisions would allow "motivated groups of claimants who want to change business behaviour with regard to data protection and ensure their rights are adhered to". He said it could be more difficult for groups of consumers to win financial compensation because they would need "to show a clear financial loss" had occurred as a result of a personal data breach.