Phone-tracking systems are used in some shopping centres and in other environments such as at stadium concerts and in refugee camps. The system helps to build up a picture about the mass movement of people, the chief executive of a company that operates such technology told Out-Law.com.
Data protection law only applies to information that qualifies as 'personal data'. The information these systems gather is unlikely to qualify as personal data when read on its own but could identify individuals when combined with information from other sources, according to Kathryn Wynn, an expert in data privacy at Pinsent Masons, the law firm behind Out-Law.com.
This means that operators should inform mobile users when the technology is in use, she said, because some of the information gathered could later become personal data, depending on the processing of it.
"If the company is just tracking customers' movements on a single visit to a shopping centre and is not able to collect shopping habit information about individuals on a long term basis it would appear that the information collected is more like geolocation data rather than technology which is akin to a [website] cookie," Wynn said.
“However, if that company is able to combine that information with other information about that individual, via, for example, CCTV, bluetooth locally-targeted advertising systems; wi-fi networks and Facebook location-login systems, this could constitute personal data. The company would then need to notify customers about the way in which and the purposes for which their personal data is being processed," she said.
EU data protection laws are about to change, and Wynn said that if current proposals were adopted then the operators of premises using these systems would need to go further than merely posting notices in order to have lawfully obtained mobile users' consent to use the technology.
"Shopping centres should consider how tracking aligns with the shoppers' expectations," she said. "They should ask whether shoppers would be happy with being tracked or if they would deem it as too intrusive, particularly if the information is combined with other data. Although an opt-in consent may not be currently required it may be required at a later date and shopping centres may have to think how they will obtain that opt-in consent from shoppers."
New EU data protection laws are due to be proposed later this month. Draft proposals thought to be under consideration at the European Commission were leaked last month and, if enacted in their current form, would change the requirements for obtaining consent to the processing of personal data.
Organisations would generally be required to obtain individuals' "freely given specific, informed and explicit" consent in order to process their personal data. Consent could not be inferred through silence or inactivity, the leaked proposals said.
There would also be no legal basis for saying consent had been given "where there is a significant imbalance in the form of dependence between the position of the data subject and the [organisation]," it said. Certain forms of personal data processing may also require prior consent to be obtained.
Under current data protection rules processors of personal data must generally obtain "freely given, specific and informed" consent in order to do so.
Sharron Biggar, chief executive of Path Intelligence, told Out-Law.com that its FootPath system uses signals sent from mobile phones in order to track the movement of those devices in locations such as shopping centres. Biggar said the technology does not invade individuals' privacy.
She said that it was not fair to draw an analogy between the collection of this location information and 'cookies' in web browsing. These are small files stored within users' web browsers that tell websites about a user's internet activity.
FootPath system's collection of data "is in no way analagous to cookies" because the technology neither stores nor accesses information from user devices, Biggar said.
The information collected using FootPath is not personally identifiable and is not stored or accessed from user devices, Biggar said. The EU's Privacy and Electronic Communications Directive requires consent from users in order to place or access files that allow user activity to be tracked. The company consulted with the UK's Information Commissioner's Office (ICO) in order to ensure privacy was protected, Biggar said
"Cookies are downloaded onto your device. We do not interfere with the device in any way at all. We passively detect signals that are being broadcast. It is more like walking past a radio. The radio is broadcasting music/voice over signals and I am picking those up as a human receptor - in picking up the signal I am in no way interfering with the radio," Biggar said.
The information "provides organisations with the ability to optimise the layout of their space and improve their productivity, by understanding how people are moving around within it".
Although signs are displayed within centres to inform consumers that their movements are being tracked, privacy groups have expressed concern that the system does not enable mobile phone users to opt-out unless they switch their phones off. However Biggar said that providing individuals with the option of opting out would involve the company attaching identifying traits to the data it collects; something she said the company currently does not do in a bid to ensure privacy.
"When a mobile phone communicates with a network a number is remotely generated so that they can 'talk' to one another. The number is not encrypted. Our system passively receives these radio signals and collects information a bit like dots. We cannot take out personal information from these dots. If we were to move to an 'opt out' basis we would be required to associate these dots with individuals, which to our mind is more risky," Biggar said.
Biggar said the networks often change the number associated with each device, a process which Path Intelligence "has no control over". This means that whilst the company is generally able to track a device throughout the duration of a user's visit to a shopping centre, it is unable to identify whether that is the same device when it is next brought to the centre or if it is taken to another centre where the system operates in a different location, she said. Biggar said the range that its receivers are able to operate in "depends on the architecture of the area".
A spokesperson for the ICO confirmed to Out-Law.com that the watchdog had given advice to Path Intelligence regarding its FootPath system, but said that it had not approved the system as such.
"We think it is unlikely that the system collects personal data. It is our understanding that the system associates a temporary number to the data which is not linked to a person. There is an argument that the data constitutes geolocation data, but even if it is the e-Privacy regulations allow the collection of geolocation data [without consent] if the user or subscriber cannot be identified."
EU privacy watchdog body the Article 29 Working Party last May called for geolocation data to be classed as personal data in order that the information would be protected under data protection laws.
Path Intelligence altered the way it stores the data it collects after a suggestion by privacy groups, Biggar said.
"Mobile networks must know where each phone is and who that phone belongs to. They can associate the number that they broadcast with an individual. Privacy groups were concerned that the police may request our data and then match it back with the mobile network information. The groups suggested changing the identification of the dots we collect when we store the information on our database. They were concerned that police or other law enforcement bodies would contact us to obtain the raw information and link it to other identifiable data," she said.
"Any signal from the phone or the network will be picked up on multiple receivers of ours and then we triangulate between our own devices. As soon as our system detects the number it changes it. We cannot tell you what the original number is. It is not important to us," Biggar said.
Biggar also said that the data collected is aggregated and that movement of device data is not individually monitored. She said the technology had been used to inform stadium operators about the movement of music fans in entering and exiting concerts and helped quantify the number of refugees in refugee camps in order to deliver adequate provisions of medical supplies.
Biggar rejected claims that the FootPath system breaches the UK's Regulation of Investigatory Powers Act (RIPA). Under RIPA the interception of communications is unlawful other than in select circumstances. Biggar said that the signals the company detect are broadcast 'in the clear' prior to the point they are encrypted and are therefore not intercepted.
"The signal we detect is broadcast by the phones and network as opposed to intercepted. The signal can be picked up on multiple devices. For example, your landline phone detects the signal and makes beeps when a phone is next to it," Biggar said.
RIPA permits law enforcement agencies, such as the police and MI5, to tap into phone, internet or email use to protect the UK's national security interests, prevent and detect terrorism and serious crime or to safeguard the UK's economic well-being, subject to approval by the Home Secretary.
Telecoms firms are also allowed to unintentionally intercept communications in line with RIPA if the interception "takes place for purposes connected with the provision or operation of that service or with the enforcement, in relation to that service, of any enactment relating to the use of postal services or telecommunications services".