A story was published in the Irish Times yesterday about a long running debate between the Central Statistics Office (CSO) of Ireland (the state agency for government statistics) and the Data Protection Commissioner (the state agency for the protection of personal data) in regards to a request that the CSO had submitted to get Irish mobile telephone operators to hand over roaming data on tourists visiting the country, including such information as the dates and times of calls made by the visitors.
This has actually been going on, quietly in the background, for some 9 years at this stage and is certainly the first I have heard about it … and it concerns me greatly.
The CSO state that the reason for gathering the data is such that it “may significantly enhance our statistics on tourism and international travel”. How does knowing when a visitor to our country makes a phone call enhance tourism statistics? I don’t know.
Gathering such call details would require them to also capture some unique identifier for that handset, as otherwise they would have no way of identifying whether a call was a single call made by one tourist or whether it was one of twenty calls made by that same tourist. Guess what? Every mobile phone has a unique identifier. The International Mobile Equipment Identity (IMEI) and this ties back to a person, and so is personal data.
Also noted in the article was
… the Court of Justice of the European Union held that traffic and location data was liable to allow ‘very precise conclusions’ to be drawn about the private lives of individuals.
in other words knowing where somebody is at all times is effectively spying on somebody … state sponsored surveillance even.
The CSO had even gone as far as having a Statutory Instrument drafted by the Attorney General’s office (another state agency), which would have enabled the government to sign off on it, thereby compelling the mobile operators to hand over the personal data on visiting tourists, without their knowledge or permission. Fortunately the DPC raised concerns
The “extraordinary” project would, in effect, “track the movements of visitors to this country and will in turn, affect tourists’ privacy rights, in that their entire holiday will have been recorded and analysed, albeit anonymously”.
The CSO still appear to be continuing with this “project” as stated at the end of the article, but Helen Dixon, the current Commissioner with the DPC, has stated her office would expect to be consulted before any Statutory Instrument is signed off.
In this, the era of the General Data Protection Regulation (GDPR), I would expect that state agencies have to follow the same rules that apply to all other businesses in the EU. I cannot for the life of me think of a single legal justification for the CSO to gather such granular data on private citizens (no matter what country the come from).
This could be the thin end of the wedge … what’s next … if they can do it to tourists, will Irish residents be next?
<googles “tinfoil hat creation”>