There is a responsibility, usually legally and always ethically, to protect any personal data about individuals that is collected, stored, or otherwise processed.
The definition of personal data and the regulations that govern the use and protection of personal and sensitive data vary globally and, in some places, there may not be any specific legislation concerning personal data. Furthermore, data protection regulations may apply on the basis of where an individual resides, not where the organisation processing their data is. On an international level, Convention 108 (1981), which has 54 parties and was later modernised as Convention 108+ in 2018, stands as the only legally binding commitment on a global level regarding the protection of personal data and serves as the starting point for different pieces of well-known data protection legislation worldwide, including the European Union’s General Data Protection Regulation, known as ‘GDPR’.
First and foremost, therefore, we want to highlight that the content in this section is not a substitute for legal advice on the processing, analysis and use of mobile network operator data. Each party processing mobile operator data has different interests and requirements depending on the role they play, and the scope of this content is to provide an overview of some general considerations only.
What are personal data?
There is no single, worldwide definition of personal data as this can vary by region. Furthermore, the definition is not static and can change over time.
In general, personal data can be understood to be information that relates to an identified or identifiable individual. This may be limited to just information that could be used to identify an individual either directly or indirectly, which may include name, date or place of birth or biometric data. This information does not need to uniquely identify an individual by itself if it contributes to their identification; just a few pieces of such information may be sufficient. For example, as much as 87% of the US population can be identified by the combination of their gender, date of birth and ZIP code alone.
However, personal data may also include any information that is related to an identifiable individual but does not directly identify them. This may include data on individuals’ activities, such as purchase histories, bank statements or phone logs. Whether data are considered to be related to an individual may also be affected by considerations such as the purpose of processing the data and the potential impact the process may have on an individual.
The specifics of what is and is not considered personal data can depend on the definition(s) in the applicable pieces of legislation and on regulatory authority and court decisions interpreting that legislation. These may vary in their expansiveness, and the scope of the definition of personal data applied in the organisation’s privacy programme must account for all of these differences. However, the definitions given in the legislation should be considered a minimum and a broader interpretation of personal data may be best practice.
Principles of data protection
A range of principles may underpin the regulations for the protection of personal data and may be framed differently in different pieces of legislation across the world.
However, there are some common themes, the adherence to which is good practice regardless of regulatory requirements, including those in Convention 108+.
- Fairness: Personal data should only be processed in ways that an individual could reasonably expect, or any unexpected processing should be explained and justified, and individuals should not be misled or deceived about the purposes for which their personal data are processed. Furthermore, the possible impacts of the processing on individuals should be considered and any potential adverse impacts justified.
- Lawfulness: Any processing of personal data must always be for lawful purposes. Furthermore, some regulations may require the processing of personal data to satisfy a defined lawful basis, such as protecting a person’s life or public interest.
- Transparency: The purposes and ways in which the personal data will be processed should be clear to individuals and communicated in an open and honest manner. This also includes how long the data will be retained for and who else the data may be shared with.
- Purpose limitation: There is a clearly defined and documented purpose for the processing of the personal data which is clearly communicated to individuals from the start. Any new processing must be consistent with the stated purpose or new permissions must be granted.
- Data minimisation: The personal data must be sufficient to fulfil the stated purpose of the processing and be relevant to that purpose, and no more personal data should be processed than is required for the stated purpose.
- Accuracy: The personal data must be accurate and not misleading, which may require the data to be updated. Any inaccurate or misleading data may need to be corrected.
- Storage limitation: Personal data should not be stored indefinitely. This can include being able to justify how long the data needs to be retained and the erasure or anonymisation of personal data after a defined period of time. Individuals may also have a right to request that their data be removed if they are no longer necessary.
- Security: All personal data must have suitable security measures. This includes conducting risk assessments, organisation policy and physical and technical security measures. Personal data must be kept confidential (private and secret, with only authorised access), have integrity (not tampered with to ensure the data can be trusted) and be available (timely, reliable access to the data when needed). The security measures must also be resilient, such that they can continue to operate during an incident and may be recovered after it.
Individual mobility data is personal data
While many types of personal data can be anonymised by removing identifying or identifiable information, individual mobility data, meaning individuals’ locations in time at an individual granularity, are themselves personal data. Human movement patterns are highly unique and regular, like a fingerprint, meaning that there is a risk that an individual could be identified from their mobility data.
Individual-level mobility data can be anonymised by grouping, or aggregating, the data of many individuals spatially and temporally. This is described further in the section on Data Security.
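The following added example (not part of the original page) illustrates the two points above: it measures how many subscribers have a trace nobody else shares, then aggregates the same records into distinct-subscriber counts per region and hour. The record layout, the region codes and the `min_count` small-count suppression threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (subscriber_id, ISO timestamp, region code).
# Region codes stand in for areas that cell locations have been mapped to.
RECORDS = [
    ("sub-a", "2022-04-01T08:05:00", "R1"),
    ("sub-a", "2022-04-01T08:40:00", "R1"),
    ("sub-a", "2022-04-01T18:10:00", "R2"),
    ("sub-b", "2022-04-01T08:15:00", "R1"),
    ("sub-b", "2022-04-01T18:30:00", "R3"),
    ("sub-c", "2022-04-01T08:50:00", "R1"),
    ("sub-c", "2022-04-01T19:20:00", "R2"),
    ("sub-d", "2022-04-01T09:10:00", "R4"),
]

def hour_bucket(ts):
    """Temporal aggregation unit: truncate a timestamp to its hour."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:00")

def unique_traces(records):
    """Count subscribers whose set of (region, hour) points nobody else shares."""
    traces = defaultdict(set)
    for sub, ts, region in records:
        traces[sub].add((region, hour_bucket(ts)))
    seen = defaultdict(int)
    for trace in traces.values():
        seen[frozenset(trace)] += 1
    return sum(1 for trace in traces.values() if seen[frozenset(trace)] == 1)

def aggregate(records, min_count=2):
    """Distinct subscribers per (region, hour); the output carries no identifiers.

    min_count is an assumed suppression threshold: cells with fewer
    subscribers are dropped so that a count cannot describe one person.
    """
    cells = defaultdict(set)
    for sub, ts, region in records:
        cells[(region, hour_bucket(ts))].add(sub)
    return {cell: len(subs) for cell, subs in cells.items() if len(subs) >= min_count}

if __name__ == "__main__":
    print("subscribers with a unique trace:", unique_traces(RECORDS))
    print("aggregated counts:", aggregate(RECORDS))
```

Even with pseudonymous identifiers, every subscriber in the sample has a distinct trace, while the aggregated output keeps only the one cell shared by several people.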
Legislation relating to mobile operator data
At the national level, 71% of countries currently have data protection and privacy legislation and a further 7% have draft legislation, as of April 2022. Some countries have multiple pieces of legislation regarding data protection and privacy, including supranational regulations such as GDPR in the EU. While the specifics detailed in each piece of legislation may vary, each will dictate the use of personal data. Beyond the laws specifically relating to personal data, there may also be those which relate to mobile network operators generally, without specifically mentioning personal data at all.
However, even in countries with no specific data protection and privacy legislation, there may be sector-specific legislation which impacts the use of mobile network operator data. This is also the case in countries or jurisdictions which do have data protection and privacy laws, in which case both types of regulation must be adhered to. Common types of legislation regulating the use of mobile network operator data include:
- Communications or telecommunications regulations
- Information or cyber security regulations
- National security legislation
Furthermore, it is important to be aware of the broader legal landscape which might impact the processing of mobile network operator data. Misuse or abuse of personal data may have penalties under criminal law which must be understood. Furthermore, constitutional rights or international conventions may be important to the interpretation of the relevant legislation or, in the absence of legislation, form the grounds for legal challenges to the processing of personal data such as mobile operator data.
Regulatory authorities with authority over mobile operator data
As with legislation, depending on location and the type of data, there may be different types of regulators with a mandate regarding mobile network operators and the data they hold. Additionally, there may be regulators operating at the national or sub-national level or, in the case of EU GDPR, a supranational regulator.
For jurisdictions with specific data protection and privacy legislation, there will often be a data protection regulator with a mandate to enforce regulations on the processing of personal data such as mobile network operator data. However, there may be other regulatory agencies which have a mandate which includes mobile network operator data; these could include a telecommunications regulator, an information regulator or a security agency, in particular one concerned with domestic communications or signals intelligence.