A project by the Central Statistics Office proposing to track tourists and Irish residents travelling abroad using mobile phone roaming data has been described as “surveillance at its worst” by a world-renowned privacy expert.

The statistics office wants to compel mobile operators to transfer to it monthly the details of phones or users roaming on the networks, as well as the dates and times of their calls.

It has been in a stand-off with the Data Protection Commissioner for almost nine years on the legality of the proposal, but said last week it had found an “innovative technical solution” to anonymise the phone records.

The commissioner’s office has described the project as “disproportionate” and “extraordinary”.

Dr Ann Cavoukian, executive director of the Privacy and Big Data Institute at Ryerson University in Toronto, and former information and privacy commissioner for Ontario, said she was “appalled” by the proposal, particularly given the “negative messaging” from the commissioner.

“They don’t seem to realise that both direct and indirect identifiers may be used to track the activities of individuals, in this case via their cell phones, which can then be linked to personal identifiers, creating a detailed picture of one’s activities and whereabouts,” Dr Cavoukian told The Irish Times by email.

She described the project as “surveillance at its worst, especially for tourists”.

Dr Cavoukian is the originator of the “privacy by design” concept, which is considered the gold standard for privacy protection and is central to the new EU General Data Protection Regulation.

“If they think they have an ‘innovative technical solution’ to anonymise the phone information, they should lead with it and have it tested by experts working in the field,” she said.

“Privacy is all about control: personal control over the uses of one’s data, and I certainly wouldn’t want my cell phone accessed in this manner if I was visiting Ireland. ”

Open and transparent

A privacy impact assessment prepared by the CSO in 2014 said the exercise will be undertaken in “an open and transparent manner proportionate to the individual’s fundamental right to data protection and cognisant of relative needs and costs”.

Daragh O’Brien, managing director of data protection consultancy Castlebridge Associates, who has worked in and who advises the telecoms sector, said that if the project was implemented as proposed, “it is inevitable that the State and a telco will be sued”. This will be a particular risk after May 2018, when the EU regulation comes into force.

Mr O’Brien said any anonymisation of the phone data would have to be done on the telco side. To process the data for this purpose, they would have to have a specific basis, which would have to be disclosed to their customers.

“None of this is free for the telcos, who are all operating in financially constrained markets. So either the State pays for it and indemnifies the telco or the customer pays for it,” Mr O’Brien said.

Confidentiality of communications was a fundamental element of EU law, he added.

“There’s nothing inherently wrong with doing any of this stuff if it’s done the right way, but this is not the right way. The single-minded data-centric zeal that often affects organisations is the reason we have data-protection law,” he said.