Many apps collect location data from our mobile phones.  Some companies specialise in selling the data on to interested third parties.  Normally this data is anonymised but is a useful indicator of footfall in shopping areas for example.

Even though this data is anonymised it is identifiable with an individual mobile phone when collected and the subject of the data should be given a privacy notice.  Investigations have revealed that individuals are not always told how their data will be used  and that some sales involve the data being used for an entirely new purpose. A UK company, Huq, is under investigation by Danish data protection authorities for collecting location data and then repurposing it without consent.

Repurposing without consent means that the privacy notice provided at the time did not cover Huq’s subsequent sale of the data to third parties for other purposes.  In such a situation consent of the individual to the repurposing is required.  The Danish data protection authorities are also considering whether Huq can establish a legal basis for the processing of the data.  The most obvious legal basis would be that the processing is in the legitimate interests of Huq and its clients but that ground is subject to a balancing test against the rights of individuals whose data is processed.  Failing to observe the limitation of use principle (repurposing without consent) denies Huq and its clients the legitimate interests grounds as it is clear that the rights of individuals were not considered at all.

Another recent case involves UK company, Tamoco, another reseller of location data collected from phone apps.  It has been established that raw location data purchased from Tamoco allowed the movements of individuals to be tracked including movements of personnel on army bases in the UK.  There was sufficient detail to allow individuals to be identified from their movements.

Even where consent is obtained to use of data collected via a phone app, it is likely that the user simply accepts the terms provided to gain access to the app without reading the privacy notice and considering the implications of its content.  Maybe it is time that individuals were paid for use of the data they create.  If the technology allows streaming services to collect payments and remit portions to artists, surely there is a way to record data use and remit payments to data subjects.  The traditional barrier has been the cost of banking transactions but blockchain applications in financial transactions is opening up the way to manage small payments cost effectively.  Regulators should stop putting the responsibility on individuals to read and agree to privacy terms instead requiring businesses that harvest data to pay for the data they harvest.

Mandy P Webster, Data Protection Consultant