This seems a bit exaggerated. I work for one of these ISPs, but I'm not involved in this project.
GDPR explicitly states that no permission is required if the data is anonymised. The data shared with the INE will be movement of batches of at least 5000 people. The movements will be between 3500 zones. There are more than 60.000 cell phone towers in Spain, so they could have made the movements much more precise if they wanted (at the cost of anonymity of course). If less than 5000 people cross from a zone to another it will not be shared. No IMEI/IMSI/MSISDN will be shared.
I understand that there might be concerns of de-anonymisation, but it makes no sense. If the Spanish government wanted to track someone they already can, with a court order. Spanish phone providers are required by law to store this data for 6 months minimum up to 2 years maximum. (https://www.boe.es/buscar/doc.php?id=BOE-A-2007-18243). The government is going to receive data from 4 working days, 1 weekend day, a holiday and two days in Summer. Tying this with Tsunami Democratic is a bit strange. There is an ongoing investigation, so they can already track people tied with the movement as long as they have some form of personal information (IMEI, IMSI, MSISDN). Honestly, a massive protest one of those days might throw off the statistics in Catalunya.
And by the way, this data is already being sold to third parties for profit:
> I understand that there might be concerns of de-anonymisation, but it makes no sense. If the Spanish government wanted to track someone they already can, with a court order.
GDPR explicitly states that no permission is required if the data is anonymised. The data shared with the INE will be movement of batches of at least 5000 people. The movements will be between 3500 zones. There are more than 60.000 cell phone towers in Spain, so they could have made the movements much more precise if they wanted (at the cost of anonymity of course). If less than 5000 people cross from a zone to another it will not be shared. No IMEI/IMSI/MSISDN will be shared.
I understand that there might be concerns of de-anonymisation, but it makes no sense. If the Spanish government wanted to track someone they already can, with a court order. Spanish phone providers are required by law to store this data for 6 months minimum up to 2 years maximum. (https://www.boe.es/buscar/doc.php?id=BOE-A-2007-18243). The government is going to receive data from 4 working days, 1 weekend day, a holiday and two days in Summer. Tying this with Tsunami Democratic is a bit strange. There is an ongoing investigation, so they can already track people tied with the movement as long as they have some form of personal information (IMEI, IMSI, MSISDN). Honestly, a massive protest one of those days might throw off the statistics in Catalunya.
And by the way, this data is already being sold to third parties for profit:
https://www.orange.es/empresas/grandes-empresas/internet-of-...
https://www.vodafone.es/c/empresas/grandes-clientes/es/soluc...
https://www.business-solutions.telefonica.com/en/products/bi...
Sometimes, unfortunately, it's being sold without anonymisation too and leaks have happened. Just one example in the USA:
https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hu...