EDPS: New privacy issues in relation to intelligent transport systems

By EDRi · July 29, 2009

This article is also available in:
Deutsch: [EDPS: neue Datenschutzthemen im Zusammenhang mit intelligenten Transportsystemen | http://www.unwatched.org/node/1484]

Peter Hustinx, the European Data Protection Supervisor (EDPS),
issued on 22 July his opinion on the European Commission’s proposed plan,
adopted in December 2008, to accelerate and coordinate the deployment of
intelligent transport systems (ITS) in road transportation in Europe, and
their connection with other modes of transport . The deployment includes an
Action Plan establishing priority areas for action and a Directive proposal
laying down the framework for their implementation.

Intelligent Transport Systems (ITS) are applications using Information and
Communication Technologies embedded in different modes of transport that
interact between them (such as GPS systems), meant to make transport safer
and cleaner and to reduce traffic congestion. ITS applications and services
are based on the collection, processing and exchange of a large range of
data and allow for the tracking of a vehicle and the collection of personal
data such as driving habits. As such, they raise several privacy and data
protection issues.

“The problem is not what the data tells the state, but what happens with
interlocking information it already has. If you correlate car tracking data
with mobile phone data, which can also track people, there is the potential
for an almost infallible surveillance system,” said Simon Davies, director
of the watchdog Privacy International.

While welcoming the fact that the proposed ITS deployment plan aims at
harmonising the data processes throughout Europe, the EDPS however warned
that the proposed plan raised a series of issued related to privacy and data
protection.

Hustinx believes there is a lack of clarity of the proposed legal framework
that might create diversity in the implementation of ITS in Europe thus
leading to different levels of data protection in Europe. “The EDPS
emphasizes the need for further harmonisation on these issues at EU level to
clarify outstanding issues (such as definition of the roles and
responsibilities of ITS actors, which specific ITS applications and systems
must be embedded in vehicles, the development of harmonised contracts for
the provision of ITS services, the specific purposes and modalities of use
of ITS etc).”

One important aspect in his opinion is that data controllers must be clearly
identified “as they will bear the responsibility to ensure that privacy and
data protection considerations are implemented at all levels of the chain of
processing.”

Also, the data controllers providing ITS services should implement
appropriate safeguards “so that the use of location technologies is not
intrusive from a privacy viewpoint. This should notably require further
clarification as to the specific circumstances in which a vehicle will be
tracked, strictly limiting the use of location devices to what is necessary
for that purpose and ensuring that location data are not disclosed to
unauthorized recipients”.

The interconnection of the systems and applications must also be done “with
due respect for data protection principles and practical safeguards on
security,” and personal data must be processed only if necessary “for the
specific purpose for which ITS is used and pursuant to an appropriate legal
basis”.

The EDPS emphasizes the importance of not using the processed personal data
“for further purposes that are incompatible with those for which they were
collected” and he recommends the introduction of an explicit reference to
the notion of ”privacy by design” for ITS applications and systems saying
that data “may not be used for purposes other than the ones for which they
were collected in a way incompatible with those purposes.”

The EDPS recommends that privacy and data protection should be considered
during the early design stages of any ITS. “Privacy and security
requirements should be incorporated within standards, best practices,
technical specifications and systems.”

His final recommendation is that data protection authorities, such as
Article 29 Working Party and the EDPS should be closely involved in all the
initiatives related to the deployment of ITS “through consultation at a
sufficiently early stage before the development of relevant measures.”

European Data Protection Supervisor Opinion on the Communication from the
Commission on an Action Plan for the Deployment of Intelligent Transport
Systems in Europe and the accompanying Proposal for a Directive of the
European Parliament and of the Council laying down the framework for the
deployment of Intelligent Transport Systems in the field of road transport
and for interfaces with other transport modes (22.07.2009)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2009/09-07-22_Intelligent_Transport_Systems_EN.pdf

Big Brother is watching: surveillance box to track drivers is backed
(31.03.2009)
http://www.guardian.co.uk/uk/2009/mar/31/surveillance-transport-communication-box

Intelligent transport raises privacy concerns (23.07.2009)
http://www.euractiv.com/en/infosociety/intelligent-transport-raises-privacy-concerns/article-184309