Privacy Protection for Smart Mobility Organizations in the Digital Age

On September 16, 2020 the Israeli Privacy Protection Authority (IPPA) published a new Guide -“Privacy Protection for Smart Mobility Organizations in the Digital Age”

Herein is a summary of the guide’s content.

_____________________________________________________________________

Mobility Organizations are defined as entities that provide mobility infrastructure, public mobility services, additional services to the mobility ecosystem, start-ups in the smart mobility vertical and operators of mobility vehicles in the city space.

Preamble

In 2017, the Israeli government passed the Government Decision 2316, aiming to promote Israel’s global leadership in this sector through 2 vectors: 1/ promoting and developing the Israeli industry and 2/ promoting solutions to mobility challenges. The main entity in the government activity in this space is the Ministry of Transportation (MoT) that is both directly in charge of mobility services and is active in the ecosystem of the private industry.

A visible trend in this regulatory space is that regulators are moving from being operators to being active enablers, promoting development of new solutions by the non-governmental entities. This is exemplified by the fact that Ministries no longer create their own databases of mobility data, but they promote different actors in the market to establish and manage these, while transferring the responsibility for the user’s privacy to them.

MoT is acting for the inclusion of technology and innovation in both infrastructure and vehicles. Collecting and sharing data are crucial to planning, monitoring and market development, for the “Mass Mobility as a service” revolution in Israel. Data is required for policy makers in developing infrastructure, as well as to developers of applications for mobility. 

The IPPA states that this raises significant ethical and legal challenges to people’s privacy. The guide is aimed at clarifying ways of achieving the right balance in this space.

Chapter 1: Smart Mobility Ecosystem

In this chapter the guide lists the variety of participants in the mobility ecosystem: public sector; vehicle services; infrastructure; business-technology including tech giants like Google and Facebook; public and shared mobility.

The guide lists major technologies of importance in this ecosystem: 5G Cellular networks, Big Data analytics and Internet of Things.

The guide also lists major developments in the ecosystem: Mobility as a Service which includes Car Sharing, Ride Sharing, Carpooling, Ride Hailing; P2P decentralized on demand services; Last Mile solutions including Micro Mobility; ACES (Autonomous, Connected, Electric, Shared); Shared Data Hubs; Traffic Management and Control Optimization Systems.

Chapter 2: Includes general information about the IPPA

Chapter 3: Privacy Challenges in Smart Mobility

The guide describes that a user will be subject to constant surveillance by cameras and sensors connected to control centers. It will be possible to analyze the data, profile, learn preferences and statistics of specific people and the public in general. Though users will be sharing data for better service and personalized service, their privacy will be infringed upon.

Potential privacy challenges include: 

1. Preventing the expansion of the data use purposes

2. Collection of excessive data

3. Data Security

4. Targeted advertising

5. Privacy regulation restricting innovation

6. Privacy by Design Implementation

7. Implementation of privacy requirements in procurement contracts and tenders

8. Abundance of entities involved in data sharing

9. Lack of sufficient knowledge of privacy protection methodologies and implementation in organizations

August 2019 Survey Findings:

1. 62% of surveyed users are very concerned about privacy protection when using mobility applications and sites

2. Over 60% of surveyed users think that privacy is not protected well enough and mobility organizations should seek consent from them for data processing

3. 85% of users are worried and 84% don’t trust mobility organizations

4. 1/3 of users don’t wish to share personal data for targeted services and over 40% partially agree to share

5. Over 50% of smart mobility services believe there is danger of personal data breach. A 1/3 believe there is danger of breach of personal habits and preferences, payment details or location data

6. 17% are worried of harassment, extortion or harm as a result of the improper use of personal data

7. The vast majority are interested in advice on better protecting their data and think the government should provide them with that 

Chapter 4: Privacy Challenges in Smart Mobility

Describes general duties of all controllers and processors according to Israeli Privacy protection law and regulations, specifically describing the Data Security Regulations.

Chapter 5: Principles of implementing new technologies

Accountability – It’s recommended a mobility organization adopts accountability measures that will support its commitment to minimizing the consequences of technology on users’ privacy. The guide mentions this is mandatory in other jurisdictions, for example when subject to the GDPR. 

It’s recommended to appoint a responsible senior manager of a privacy protection program. It can be a Data Protection Officer if the organization has one, but not the Chief Information Security Officer, which has different responsibilities. It is also optional to appoint a Privacy steering committee or senior staff team.

It’s recommended to conduct a Privacy Impact Assessment and adopt Privacy by Design principles when designing and implementing personal data processing activities. 

Ex. Is a toll road fee charging system based on face recognition or body heat to conduct passengers count for statistical purposes. 

It’s required by law to be transparent and give notice to data subjects.

Contracts and tenders for outsourcing partners must include detailed provisions for privacy protection (this is according to IPPA Guidelines on the use of Outsourcing Services for personal Data Processing ). It’s advisable that these decisions receive senior management attention.

Chapter 6: Focal Topics

1. Privacy Impact Assessment General Questionnaire (based on a previously published IPPA template).

2. General description of de-identification tools for Big Data governance.

3. General tools for using CCTV in a privacy considerate manner (based on previous IPPA guidelines).

4. Mobility in the Municipal sphere – general description noting implementing smart mobility projects in municipalities entails privacy risks. Pages 36-37 provide a Table mapping privacy risk levels in smart mobility applications (see below).

5. Privacy in Payment Apps for public transportation – 

The IPPA stresses that when it comes to public transportation, it is a public infrastructure and essential to citizen’s freedom of movement in the public space. It is especially important to populations with limited power such as minors, elderly, low income people or people with disabilities who do not own cars. Therefore, using apps as payment methods in this space is allowed, but should be done in a way that is reasonable, transparent and while balancing the purpose of using the personal data and the protection of privacy. Special emphasis should be given to the issue of consent and to the availability of an anonymous alternative. The chapter offers a detailed analysis of the privacy risks in this context and recommendations on mitigating them. 

6. Description of data points and types in the smart mobility ecosystem.

Mapping of Privacy Risk Levels in Smart Mobility Applications