by Michelle Specktor, Researcher and Prof. Yoram Shiftan, Head director – The Israeli Smart Transportation Research Center
Technion – Israel Institute of Technology
Privacy issues are closely related to our daily activities, such as the use of digital applications for our mobility, health, purchases and so on. With the continuous growth of population and ongoing urbanization, Smart Transportation and Digital Mobility have become pressing issues of modern life.
As Big Data speeds up the mobility transition, privacy risks are inherent in the use of smart transportation services and digital mobility applications in the digital age. With the integration of modern technologies into smart transportation systems, people are under (almost) constant surveillance, whether by mobility and transport applications installed on their cell phones, widely deployed sensor and camera networks, smart and connected infrastructure, or data-driven traffic management systems.
To foster digital mobility in Israel, the Israeli Privacy Protection Authority (the “PPA”) published guidelines on the protection of privacy by transport entities in a digital environment, called the “Handbook”. The role of this guide is to define the risks to privacy in transportation in the digital age and provide accessible methods for dealing with these risks. The purpose of the Handbook is to help define the right balance between the efficiencies achieved by using large volumes of collected data in the age of smart transportation and the right to privacy of individuals. It contains information sheets, best practices and more.
Aiming to balance the advantages of using Big Data with the severe implications for privacy, the Handbook addresses themes that are universal and applicable mutatis mutandis to individuals’ right to privacy globally. The specific provisions of the Israeli privacy regime are reminiscent of the provisions of the European General Data Protection Regulation (GDPR), which is recognized as the gold standard for protection of privacy.
The Handbook is directed to all transport and mobility providers that are active in any of the various aspects of transportation. These entities include public transportation providers, transportation infrastructure providers, various urban mobility and transport service operators (e.g., carpooling, shared micromobility, etc.), providers of digital mobility applications, startups and companies in the field of intelligent transportation, parking, fleet management, Mobility as a Service (MaaS) and more.
These providers collect large volumes of data such as departure point, destination, and mode choice, to optimize and enhance their services. In addition, this data can be used for secondary purposes, such as profiling and statistical learning of travel habits and users’ behavior.
Under the Israeli Privacy Regime, notice is required prior to the collection of personal data, and the notice must disclose the purpose for which this information is being provided and to whom this information will be passed, or let the user know that providing his information depends on his will and agreement. Information collected must only be used for the purposes for which it was collected. Databases need to be registered with the “Israeli Registrar of Databases” and secured in accordance with the Protection of Privacy Regulations (Data Security). The more sensitive the data collected into the database, the more stringent the data security requirements. Subject to certain conditions, an individual has the right to access and correct the data collected.
The Handbook’s specific recommendations for dealing with the particular data privacy risks associated with the use of Big Data by transport and mobility providers are as follows:
- “Accountability” – transport and mobility providers must take organizational, technological, and legal steps to improve their level of responsibility and commitment to reducing the consequences of their use of technology on the privacy of users.
- Data Privacy Officer (DPO) – every company should appoint a dedicated DPO, who is different from the Data Security Officer (DSO) or similar officer.
- Privacy Impact Assessments should be undertaken in advance of the use of technology to assess and mitigate any possible data privacy risks.
- Privacy by Design (PBD) and the concept of Privacy by Default should be incorporated. These advocate optimal protection of privacy and the reduction of data collection and processing to the minimum necessary, from the early planning stage and throughout the life cycle of data collection and use.
- Transparency – the Handbook proposes that transport and mobility providers be transparent and provide information regarding the data being collected, how it is secured, what use will be made of the data, to whom it might be transferred, etc.
- Captive users – because public transport commuters do not have the ability to avoid using the service or infrastructure involved in collecting personal information, the transport provider must be extra circumspect with regard to data handling and sharing.
In the case of INDIMO P3, the Galilee Ride-Sharing pilot, the Handbook indicates that it involves high risk to users’ privacy, given that it involves a direct connection to the users’ mobile devices, route information, payment details, and other personal information. Accordingly, both users and non-users of the proposed ride-sharing service indicated their concerns about data privacy, and their unwillingness to provide their name, address, and credit card information. Given a “privacy-preserving” alternative, they are willing to use the service only with minimal data collection, limited to the ride schedule and based on a points-of-interest origin-to-destination route plan.