On September 16, 2020, the Israeli Privacy Protection Authority (the “PPA”) published a handbook on the protection of privacy by transport entities in a digital environment (the “Handbook”). The Handbook is based on the specific provisions of the Israeli privacy regime; however, the themes that it addresses are universal and applicable mutatis mutandis to privacy the world over. In fact, many of the recommendations are reminiscent of the provisions of the European General Data Protection Regulation, commonly known as the GDPR.
The Handbook is directed to parties that are active in any of the various aspects of transportation, from transport infrastructure providers to providers of public transportation, and from providers of services ancillary to transportation to startups in the field of intelligent transportation and more (“Transport Providers”).
The stated purpose of the Handbook is to define the privacy dangers inherent in the use of transportation in the digital age and to help define the right balance between the efficiencies achieved by using large volumes of collected data in the age of smart transportation and the right to privacy of individuals.
The use of large volumes of data (such as departure point, destination, travel habits) (“Big Data”) by Transport Providers enables them to optimize and develop their services. Big Data is collected automatically by sensors and cameras, as well as received from members of the public, including via applications that they download onto their smartphones. There are also sensors built into vehicles themselves, enabling the capture and sharing of many types of data, including geolocation, vehicle performance, driver behavior, and biometric data, with vehicle manufacturers and others.
In addition to the use of this information for its initial purpose, whatever that may be, this information will be used for secondary purposes, such as profiling and statistical learning of the behavior of users and the public in general.
3. The current legal regime
Databases. Under the Israeli privacy regime, databases (in general) still need to be registered with the Israeli Registrar of Databases. Information collected must only be used for the purposes for which it was collected. Notice is required prior to the collection of personal data, and the notice must state whether the provision of information is mandatory or not. In addition, this notice must disclose the purpose for which this information is being provided and to whom this information will be passed. Subject to certain conditions, a person has the right to access and correct the information collected.
Data Security. The owner of a database and/or any of its processors are responsible for keeping a database secure in accordance with the Protection of Privacy Regulations (Data Security), 5777-2017, in effect as of March 2018 (the “Regulations”). The Regulations provide very detailed and specific requirements for the security of databases: among other things, a database specification must be drafted, physical security requirements must be met, a data security officer must be appointed, data security protocols must be designed, and more. The more sensitive the information stored in the database, the more stringent the information security requirements.
Chapter 5 gives specific recommendations for dealing with the particular risks associated with the use of Big Data by Transport Providers. The first recommendation is that of “Accountability”: that Transport Providers take organizational, technological, and legal steps to improve their level of responsibility and commitment to reducing the consequences of their use of technology on the privacy of users. It suggests that a company appoint a DPO (or a similar officer) if it does not have one. It also recommends that Privacy Impact Assessments be undertaken in advance of the use of technology and that the principles of Privacy by Design and the concept of Privacy by Default be incorporated. It further proposes that Transport Providers be transparent and provide information regarding the information being collected, the use to be made of such information, how it is secured, to whom it is transferred, etc. The terminology and the concepts here are very suggestive of the GDPR.
In situations in which users are a captive audience (for example, with regard to public transport), the Transport Provider must be extra circumspect with regard to any cooperation with commercial organizations. As an illustration, the Handbook refers to an application for payment and tracking of public transport that would inherently involve the collection of significant amounts of personal and sensitive information. It indicates that if the Transport Ministry or any other government body should employ such applications in the provision of vital services, then it is responsible for making sure that the use of such applications complies in full with the provisions of the Israeli privacy regime, and that privacy is taken into account at every stage of the collection and processing of personal data. In addition, it provides that a “privacy-preserving” alternative should be provided; in this case, it offered payment in cash or the purchase of an anonymous travel card.
With the integration of modern technologies into our transportation systems, people are under almost constant surveillance, whether by the sensors and camera networks activated by and in their motor vehicles, the applications installed on their cellphones, smart infrastructure, or data-driven traffic management tools. It is important to balance the advantages of using Big Data with the severe implications for privacy.
In providing its recommendations, the PPA has incorporated GDPR terminology, and its recommendations largely echo those of the GDPR. I see this as tacit acceptance of the GDPR as the gold standard for protection of privacy and supportive of Israeli companies, many of which export or seek to export their technologies and services around the world.
Article provided by: Beverley Zabow (BL&Z Law Offices and Notaries, Israel)
Dr. Tobias Höllwarth (Managing Director INPLP)