Data use fuels fundamental debates for the future of mobility as a service 'smart' transport

Data is central to a successful mobility as a service (MaaS) system. Platforms and ecosystems are heavily reliant on access to large amounts of high-quality data. As a result, a lot of value is attached to data. But there is often a misunderstanding around data ownership. People want to own data, but what does this mean? 

European law

In European law, there is no real concept of data ownership, although this often comes as a surprise for companies or other stakeholders. There are parts of European law where a kind of ownership of data can be seen. For example, copyright law or database protections, but these are subject to high and specific prerequisites. Outside these isolated areas, there is no general concept of ownership of data.

Privacy law does not provide for a concept of data ownership either. This is also often misunderstood. Privacy law defines a data controller, but many think it relates to owning the data. It is not. No one owns data in Europe; as a result, access to or control over data is crucial – but the law does not automatically help on this.

What is personal data?

The experts debate of what actually constitutes personal data under European privacy law which has been around for decades, with only one landmark decision from 2016 (dated 6 December 2016 – file C-582/14). A lot of information qualifies as personal data, as long as someone is able to link this information to a person. However, in practice, companies often misunderstand the definition and believe that, if there's no name or face in a picture – or such like – then it's not personal data. Unfortunately, the definition of personal data is far reaching with a lot of information qualifying as personal data.

For example, a licence plate from a car would be deemed personal data, although anyone driving behind the car would not immediately be able to tell who the holder is or the location data. A Global Positioning System (GPS) track from a car on another side of a city would be deemed personal data as well, although it may not be immediately clear who is the person behind the GPS signal.

Anonymised data

Data that is truly anonymised is outside the scope of the General Data Protection (GDPR) and applicable data protection laws. Anonymising data is a valuable approach because, instead of finding a legal basis to process personal data, it takes the data out of the scope of privacy law. Companies are often keen to seek advice on how to anonymise data rather than find a legal basis for processing the data. A lot of data can be anonymised easily, especially by aggregation. For example, research into road congestion might require information on the number of cars on a road over a period of time, but not the names or licence plates of individual drivers. The data can be anonymised and aggregated to just a single figure that explains how busy the road is; in this instance, anonymising data would work well. 

Anonymising data depends on the input data and the purpose and how the information is intended to be used. However, there are a lot of different scenarios involved in anonymising data, and it is not always straightforward because of the far-reaching scope of privacy law. Just taking names away is unlikely to be enough in many circumstances. A lot of information is likely be deemed personal data, and this cannot be anonymised without impairing its value.

Cross-border challenges

Now that the UK is no longer in the European Union, this fortunately did not trigger additional limitations when making personal data available to the UK since, the European Commission and UK have deemed each regime to be adequate in terms of the protection afforded to personal data which means that personal data can transfer freely without additional restrictions (such as standard contractual clauses). 

Within the EU, the challenge is that privacy law is not completely harmonised. The idea behind the GDPR was to have one harmonised and identical privacy law across Europe. Before the GDPR, there were different laws in each Member State. But there are so many open clauses in the GDPR – around 40 or 50 depending on what is defined as an opening clause – that almost every Member State now enacts their own local law around certain privacy questions and the interaction between GDPR and existing Member State law (such as employment regulation or trade union rules). Those local laws do not change fundamental principles but they often provide for additional - for example, there are differences in the EU when handling employee data and over the minimum age for consent. Having said that, the rules around the technical measures in place for cross-border data transfers are uniform across the EU, although regulators may have different priorities in terms of enforcement action and priorities.

The constraints of consent

Lawful grounds are needed to process personal data under the GDPR. Sometimes consent might be appropriate, but it is not the only option. At least one legal basis is needed to process personal data and companies often believe that consent is the best way to go. But consent isn't always. It has high requirements. It needs to be given voluntarily – so there is always the need for an alternative. And what happens if someone doesn't grant consent? Also, consent can be revoked – and what happens then?

Moreover, consent must not be coupled with other elements – for example, a service should not be conditional on an individual consenting to the service providers use of their personal data. There are a lot of downsides around consent which means it is not the best tool to rely upon (unless you are handling special category personal data as there are more limited legal bases available to you). An obvious legal basis that is often being overlooked is a contract. If a contract is entered into with a data subject – that is, the person whose data is going to be processed – then processing that person's data may be allowed to the extent that it is necessary to fulfil the contract. 

Balancing of interest

Another useful legal basis is legitimate interests, which is a mechanism in which one person's interest in processing the data is balanced against the data subject's interest and fundamental rights. Often this is a good legal basis to process data even outside contractual obligations.   

Privacy law has a defined list of information that it considers to be more sensitive; for example, healthcare and disabilities – neither balancing of interest nor contract would form a legal basis for either of these and consent would need to be relied upon.

Osborne Clarke comment

When a mode of transport is chosen using MaaS, information – for example, about user's disabilities – might be directly provided or inferred through requests made in relation to the transport modes selected. Moreover, a MaaS app needs location data to provide services, such as live updates; for example, if a connection is going to be missed due to a delay, it can change the connection and help the user get from A to B as quickly as possible (not all MaaS apps will do this but it is a solution that is widely under consideration in the industry). 

If a user is tracked and, for example, they regularly visit a hospital or a religious venue, it's possible to start to aggregate these special categories and sensitive personal data and infer that the user has specific health issues or religious views. By just looking at location data, such as where they went to hospital or worship, a lot of information and knowledge around sensitive data could be derived and built up. This raises a potential issue in MaaS provision – and around the need for consent to access data. But addressing these and other legal issues around MaaS solutions and data sharing in its emerging ecosystems are fundamental for its evolution as a part of urban transport landscapes internationally.

This is part of a series of articles drawn from Osborne Clarke's recent set of podcasts looking at the legal and wider issues surrounding the development of MaaS. The next article will look in more depth at some of the international challenges and opportunities for MaaS in cities and markets around the world.