The spread of technology in public transport systems creates growing concerns about our privacy as passengers. Particularly, with electronic ticketing systems (e.g. the Oyster card in London), which register each entry, exit and journey of every passenger, but also with other privacy issues, such as in Closed-Circuit Television (CCTV). In some cases, individual monitoring can be useful for the passengers : There are certainly positive effects stemming from the integration of technology in with public transport, with a lot of innovation that we can access from our computer or our smartphone, and similarly for transport operators :

  • It becomes easier to travel and to book, more flexible
  • Direct information can be provided to passengers in case of travel disruptions : individual needs of passenger are considered (research with rail passengers shows that lack of interpersonal contacts between companies and passengers produces lack of trust from passengers to the company.
  • There are important expectations about safety, protection from physical aggressions or even terrorism, and often people feel safer if they know that the public space is monitored, so that potential aggressors may be easily identified.

DSCF0030

Public transport has become more and more integrated with electronic ticketing

But in other cases, it can be a real cause for concern...

  • Privacy is already a sensitive issue for air travel : there is still debates about US/UE Passengers Name Record agreements for air travel, which implyed that air companies send a lot of passengers personal data to many not-very well identified organizations, such as government authorities, travel operators, third companies.

  • The European regulation about Data Protection is not yet stabilized. The old 1995 directive is being replaced by a new proposal, based on reports by MEPs Jan-Philipp Albrecht and Dimitrios Drouts, for enforcement of personal data protection. These include, for example the "right to erasure" of personal data from company's databases, but the directive is not yet in force. See the current regulation proposal and this memo for more details. This means that currently there are no strong regulative frameworks to prevent abuses.
  • Any company may thus share information about us between one another. This leads to possible abuse of advertising, for example targeting us with commercial offers on the basis of our travels, without opt-out options from such offers. How far can this go into our lives ?

  • While Open Data policies help us gain access to public data, the private life of the citizens should remain protected. Open Data is about transparency of government. Paradoxally, privacy protection measures should be transparent. Metro companies : don't just ask us to trust you, show us we can trust you !

  • It looks the national data protection authorities (see list here) have not always enough resource to implement data protection policies : few staff, many national barriers.

  • All this raises a huge democratic concern : the PRISM scandal reminds us that in an internet-based society, Big Brother is not under the control of Governments anymore.

security services privacy

Which of these three priorities is most important ?

Context “Free movement of persons” is a fundamental right in the European Union (see art 3:2, Treaty on the Functioning of the European Union). Personal privacy also is a fundamental right, as established by the Charter of Fundamental Rights (article 8 says "Protection of personal data : 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified."). This implies the freedom to move anonymously, without an obligation or a need to provide explanations or justification to public institutions or service providers. Many of us, 75% of European citizens in fact, expect a better privacy protection (Eurobarometer survey n.359, November 2011). Starting in the late 1990s, electronic ticketing systems for local public transport are now spreading. The first large application, the Octopus Card in Hong Kong (1997), has become an accepted means for all kinds of small payments in the city. Important early uses in Europe of such a system are London’s Oystercard, Calypso standard (used for Paris' Pass Navigo or Brussels Mobib), and now first trials are taking place in German cities like Oldenburg, Dresden and Berlin. Large-scale applications are in place in the Netherlands, where the OV Chipkaart covers all of the country’s public transport, and soon in Denmark and Sweden. Electronic ticket systems are a common European experience today. Our issue :

  • How to combine a positive transport - technology integration with a tough protection of citizens privacy ?

Our proposal:

  • Develop a charter, protecting passengers' privacy, that responsible organizations would sign. A more constraining measure would be better, such as a standard, or a certification, as a second step.

The characteristics of this charter would be to, in particular :

  • 1. List in clear language the responsibilities of each stakeholder in public transport in personal data protection (mainly : operator, authorities, third parties such as retail and advertisers, users)
  • 2. Tell users they can independently control if their privacy rights are effectively implemented
  • 3. Explain to staff of local transport operators and authorities the duties of their organizations and of the staff

The goal of this charter would be to facilitate a good implementation of existing privacy rights, whatever they are at the current moment. Instead of leaving people with complexe regulation texts, this charta should explain in a very simple way what must be done by whom, and how everyone has the possibility to control that this is effectively carried out. Former European projects on the issue :

Further organizations involved on data privacy include :

We submitted a project candidature to the European Commission in March 2014, with a partnership gathering passengers organizations, transport operators, research, public agencies from various European countries : Assoutenti, Athens Destination Agency, TrainOSE, Fondation Sophia Antipolis, Voxcracy, IGEB, Nexus Institute, Rover. The official answer has been announced (9 July) for August 2014. Last update : 9 July 2014

120px-Flag_of_Europe.svg