TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Spanish Supreme Court overturns PHV data-sharing obligation Related reading: Human Rights court: Hidden video surveillance did not violate convention

rss_feed

""

""

In July 2020, the Spanish Supreme Court voided the Royal Decree that imposes on private hire vehicle licensees the obligation to register in real-time, in a national register managed by the Ministry of Transport, all services provided, including specific data, such as the name and ID number of the passenger, time and date of the service, and points of origin and destination of each trip. This is one of the first rulings by a high national court on data-sharing in urban transportation.

Public authorities are increasingly imposing data-sharing obligations in urban transport. These obligations can be imposed on traditional service providers but also on digital platforms that intermediate a transport service. The scope of the obligation can be to share data with governmental authorities with other players in the transport ecosystem and also with consumers. There is a growing debate about the limits of these data-sharing obligations. There are concerns about the proportionality of the obligations and the impact they have on both the passengers’ and drivers’ privacy.

In December 2017, the Spanish government adopted Royal Decree 1076/2017. The decree established a national electronic register managed by the Ministry of Transport and also imposed data-sharing obligations on all entities with a PHV license that were active in Spain. PHV is the service intermediated by digital platforms in competition with traditional taxi services, which are not subject to any data-sharing obligation, even though it is often argued PHV and taxi provide users a competing service. PHV licensees were obliged to submit data in electronic form, in a standardized format, before each service would start in real-time. The specific data to be shared with the registry were the same as those that licensees previously had to include in their contracts with passengers (trip waybill), which must be retained for 12 months and made available to the authorities at their request: name and ID number of both the passenger and the service provider, date and hour of the provision of the service, point of origin and point of destination, and license plate of the vehicle.

In March 2018, the Spanish antitrust authority, Comisión Nacional de los Mercados y la Competencia, asked the Supreme Court to decide on the proportionality of the data-sharing obligation. The Comisión acted not as an antitrust authority but as the authority in charge of the application of the Act on Unity of the Market (Act 20/2013), which is based on the freedom to provide services, inspired by the Treaty on the Functioning of the European Union. Uber raised a parallel claim.

On March 10, 2020, the Supreme Court concluded the data-sharing obligation was adequate to enforce the regulatory obligations imposed on PHV services, particularly the geographic restriction of the PHV licenses and the obligation not to hail the vehicles on the streets (as taxis), but to previously contract them through applications, telephone or other means.

However, the Supreme Court also ruled the data-sharing obligation was not necessary nor proportionate — that is, strictly limited in the restriction of privacy that is necessary to ensure the public policy objectives. According to the court, “the data required to be sent go beyond what is necessary to achieve the intended purpose, and there are other measures that are less restrictive or distorting and have less impact on the users affected.”

The court ruled that registering the passenger’s name and ID number in the Ministry of Transport’s electronic registry was not necessary to control the fulfillment of the regulatory obligations imposed on transport service providers: “In fact, the information that the owner company is obliged to submit to the administration includes not only the contracted route but also the user’s data (name and number of the national identity card […] creating a national registry with them. This establishes an obligation to communicate personal data of the users of the service that has no justification in relation to the purpose pursued since such information is irrelevant to control the movements of the vehicle.”

Furthermore, the court identified creating a national database with the location of passengers when using transport services “allows to establish patterns of behavior in relation to mobility and use of the service of this urban transport of individuals perfectly identified, which not only can discourage the use of this service but has a clear impact on the rights protected by data protection regulations.” The court was concerned not only with the breach of data protection legislation, but also with the competitiveness of PHV services against taxi services, which have never been subjected to similar data-sharing obligations.

When the Spanish government abrogated the Royal Decree in July, it started the procedure to adopt a new Royal Decree that would create a new national register to be fed also in real-time by PHV licensees. Basically, the same data will have to be submitted, with the exception of the name and ID number of the passenger, to the extent they are a natural person. However, academic literature confirms “Over multiple trips, granular trace data can easily be linked to an individual person by evaluation of common travel patterns (e.g., home-to-work routes).

This raises privacy concerns for individuals using mobility services, including ride providers (for ride-hailing services) as well as riders.” Dates, times and locations for the start and end of a trip are quasi-identifiers, individually or in combination with other data, they can be used to probabilistically identify a passenger or a driver. The impact on the privacy of similar data-sharing obligations, also without the identity of the passenger, has been raised in other jurisdictions such as California.

Data-sharing obligations in transportation, both with the public authorities and other companies in the same ecosystem, will be increasingly discussed in the following years. Public administrations argue that there are benefits in terms of efficiency of the whole transport system, supervision of transportation by public authorities and enforcement of regulatory restrictions. However, data protection has to be taken into consideration, aside from the negative impact this type of obligation can create on competition, as highlighted by the Spanish Supreme Court.

Photo by Jorge Fernández Salas on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Comments

If you want to comment on this post, you need to login.