Transports

Avis concernant la communication de la Commission sur le plan d'action pour le déploiement de systèmes de transport intelligents en Europe et la proposition de directive du Parlement européen et du Conseil établissant le cadre pour le déploiement de systèmes de transport intelligents dans le domaine du transport routier et d'interfaces avec d'autres modes de transport, JO C 47, 25.02.2009, p. 6

The EDPS has adopted an opinion on the European Commission's proposed deployment plan for intelligent transport systems (ITS) in Europe that was adopted in December 2008 to accelerate and coordinate their deployment in road transport and their connection with other modes of transport. The deployment of ITS  has considerable privacy implications, for instance because these systems make it possible to track a vehicle and to collect a wide variety of data relating to European road users' driving habits.

The EDPS notes that data protection has been taken into consideration in the proposed legal framework and that it is also put forward as a general condition for the proper deployment of ITS. He however underlines that the Commission's proposal is too broad and too general to adequately address the privacy and data protection concerns raised by ITS deployment in the Member States. In particular, it is not clear when the performance of ITS services will lead to the collection and processing of personal data, what are the purposes and modalities for which data processing may take place, or who will be responsible for compliance with data protection obligations.

The EDPS opinion includes the following main recommendations:

• clarification of responsibilities: it is crucial to clarify the roles of the different actors involved in ITS in order to identify who will bear the responsibility of ensuring that systems work properly from a data protection perspective (who is the data controller?);
• safeguards for the use of location technologies: appropriate safeguards should be implemented by data controllers providing ITS services so that the use of location technologies is not intrusive from a privacy viewpoint. This should notably require further clarification as to the specific circumstances in which a vehicle will be tracked, strictly limiting the use of location devices to what is necessary for that purpose, and ensuring  that location data are not disclosed to unauthorized recipients;
• "privacy by design" approach: the EDPS recommends to consider privacy and data protection from an early stage of the design of ITS to define the architecture, operation and management of the systems. Privacy and security requirements should be incorporated within standards, best practices, technical specifications and systems.

Background information
ITS apply information and communication technologies (satellite, computer, telephone, etc.) to transport infrastructure and vehicles with the intention to make transport safer and cleaner and to reduce traffic congestion. ITS applications and services are based on the collection, processing and exchange of a wide variety of data, both from public and private sources, including information on traffic and accidents but also personal data, such as the driving habits and journey patterns of citizens. Their deployment will also rely to a large extent on the use of geolocalisation technologies, such as satellite-positioning and RFID tags. As such, ITS constitute a "data-intensive area" and raise a number of privacy and data protection issues that should be carefully addressed in order to ensure the workability of ITS across Europe.

Avis sur la proposition de directive faisant obligation aux Etats membres de maintenir un niveau minimal de stocks de pétrole brut et/ou de produits pétroliers, JO C 128, 06.06.2009, p. 42

The current issue serves as a good illustration of the fact that there should be a constant awareness of the rules on data protection. In a situation which concerns Member States and their obligation to hold emergency oil stocks, which are owned mainly by legal entities, the processing of personal data is not very obvious, but, even though it is not envisaged as such, it can still take place. One should in any case consider the likelihood of personal data processing taking place and act accordingly.

Avis sur la proposition de directive facilitant l'application transfrontière de la législation dans le domaine de la sécurité routière, JO C 310, 5.12.2008, p. 1

The EDPS issued an opinion on the proposal for a Directive facilitating cross-border enforcement in the field of road safety.

The proposal aims at reducing fatalities, injuries and material damage resulting from traffic accidents. In this context, the proposal intends to establish a system to facilitate the cross-border enforcement of sanctions for specified road traffic offences.

In order to contribute to a non discriminatory and more effective enforcement towards traffic offenders, the proposal foresees the establishment of a system of cross-border exchange of information between Member States.

The EDPS considers that the proposal provides for sufficient justification for the establishment of the system for the cross-border exchange of information, and that it limits the quality of data to be collected and transferred adequately.

He also welcomes the redress procedure foreseen in the proposal and, in particular, the fact that access to personal data will be possible in the country of residence of the data subject.

The EDPS also made the following recommendations:

• on the information of data subjects: the way data subjects will be informed of the fact they have specific rights of access to their data and possible correction of these data will depend on the format of the offence notification. It is therefore important that the proposal lists all information relevant for the data subject, in a language that he/she understands.
• on the security of the system: the EDPS has noted that it is foreseen to make use of an already existing infrastructure to exchange the information. The EDPS has no objection to this objective as far as it limits financial or administrative burdens. He insists however on the fact that this should not lead to interoperability with other databanks. The EDPS welcomes the proposed limit on the possibilities of use of the data by Member States other that the one where the offence was committed.

Avis sur la proposition de règlement instaurant un code de conduite pour l'utilisation de systèmes informatisés de réservation, JO C 233, 11.09.2008, p. 1

The EDPS issued an opinion on the proposal for a Regulation on a Code of conduct for computerised reservation systems (CRSs).

The objective of the proposal is to update the provisions of the Code of Conduct for Computerized Reservation Systems that was established in 1989 by Regulation 2299/89. The Code would need simplification in order to reinforce competition - while maintaining basic safeguards, and ensuring the provision of neutral information to consumers.
A specific article on data protection has been developed in the proposal with a view to complementing the provisions of Directive 95/46/EC which continues to apply as a lex generalis.

The EDPS welcomes the inclusion of such principles in the proposal. He stresses that these provisions could nevertheless be usefully complemented by additional safeguards on three points:

• ensuring the fully informed consent of data subjects for the processing of sensitive data;
• providing for security measures taking into account the different services offered by CRSs;
• protecting marketing information relating to individuals from access by third parties.

With regard to the scope of application of the proposal, the criteria that make the proposal applicable to CRSs established in third countries raise the question of its practical enforcement, taking into account the complexity of the CRS network.

It is deemed as essential to put the CRS question in this global context and to be aware of the implications of having a large amount of personal data, some of them sensitive, processed in a global network practically accessible to third state authorities.

The EDPS considers it as decisive that effective compliance is ensured by competent authorities for enforcement (i.e. the Commission), as foreseen in the proposal, as well as data protection authorities.