Practical Guide to Mobility Data Sharing & Personal Privacy under GDPR ruling

Cities around the world face a range of challenges in meeting the needs of the growing urban populations, climate change and sustainability. Options are complex and interact across a range of dimensions such as transport, economic development, and environment. A key part of delivering this agenda, as evidenced by policy work from organisations such as the International Association of Public Transport (UITP) and the International Transport Forum (ITF), is the need for better and greener transport systems. In addition to the improvement of existing public transport systems, we have been witnessing the rise of new mobility services, such as car-sharing and numerous other micro-mobility services. However, these new mobility services have often failed to integrate transparently into cities’ existing transportation landscape. This practical guide intends to shed light on this new transport paradigm and give city officials, as well as mobility operators, a few tools to better collaborate.

1. What can cities do with mobility data?

A well functioning set of transport systems in an inevitably complex city situation, requires some level of understanding of how these systems are operating in real time, as well as provisioning information to city officials and the public. In this regard, the need for, not just adequate, but good and timely data, is key if city operators are to dynamically react to potential traffic incidents.

Notably, qualitative and quantitative mobility data are critical for cities to be able to:

• manage enforcement of transport regulations in real time;
• identify and enable timely intervention in incidents on the transport networks;
• provide advice back to travellers on the real time status of the network and nudging their transport choices;
• measure the effectiveness of the current transport system’s operations and for developing long term transport models and forecasts;
• enable penalties or other charges to be allocated to operators as agreed within the city.

These datasets are already being captured by cities around the world, such as via the use of on-street camera systems for traffic control or sensors for congestion charging. Cities are using APIs and open data to power in-house and third party travel planning applications. For instance, comprehensive data has been used to provide evidence of the impact of ride-hailing on traffic conditions in New York over the last few years. The emerging micro-mobility market should also be data led, to embed itself in the overall transport system of cities, improve its operations, meet licensing requirements and interact with other transport modes. This will provide an evidence-led approach regarding the impact and role of micro-mobility services in cities, and ensure that these new services support the mobility global goals of the city.

Transportation services in the city of the future: all connected and integrated ?

2. Why do cities need a license agreement?

Mobility data includes a range of information such as real-time GPS coordinates, dates and hours of individual trips along with unique vehicle identifiers (vehicle ID). Such data initially rests with mobility operators, who control their own fleets of vehicles and the respective information. On the other hand, cities need to access it to fulfil their mobility goals mentioned above; this is where licensing agreements come into play.

Indeed, while in a strictly legal sense there is no ownership of data per se under EU law, mobility operators may use this situation to decide who gets to receive mobility data, by granting and withdrawing access at their own discretion — so that although mobility operators do not legally own the data, technically the data is nonetheless owned by mobility operators. Cities of course cannot be content with such precarious access. To secure long-term data flows and make sure mobility providers will keep on feeding fresh, qualitative mobility data, they will need to enter into carefully drafted license agreements with these mobility providers.

Such agreements are a mobility providers’ binding commitment that they will keep on sharing their mobility data with the city (and all necessary third parties) as long as they operate on the city’s territory, so that the city may re-use such data for its very own purposes. Therefore, a mobility data license agreement should be an essential part of any tender, and a systematic, non-negotiable prerequisite in any case where a city intends to procure or authorise mobility services on its territory.

It’s strongly recommended that cities use the same license agreement format for all mobility operators they work with. Thus, license agreements should be signed directly between the city and mobility providers wishing to operate on its territory. This allows the city to remain in control of its data and be less dependent on third-party agreements.

3. What should cities make sure they include in the license agreement?

A micro-mobility operator license needs to include a number of core items regarding the collection and use of data. This will enable the city authority to perform directly, or via a contracted partner, the city management and planning activities outlined above, such as: regulation enforcement, multi-modal system management, provision of comprehensive mobility information to local travellers, etc.

At the core of the license agreement are needs for:

• location data and status data of vehicle which can also help identify and track distinct vehicles;
• real time data provision. The definition of real time data will vary. The definition of “real time data” may vary. Notably, it will depend on the existing standards applied to other transport modes in the city, the availability of funding to develop and support the data management platforms, and the current systems of the various operators. However, if micro-mobility is to be a core part of the overall transport network in the city, it is likely that location and status data of vehicles will need to be no more than a few minutes out of date;

On top of these, the following items will also need to be defined within the license agreement:

Data standards

The data needs outlined above can be related to the data format standards that are used by the operators. Various standards are in the market, including MDS and GBFS, amongst others. Some standards will without doubt solve many of the issues raised above, however, a city may choose not to impose a single standard. Nevertheless, the license agreement should guarantee the outcomes outlined in this practical guide.

Data Sharing

A micro-mobility management system will create a very rich and useful set of data for city authorities. In order for robust management of this dataset and to comply with data practice standards, it is crucial to consider how this dataset will be used over time.

At a basic level, aggregated data from the micro-mobility system will need to be combined with other datasets such as public transport usage data or city infrastructure data in order to develop geospatial insights and understandings. This should be a seamless process, offering a mix of typical data formats, and be supported by inherent data protocols that only allow anonymised data, with minimum levels of aggregation, to be exported. The anonymity of every individual should always be protected.

In due course, it would be expected that data feeds from the micro-mobility system may be shared in real time with other complementary transport management systems in order to develop a real time management tool of the overall mobility situation. Thus, an API feed should be developed for the micro-mobility management system. Sharing of aggregated data and the resulting insights on mobility topics will improve the integration of micro-mobility into the overall transport mix within a city and allow these services to support broader mobility goals.

The data license should make it clear to the operator that the provided data will be used for these purposes, as outlined. Thus, this will also impact the data statements that the operators locally make to their users. According to local regulations and security processes, data may also need to be provided to local public security officials. In this case, this might also involve the release of some personal data. A clear process for official request from the relevant authorities, for authorisation by the local transport authorities, transfer of the request to the data processors of micro-mobility systems — whether this is city staff or a contractor — and secure transfer of the data, is required. These processes will likely already exist for other transport datasets within the city and should similarly be deployed for micro-mobility services as well. The data license should indicate that data may be provided to public security officials under these circumstances.

Historical data collection

The collection of historical data for use in trend analysis, as well as predictive modelling, is a core part of the good development of micro-mobility modes as an integral part of the overall transport system. Thus, it is argued that cities should insist on having access to historical data, and therefore the operator data license should indicate the need for historical data collection. There are a number of ways in which this can be delivered:

• one model for data storage would suggest that data is only stored for a relatively short period of time — for example one week, so that short term trends can be analysed and operational as well as planning issues over this period be considered. Data summaries would then be regularly produced and overall aggregated datasets exported for future analysis;
• an alternative model would suggest that data is warehoused for an extended period of time to enable long term planning and forecasting to be considered. The data retention would need to follow GDPR guidelines so that data would not be retained without purpose, but only in order to produce historical analysis agreed beforehand. The precise length of time for data retention would need to fit within the planning activities of the city.

In addition to data retention length of time, appropriate retention and management guidelines — such as for the hosting of the data, secure and personalised access to data, logs of data access, etc. — should be considered. These topics are in line with GDPR practice in Europe and comparable practices emerging in other territories. Ultimately, the management of historical data will be managed within the principles of GDPR as later outlined in this note. Again, these long term data records should be stored in a secure, yet accessible manner, and in line with industry best practices, so that they can be made available to fulfil their purpose as a planning data tool.

Open Data

It’s inevitable that, as well as using the data from micro-mobility systems for management and planning, some city authorities may wish to offer a data summary to their local population. This already occurs in most other forms of public transport and road management: most cities now have some form of open data policy that encourages, or even mandates, the release of some city controlled datasets. In many cases, these open data policies are very extensive and have led to a flourishing local market in the re-use of public data. Open data is meant to still provide protection for the individual and so is only ever released in anonymised and/or aggregated formats. The ultimate purpose for this public data provision and the resulting level of detail of this data, will need to be carefully considered by city authorities.

The deployment of most micro-mobility services in cities is a competitive and commercial market, and this data could be used to distort the market or gain immediate competitive advantage. For example, this could include monitoring the market share of specific operators in certain neighbourhoods or identifying operational issues that could inform the design of targeted marketing campaigns. Moreover, the micro-mobility market also includes potentially personal data. While open data is acknowledged as a relevant, useful and innovative policy in the development of new mobility modes, data released via a micro-mobility management system will need to be carefully anonymised, aggregated, and even perhaps time-delayed in order to protect a viable model of local operator.

An inflexible position on fully opening up these data sources may prevent the micro-mobility market, which is still a nascent business activity, from ever becoming a viable mobility service. The need to support an agenda for open data may seem implicit in wider city policies, but operators should be aware that micro-mobility management systems will also be part of this agenda. In any case, the data license should make clear that operator’s data will be used to feed such public datasets.

4. How does GDPR come into play?

To the extent that it contains direct or indirect identifiers (such as vehicle IDs) or that it may be associated with such identifiers, mobility data may in fact qualify as personal data, and may provide unexpected insights of a person’s habits and behaviour. The French Data Protection Supervisory Authority’s Innovation Lab (the LINC) has even gone so far as describing mobility data as “stem cells”, to underline this ability to yield virtually any kind of information on individuals when combined in the right amount with the right third-party data.

Through its global reach and high requirements, the EU General Data Protection Regulation (GDPR) has quickly evolved into a worldwide privacy standard for all sectors dealing with personal data. It is our view that mobility data will be best processed in accordance with GDPR concepts and principles, regardless of whether this Regulation legally applies or not. One important aspect of GDPR is allocation of responsibilities. In the licensing framework we are describing hereby:

• cities are data controllers, for they collect and use mobility data for their own defined purposes;
• mobility operators are data sources, from which such aforementioned data is collected;
• third-party platforms and technical service providers such as we, Vianova, are data processors.

This distribution of course has a strong impact on contractual agreements, as eventually the city will be the one bearing most responsibilities.

On the other hand, complying with GDPR principles in the field of mobility data requires to think of innovative, case-specific solutions. Complete anonymisation of mobility data will not always be suitable, not to say feasible. As supervisory authorities themselves recognise, anonymisation must be conceived more as a gradient than in absolutes: depending on the use case, data cannot be entirely anonymised without actually losing all useful value, and compliance efforts will need to focus instead on reaching an acceptable level of aggregation while still allowing for fulfilment of the city’s purposes.

This may require a lot of thinking, and cities are actually encouraged to perform Data Protection Impact Assessments (DPIA) as per GDPR, where they sense potential risks for individuals’ privacy. However, cities are helped in this domain, and may save precious time and efforts through relying on responsible use policies and best practices of their own carefully chosen data processors. As with many things, privacy-friendly solutions in the mobility sector may only stem from sheer end-to-end cooperation.

Diagram summarising the concept for assessment of privacy risk levels

5. Which data format ? MDS or GBFS ?

Today, two data formats are used in the sharing of mobility data: MDS and GBFS, both delivered through an API (Application Programming Interface). We will only give here a short overview of the two standards, and will explain why, so far, MDS format is the most appropriate, whether it is for better mobility management, infrastructure planning, or regulation enforcement by cities as well as government agencies.

About GBFS

GBFS (General Bikeshare Feed Specification) is an open-data standard for bike-sharing, originally designed for docked bikes, then extended to dockless bikes. Under the NABSA’s leadership, GBFS was first released in November 2015, and is now adopted by 230 bike-sharing systems around the world.

GBFS is:

• designed for real-time information to bike-sharing end-user
• intended to enable tools that make bike-sharing systems more accessible to users
• a real-time, read-only, feed of bicycle locations and availabilities
• publicly available thus suitable for release of open data
• specific to micro-mobility

GBFS is not:

• providing vehicles’ precise status (i.e. maintenance, low-battery, rebalancing, etc.)
• providing historical data feed on trips and vehicles’ information
• designed for operations control and regulation enforcement
• bilateral, meaning that agencies and governments cannot send back information to operators, such as road closures, safety hazards, needs for vehicles rebalancing, etc.

About MDS

MDS (Mobility Data Specification) was first released in September 2018 by LADOT (Los Angeles Department of Transportation), and has since then seen its governance transferred to the Open Mobility Foundation (OMF). MDS is delivered through a standardised API on the operators’ side (Provider API) and on the agencies’ side (Agency API).

MDS is:

• designed for regulators and their management of free-floating mobility services
• historical and real-time, describing vehicle trips, routes, as well as vehicles’ locations and status (“out of order”, “available”, etc.)
• suitable for the following use cases: regulation enforcement, operation services’ control, transport and infrastructure planning, real-time safety hazards control
• contains sensitive and confidential data that should be stored and transferred securely
• intends to include all mobility-as-a-service devices
• is more expansive than GBFS in terms of additional data fields

MDS is not:

• open-data compatible as such, but GBFS open-data feed can be extracted from it
• personally-identifiable information per se

Diagram showing the expected events and related status transitions for a shared vehicle, under MDS

As mentioned above, although MDS does not provide directly identifying data, GPS and location data is still considered personal data in regards with GDPR, to the extent that it might reveal personal information in an indirect manner. Thus, storage and processing of MDS data should follow specific privacy protection and data security principles, that we will explain in a later article.

Conclusion

Reports such as “The Shared-use City: Managing the Curb” from the International Transport Forum (ITF) in 2018 or SAE International’s ongoing work on Mobility Data-Sharing Principles capture many of these issues and provide additional evidence of the importance of this topic to the mobility industry. In particular, the best practices hereby described are emerging and need to be monitored by city authorities, along with regulatory support at some levels, in order to ensure the development of a robust, workable and sustainable city environment.

As an emerging thought leader in the area of mobility management, Vianova is keen to work with cities that are eager to promote new transport modes, enforce reasonable and fair rules of deployment on territories, as well as better integrate micro-mobility into cities’ wider public transport system and meet the broader needs for efficient and sustainable mobility.

This document has been written by Thibault Castagne and Thibaud Febvre, co-founders of Vianova, with the precious assistance and guidance from Giles Bailey (Head of Policy & Partnerships) and Adrien Aulas (Legal Counsel).

This practical guide is intended to help cities navigate through the implications of integrating new mobility services, in terms of data licensing as well as governance and privacy. It does not constitute legal advice, nor does it substitute for legal advice. Cities officials should always seek specialised support for the right setup of such complex public-private framework.

If you have any comment that you would like to share with Vianova, please send your comments to cicero@vianova.io.