Road transport: framework for the deployment of intelligent transport systems and for interfaces with other transport modes  
2008/0263(COD) - 22/07/2009  

Opinion of the European Data Protection Supervisor (EDPS) on the Communication from the Commission on an Action Plan for the Deployment of Intelligent Transport Systems in Europe and the accompanying proposal for a Directive of the European Parliament and of the Council laying down the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other transport modes.

The EDPS welcomes the proposed ITS deployment plan put forward by the Commission that aims at harmonising the data processes throughout Europe in order to facilitate the provision of ITS services, and in which data protection is put forward as a core condition for the proper deployment of ITS in Europe. It notes that the Directive raises a number of privacy and data protection issues that need to be further addressed at EU and national level:

  • there is a risk that the lack of clarity of the proposed legal framework will create diversity in the implementation of ITS in Europe which will lead to different levels of data protection in Europe. The EDPS emphasises the need for further harmonisation on these issues at EU level to clarify outstanding issues (such as definition of the roles and responsibilities of ITS actors, which specific ITS applications and systems must be embedded in vehicles, the development of harmonised contracts for the provision of ITS services, the specific purposes and modalities of use of ITS, etc.). It is particularly crucial to identify who the data controllers will be in respect of the data processing performed, as they will bear the responsibility to ensure that privacy and data protection considerations are implemented at all levels of the chain of processing;
  • decisions concerning certain modalities of the processing that could seriously impact on the privacy and data protection rights of individuals should be taken by the European Parliament and the Council, and not through comitology procedure;
  • it is paramount to consider privacy and data protection from an early stage of the processing and in all stages of the processing; the implementation of ‘Privacy by design’ should be encouraged for the design of ITS applications and systems, and should be incorporated within standards, best practices, technical specifications, and systems;
  • any interconnection of applications and systems should be done with due respect for data protection principles and practical safeguards on security;
  • with regard to the uncertainties that remain at this stage concerning the modalities of deployment of ITS, the EDPS particularly welcomes the initiative put forward by the Commission in its Communication that a privacy assessment be conducted by 2011. He furthermore strongly advises that privacy and data protection impact assessments are conducted in relation to particular sectors and/or purposes of use for the definition of appropriate security measures and that Best Available Techniques for privacy, data protection and security in ITS are developed;
  • the EDPS further stresses that Member States will bear responsibility in implementing the Directive in a proper fashion so that ITS operators implement systems and services that offer an appropriate level of data protection across Europe;
  • appropriate safeguards should be implemented by data controllers providing ITS services so that the use of location technologies, such as satellite positioning and RFID tags, is not intrusive of the privacy of individuals using vehicles in a purely private or in a professional context. This will notably require limiting the processing to the data strictly necessary for that purpose, ensuring that appropriate security measures are built into the systems so that location data are not disclosed to unauthorised recipients, and providing users with an effective means of deactivation of the location device/feature.

The EDPS recommends that Article 6 of the proposal on rules on privacy, security and re-use of information is amended, in line with Directive 95/46/EC:

  • data minimisation should be encouraged for the data processing performed through ITS;
  • it is important that personal data processed through interoperable systems are not used for further purposes that are incompatible with those for which they were collected, and this should be reflected in the wording;
  • the EDPS recommends adding an explicit reference to the notion of ‘privacy by design’ for the design of ITS applications and systems in Article 6 of the proposal. Moreover, he recommends that the Article 29 Working Party and the EDPS are consulted on further actions taken on this issue through the comitology procedure.

Lastly, the EDPS recommends that data protection authorities, in particular through the Article 29 Working Party, and the EDPS are closely involved in initiatives related to the deployment of ITS, through consultation at a sufficiently early stage before the development of relevant measures.