Growing urban population and environmental urgency brings challenges in terms of transport for cities. Micromobility vehicles (bikes, e-bikes, e-scooters etc.) such as those offered by companies to be shared and rented in the public space, can provide solutions to cover many short daily trips, and can also be a complement to public transport. How will these innovative modes be durably integrated in an urban landscape that was built around heavy transport modes? What role can data play, and what are the challenges around sharing sensitive information, such as location, between private and public actors in the European legal framework? How to ensure a successful data collaboration that strikes a balance between fostering the development of micromobility and protecting individual freedoms?

Sharing mobility data enables a responsible development of micromobility solutions
Micromobility combines the advantages of using less space than cars, being emission free and more intensively used, especially when shared. Its recent boom in cities urges regulators to allow these modes to deliver their full potential where they are most needed and to ensure their presence in the public space is respectful to all the inhabitants of the city. To achieve these goals, data generated by micromobility can help cities understand movement across its territory, and thus support informed public policy decision making. For example, data can help a city plan or justify infrastructure investments, such as bike lanes and dedicated parking locations, that foster the use of micromobility and encourage modal shift. Data can also be helpful for cities to regulate micromobility operators and ensure public order. Knowing the number and distribution of vehicles can help a city understand where there are gaps, and assess whether and how mobility programs are achieving city leaders’ goals.

The nature of data can imply that its sharing is regulated
When moving across a city, a traveler leaves a digital trace of their movements. This trace constitutes location data that is defined as personal data in article 4* of GDPR. It is indeed possible to re-identify an individual based on their travels (e.g. if leaving every day at the same time from A to go to B, we can easily infer that A is likely the home and B the workplace of this person.) Mobility data is linked to behaviour, and patterns of movement are both highly individual, permitting re-identification even in large cities. These patterns of movement reveal a lot about an individual’s life, including one’s habits, preferences, employment and economic status. Therefore, micromobility operators and cities who collect the data have a responsibility to make sure they both follow the rules that are in place to govern the collection and sharing of personal data. If an operator shares precise location data about individual trips with a city without the proper safeguards and policies in place, this could inadvertently infringe upon individuals’ privacy.

Ensuring the data protection rights of individuals – the European GDPR framework
The EU-wide GDPR provides a framework to ensure that the data protection rights of individuals are honored, also when their data is used and shared between private and public entities. First of all, the GDPR bases on the principles of purpose limitation and data minimization. As put forward by GDPR in article 5 “Personal data shall be: (…) collected for specified, explicit and legitimate purposes (…); adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). The sharing of personal data therefore needs to be motivated by a specific purpose. Indeed, collecting and using more than what is needed to address a specific purpose is not permitted in order to protect the privacy rights and other fundamental rights and freedoms of individuals.

Secondly, for each purpose put forward by a public entity, it should be assessed whether the sharing of personal data is lawful (=based on a public duty defined by law) and necessary, or whether it can be achieved through aggregated and anonymized or pseudonymized data (=less privacy-sensitive). It should assess what the minimal amount and granularity of personal data would be necessary to perform its duties. Here are some examples of purposes that do not require the sharing of personal data:
○ Urban planning (e.g. to inform where to build a new bike lane): this purpose can be addressed with data treated with standard aggregation techniques to protect against re-identification
○ Compliance enforcement: by sharing the real time position of parked vehicles that have been decoupled from trips and personal identifiers, one can verify fleet size control, equitable deployment, how long a given vehicle has been parked somewhere, proper parking, etc.

If a city requests individual trip data – especially in real-time – which is very sensitive regarding a.o. individuals’ right to privacy, freedom of assembly and freedom of movement, it would need to justify why it is needed. If the purpose put forward could be achieved through less privacy-sensitive data, then the city will not be able to request such data. Indeed, GDPR makes sure the rights of individuals for their data protection are protected, and only surpassed if a greater interest can clearly be established. The users by a statement or by a clear affirmative action, should signify agreement to the processing of personal data relating to them. A public body can process personal data, if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the public body. The basis for such processing must be laid down by a law. The purpose of the processing must be determined in that law or, must be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. During the lawmaking process the legislator must address the necessity as well.

In conclusion, collaboration between private actors and public actors, with the goal of fostering the responsible development of micromobility should rely on data sharing that takes into consideration cities’ needs and individuals’ privacy rights. In order to be GDPR compliant, it is essential to reason from what is needed: necessity and proportionality are key.

Recommendations for GDPR compliant data sharing:

A. Operators, regulators, third parties providing or facilitating services and cities should all work closely together to define which data will be the most relevant and on what basis it is needed to help cities effectively regulate micromobility.

B. Public and private entities should engage with their data protection officer, as well as with data protection authorities to assess the risks of sharing mobility related data and work towards solutions. As GDPR applies to private companies and public bodies alike, it is essential that cities be able to explain how they will make sure that the data is collected, used, and protected in a way that protects individuals’ privacy and other rights, as set out by GDPR. A Data Protection Impact Assessment should have been concluded by the city prior to requesting the data, and preferably shared to improve collaboration. Also, data protection by design, that is to say from the very start and within engineering considerations (art. 25 of GDPR), should be adhered to.

C. Users should be clearly informed on what personal data is collected, shared and on what purposes. Users’ right to erasure of their personal data should be protected.

D. Finally, as data sharing can also be business/competition sensitive, confidentiality should be adequately guaranteed (e.g. by signing of an NDA) and security protocols implemented regarding the use, analysis, handling, safeguarding, and retention of such data.

_______________________________________________

* Art 4 of GDPR Definitions (1) personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

_______________________________________________

About the author:
Garance Lefèvre leads public policy efforts for Uber’s new mobility offer in Europe, namely shared e-bikes and e-scooters, which are currently available in 10 European cities under the brand JUMP. She previously covered public policy for Uber in France. She works hand in hand with public actors and third parties, to help them solve mobility challenges thanks to Uber’s technology. To this end, she brings forward the positive impact of sustainable shared mobility solutions to get from A to B in ever more densely populated cities.

Uber’s mission is to ignite opportunity by setting the world in motion. Good things happen when people can move, whether across town or toward their dreams. Opportunities appear, open up, become reality. What started as a way to tap a button to get a ride has led to billions of moments of human connection as people go all kinds of places in all kinds of ways with the help of our technology. Uber is a Member in the MaaS Alliance.