Several months ago our advisor, Jascha Franklin-Hodge, wrote a first draft of a Practical City Guide to Mobility Data Licensing for Remix. In the months since, we’ve learned a lot in working with cities across the country on mobility data licensing, and wanted to share some thoughts and insights based on those close relationships.
Cities have always collected data to understand the impact of transportation services offered to the public. Historically, this data may have been as simple as a log of trips as written down by a taxi driver. Today, transportation providers offer rides booked by mobile phone in cars, on scooters, docked bikes, dockless bikes and e-bikes — and in doing so these providers collect, store and analyze many data points with respect to every ride, in order to provide the best possible service for their customers.
Just as they have always done, cities require information about these trips to enforce policies that benefit riders, other street users, and companies who provide the service. Increasingly, cities also use this data to inform transportation planning decisions that impact the infrastructure we all rely on to get from point A to B. Information about digitally-enabled trips is a core asset for the mobility companies, and it is often so granular as to be privacy-sensitive for the riders using those services. Cities need to carefully consider the security, privacy and public disclosure implications of collecting mobility data in this new digitally-enabled world.
New privacy regulations, such as GDPR and CCPA, are setting a global standard for the protection of personal data. These regulations are also increasingly treating individual trip data as personal data due to the risk that individuals could be reidentified from the data. Given its classification as personal data, private companies are held to legally binding privacy policies and deploy industry best practices related to security, such as SOC-2. Cities that require individual trip data be shared with the city as a condition of operating must take steps to ensure they meet the gold standard of data protection in order to maintain the trust of individual citizens and commercial mobility operators.
The mobility data at issue must be understood to include personal data, and as such cities must consider Freedom of Information (FOI) requests and how they impact individual privacy. Cities should understand whether the applicable FOI laws compel production of individual trips records; in cities where that production is required, requiring providers to share individual trip records puts privacy at risk and should be reconsidered.
Cities are different from commercial entities in a number of ways, one of the most striking is that the government has police power. It is understandable that privacy advocates are concerned that cities collecting individual trip data may create a backdoor for law enforcement access to that data without due process. If your city plans to require individual trip data be shared by mobility providers, the city should first put in place a clear policy and procedure that governs law enforcement’s access to that data.
Individual trip data is vulnerable to reidentification attacks. Cities collecting this data should institute a policy prohibiting attempts to reidentify individuals.
Open data is a powerful way to keep our government more accountable and transparent. Cities that require individual trip data be shared by mobility providers must commit to keeping that individual trip data confidential. In practice, this means carefully considering how existing and planned open data policies will apply to mobility data, and ensuring any mobility data that is shared on open data portals is carefully aggregated and anonymized.
The best practice for stewards of personal data is to provide data subjects an opportunity to access their personal data and request that it be deleted. Many private mobility providers will be subject to this obligation given recent changes in state laws in the United States and the General Data Protection Regulation in Europe. As such, these providers may reasonably expect that cities holding individual trip data provide similar opportunities to individual citizens.
Some cities may have the capacity to responsibly manage individual trip data meeting all the obligations set out above. But many cities will not have that capacity, and will instead want to employ third-party software and services (like Remix) to help them understand, plan, and better coordinate with data and ensure data protection standards are met. It’s important cities understand where they sit on the spectrum of municipalities that collect mobility data, and choose solutions that are fit for purpose. To skip this step may put individual privacy at risk.
Cities manage the public right of way and need to ensure they can use mobility data to fulfill that duty. Mobility providers on the other hand may want to grant cities data licenses to govern what the data is used for. In these cases, cities should be sure that these licenses give cities the right to:
As Jascha wrote earlier — if cities receive a sufficiently broad license that covers these use cases, it is not strictly necessary for cities to “own” the data being shared by providers — which, in today’s world, may be the most pragmatic solution to working with private mobility data.
In summary, according to a framework from Julia Lane, Professor in the Wagner School of Public Policy at NYU:
For any government agency that is collecting data, the data should be:
1. central to the agency’s mission
2. collected and stored in a secure manner
3. integrated into the agency’s decision-making process.
Legal counsel note: This document is intended to aid cities in their consideration of the issues surrounding data licensing. It does not constitute legal advice nor does it address a number of topics that will be important in any licensing agreement. Cities should work with their in-house legal team and, where necessary, seek specialized legal support for the more complex aspects of data licensing.
Do you have comments that you would like to share? We’re open to feedback — please write to us at firstname.lastname@example.org or email@example.com.
In honor of Women’s History Month, Via and Remix organized the Women in TransitTech Summit 2021, featuring an all-female panel of transportation technology innovators. They share their key insights here.