National Academies Press: OpenBook

Legal Issues and Emerging Technologies (2022)

Chapter: II. DATA PRIVACY: PROTECTING PERSONAL INFORMATION IN GOVERNMENT RECORDS

Suggested Citation: "II. DATA PRIVACY: PROTECTING PERSONAL INFORMATION IN GOVERNMENT RECORDS." National Academies of Sciences, Engineering, and Medicine. 2022. Legal Issues and Emerging Technologies. Washington, DC: The National Academies Press. doi: 10.17226/26786.


TCRP LRD 59 15

by PTC.79 In October 2016, Amtrak reached a $265 million settlement with individuals affected by the derailment in 2015. This amount is in response to more than 125 cases filed against Amtrak by passengers and family members. On May 19, 2015, the FRA issued an emergency order to Amtrak related to the derailment.80 Through this order, Amtrak was required to modify its automatic train control system to enforce the passenger train speed limit on the curve where the derailment occurred.81 To the extent additional train accidents occur in trains without PTC, further litigation can be expected. Additionally, if train accidents occur in PTC installed trains, it is anticipated that wrongful death and personal injury lawsuits alleging theories of product liability and negligent failure of the PTC system may be filed.

II. DATA PRIVACY: PROTECTING PERSONAL INFORMATION IN GOVERNMENT RECORDS

New and emerging technologies routinely collect and store information, including personally identifiable information (PII)—such as names, dates of birth, phone numbers, addresses, social security numbers, drivers’ licenses, or state IDs—as well as confidential or otherwise sensitive information. Data is essential to maintaining more precise and more flexible transportation regulatory systems. Trip data can be used to ensure compliance with existing regulations and for the purposes of public safety, congestion management, and transportation planning, including curbside management, road improvements, traffic management, transit service planning, and the allocation of public monies for those purposes. Many state and local regulators require taxis and other for-hire vehicles, including ridesourcing service providers, also known as ridesharing and TNCs, to report information about their operations, including passenger and driver data. Any technology that collects, receives, uses, or maintains data about individuals raises issues of privacy, data protection, and systems security.

Data collection poses significant risks to personal privacy and threats to innovation and competition. Public agencies and local governments must pay close attention to the privacy and data security laws that regulate their collection, use, transfer, and disposal of PII and other sensitive information that is contained in government records.82 Data privacy laws and regulations on both the federal and state level deal with the storage and use of an individual’s PII and confidential and sensitive information, such as medical and financial records. Data protection law covers protected categories and types of data, when protection arises, and permissible uses or disclosures. Privacy law defines who has control over use of that information, while data protection focuses on an individual’s claim to control, use, or disclose such information.

A. Personal Privacy Risks

Collecting data poses significant risks to personal privacy. Consumers have a reasonable expectation of privacy when they engage in private transactions, such as taking and paying for transportation. Making data that is collected for regulatory purposes public by posting it online or making it available upon request could diminish consumer confidence in that mode of transportation. Malicious data security breaches aside, even supposedly “anonymized” data can be cross-referenced with other information to identify individual users. For example, in 2014, the New York City Taxi and Limousine Commission publicly released anonymous and randomized trip information in response to a Freedom of Information Law request from a researcher who was able to extract personal details about drivers, including their home addresses and their driving routes.83 Another individual reportedly used the Taxi and Limousine Commission’s (TLC) anonymized data to identify Muslim drivers.84 According to an April 2016 report from Uber, the company received 33 regulatory requests in the second half of 2015, involving trip data for more than 12 million Uber users.85 According to Uber, regulators frequently send “blanket requests without explaining why the information is needed, or how it will be used.” Although Uber stated that this trip data did not include personal information, it could reveal patterns of behavior and Uber claimed that the data provided more than regulators need to do their jobs. There is legitimate concern that anonymized and aggregated individual user data could be reverse engineered for malevolent purposes such as stalking, identity theft, or financial fraud.86

79 Merrit Kennedy, Amtrak Reaches $265 Million Settlement over Deadly Philadelphia Crash, NPR, Oct. 27, 2016, www.npr.org/sections/thetwo-way/2016/10/27/499592760/amtrak-reaches-265-million-settlement-over-deadly-philadelphia-crash.
80 Fed. Railroad Admin., Emergency Order No. 31, Establishing Requirements for the National Railroad Passenger Corporation (May 21, 2015), available at https://railroads.dot.gov/elibrary/emergency-order-no-31-establishing-requirements-national-railroad-passenger-corporation.
81 Id.
82 In 2017, TCRP issued a report that discusses transit agencies’ use of contactless electronic payment systems for the collection of fares. See Larry W. Thomas and James B. McDaniel, TCRP LRD 48: Legal Issues Concerning Transit Agency Use of Electronic Customer Data, Transportation Research Board of the National Academies of Sciences, Engineering and Medicine, Washington, D.C., 2017, https://doi.org/10.17226/24730.
83 See Alex Hern, New York Taxi Details Can Be Extracted from Anonymized Data, Researchers Say, The Guardian, Jun. 27, 2014, https://www.theguardian.com/technology/2014/jun/27/new-york-taxi-details-anonymised-data-researchers-warn.
84 See Lorenzo Franceschi-Bicchierai, Redditor Cracks Anonymous Data Trove to Pinpoint Muslim Cab Drivers, Mashable, Jan. 28, 2015, https://mashable.com/2015/01/28/redditor-muslim-cab-drivers/#QJEqzARLgsqP.
85 Uber Transparency Report (Apr. 14, 2017), https://transparencyreport.uber.com/.
86 Julia Franz, Uber Is Making Ride-Booking Data Publicly Available. Is This A Privacy Pandora’s Box?, PRI, Feb. 1, 2017, https://www.pri.org/stories/2017-01-21/uber-making-ride-booking-data-publicly-available-privacy-pandora-s-box.
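Section A makes the point that "anonymized" trip data released under a public-records request can still single out individual drivers or riders once it is cross-referenced with what an outsider already knows (roughly where and when a pickup happened). The following is an added example, not part of this digest, of the kind of pre-release check an agency's data custodian could run before publishing such a table: it measures how many records are unique on their location-and-time quasi-identifier, reports the k-anonymity of the release, and shows that coarsening the grid and time buckets alone may not suffice, so suppression of isolated records has to be combined with it. The trip records, the generalization ladder and the k/suppression thresholds are all constructed assumptions for illustration.

```python
"""Pre-release re-identification risk check for trip records (added example)."""
from collections import Counter
from decimal import Decimal, ROUND_FLOOR
from typing import Optional

# Constructed sample of hypothetical for-hire trip records; no real data.
# Fields: driver_id, pickup_lat, pickup_lon, pickup_time "HH:MM", fare_usd.
TRIPS = [
    ("d001", "40.7580", "-73.9855", "08:02", 12.50),
    ("d001", "40.7614", "-73.9776", "08:41", 9.00),
    ("d002", "40.7128", "-74.0060", "08:05", 15.75),
    ("d002", "40.7484", "-73.9857", "17:30", 11.00),
    ("d003", "40.7306", "-73.9352", "08:10", 7.25),
    ("d003", "40.7306", "-73.9352", "08:12", 7.25),
    ("d004", "40.7580", "-73.9855", "08:03", 13.00),
    ("d005", "40.8075", "-73.9626", "23:55", 22.00),
    ("d006", "40.7128", "-74.0060", "08:20", 14.00),
    ("d007", "40.7484", "-73.9857", "17:45", 10.50),
]


def quasi_identifier(trip, coord_decimals: int, time_bucket_min: int) -> tuple:
    """Generalize a record to the attributes an outsider could plausibly know
    (where and roughly when a pickup happened). The driver id is dropped and the
    fare is treated as non-identifying. Coordinates are truncated to a grid cell
    of coord_decimals places; times are truncated to time_bucket_min buckets."""
    _, lat, lon, hhmm, _ = trip
    cell = Decimal(1).scaleb(-coord_decimals)

    def grid(value: str) -> Decimal:
        # Decimal on the string value avoids float rounding surprises.
        return Decimal(value).quantize(cell, rounding=ROUND_FLOOR)

    hours, minutes = (int(x) for x in hhmm.split(":"))
    bucket = ((hours * 60 + minutes) // time_bucket_min) * time_bucket_min
    return (grid(lat), grid(lon), bucket)


def class_sizes(trips, coord_decimals: int, time_bucket_min: int) -> list:
    """For each record, the size of its equivalence class (records that share
    the same quasi-identifier), in input order."""
    qids = [quasi_identifier(t, coord_decimals, time_bucket_min) for t in trips]
    counts = Counter(qids)
    return [counts[q] for q in qids]


def k_anonymity(trips, coord_decimals: int, time_bucket_min: int) -> int:
    """k of the release: every record shares its quasi-identifier with at least
    k-1 others. k == 1 means at least one trip is singled out."""
    return min(class_sizes(trips, coord_decimals, time_bucket_min))


def singled_out(trips, coord_decimals: int, time_bucket_min: int) -> int:
    """Records unique on their quasi-identifier: anyone who knows roughly where
    and when one pickup happened can pick that exact trip out of the release."""
    return sum(1 for n in class_sizes(trips, coord_decimals, time_bucket_min) if n == 1)


# Generalization ladder, finest to coarsest (an assumed policy choice):
# (decimal places kept for latitude/longitude, minutes per time bucket).
LADDER = [(4, 1), (3, 15), (2, 60), (1, 180)]


def coarsen_until(trips, k: int, ladder=LADDER) -> Optional[tuple]:
    """First ladder level at which the whole table is k-anonymous, or None if
    even the coarsest level leaves some record singled out."""
    for level in ladder:
        if k_anonymity(trips, *level) >= k:
            return level
    return None


def choose_release(trips, k: int, max_suppressed: int, ladder=LADDER):
    """Generalization alone can fail (an isolated late-night trip stays unique at
    every level), so combine it with suppression: return the finest level at
    which withholding every record in a class smaller than k suppresses no more
    than max_suppressed records, together with that count; None if no level works."""
    for level in ladder:
        suppressed = sum(1 for n in class_sizes(trips, *level) if n < k)
        if suppressed <= max_suppressed:
            return level, suppressed
    return None


if __name__ == "__main__":
    for level in LADDER:
        print(level, "k =", k_anonymity(TRIPS, *level),
              "singled out:", singled_out(TRIPS, *level))
    print("generalization alone reaches k=2 at:", coarsen_until(TRIPS, 2))
    print("generalize + suppress (k=2, at most 2 withheld):", choose_release(TRIPS, 2, 2))
```

On the constructed table every record is unique at full precision, six remain unique at a 3-decimal grid with 15-minute buckets, and one trip (the lone late-night pickup) is still unique even at the coarsest level, so `coarsen_until` returns None and the release has to withhold that record. The quasi-identifier deliberately leaves out the driver id rather than hashing it: a hashed or "randomized" identifier is still a persistent pseudonym that links a driver's trips together, which is exactly what allowed the home addresses and routes in the TLC case to be recovered.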

B. Data Privacy Risks Associated with a Public Agency’s Use of Emerging Technologies

Emerging technologies and systems gather and store a massive amount of customers’ PII or information that is not identifiable to a person but might identify a device the person uses, such as an intellectual property (IP) address.

1. Location Data

Software that is capable of monitoring and recording the GPS location of vehicles, riders’ pick up and drop off locations, as well as their names, addresses, and other PII raises privacy concerns. If government has access to users’ route information, it can derive personal information from that data. New York’s highest court found that, “[d]isclosed in [location] data will be trips the indisputably private nature of which takes little imagination to conjure: trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on.”87 Commentators have noted that “[i]f a vehicle’s navigation route decision is actually made by a centralized government network, there will be additional concerns about whether this infringes on the individual right to privacy, including the right to physical autonomy.”88

In United States v. Knotts, 460 U.S. 276, 281, 103 S. Ct. 1081, 75 L. Ed. 2d 55 (1983), the U.S. Supreme Court held that “[a] person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another.”89 Courts have routinely found that “[t]here is a diminished expectation of privacy in a vehicle because of its availability to public scrutiny.”90

In 2007, in Alexandre v. N.Y.C. Taxi & Limousine Comm’n, 2007 U.S. Dist. LEXIS 73642 (S.D.N.Y. Sep. 28, 2007), the U.S. District Court for the Southern District of New York rejected a group of taxi drivers’ claims that the local taxi regulator’s requirement that licensed medallion taxicabs install new technology systems that would automatically collect and transmit trip data, including location using GPS, violated the drivers’ fundamental right to privacy guaranteed by the Fourth Amendment. In considering the drivers’ request for a preliminary injunction, the court found that their privacy claim was unlikely to succeed on the merits for several reasons. First, to help maintain the confidentiality of electronic trip data, the contracts with the technology system vendors included a provision specifically prohibiting vendors from disclosing the location of a taxicab while it is off-duty to anyone, including the New York City TLC.91 Second, citing Knotts, the court found that there likely is “no legitimate expectation of privacy” in the taxicab context at issue, and the Fourth Amendment protection against unreasonable searches and seizures “depends on whether the person invoking its protection can claim a ‘justifiable,’ ‘reasonable’ or ‘legitimate expectation of privacy’ that has been invaded by government action.”92 Third, the Alexandre court found that a person’s privacy interests are not absolute and “can be overcome by a sufficiently weighty government purpose.”93 The Court of Appeals for the Second Circuit had applied “intermediate level scrutiny” in evaluating regulations analogous to the taxi GPS rules considered in Alexandre.94 The court found that the use of GPS technology appeared to outweigh any burdened privacy rights because the technology was required to improve taxi service for the public good by using “modern methods.” The court also ruled that medallion owners who choose to engage in a “publicly regulated business” surrender their rights to unfettered discretion and denied the preliminary injunction.

Publicly disclosing disaggregated trip data is essentially sharing the movements of private citizens. Anonymized data can be cross-referenced with other information to identify individual users. Malicious data security breaches aside, there is legitimate concern that publicly available anonymized and aggregated individual user data could be reverse engineered for malevolent purposes such as stalking, identity theft, or financial fraud.

2. Micromobility Data: Shared Bikes and Scooters

As shared electric scooter systems have risen in popularity, cities across the country are mandating that the companies that operate these systems provide data about the scooters, including location and trip data. Cities often condition data sharing requirements on granting permission for shared scooter systems to operate within their jurisdiction. For example, the Los Angeles Department of Transportation (LADOT) issued twelve-month permits to scooter share companies that agreed to share scooter location and trip data, including vehicle identifier, trip time, trip cost, and real-time and historical, minute-by-minute information about riders’ locations, routes, and destinations to within a few feet. Companies that declined to share such data were eligible for a provisional, 30-day permit only. LADOT and a private sector consultant developed a software tool known as Mobility Data Specification (MDS) that uses GPS to collect this data. MDS does not capture riders’ identities, but the information that it collects could be used to reveal the identities of riders. Data collected from MDS is classified as “confidential” under the LADOT’s Data Protection Principles.95 However, such data is nonetheless susceptible to loss, abuse, theft, or subpoena, and raises privacy concerns.

On June 8, 2020, the American Civil Liberties Union (ACLU), in partnership with the Electronic Frontier Foundation (EFF), filed a lawsuit in Federal District Court in California claiming LADOT’s requirement of scooter tracking data violates the Fourth Amendment to the U.S. Constitution and the California Electronic Communications Privacy Act.96 The U.S. District Judge dismissed the lawsuit in February 2021, stating that the plaintiffs did not have their legal or constitutional privacy rights violated by MDS, although the Judge did recognize the “Plaintiffs’ concern with the unprecedented breadth and scope of the City’s location data collection.”97 Instead, the Judge said the debate over MDS “may be more appropriately addressed as a matter of public policy.”98

3. Autonomous Vehicles

Autonomous and connected vehicle technology is entirely dependent on the vehicles sharing and coordinating data with each other and between the autonomous vehicles and an external network, both locally and through centralized infrastructure. The data can include information about the exact location of vehicles as well as how and where drivers operate their vehicles. Autonomous vehicles will likely generate other forms of data, not necessarily associated with location, over which users may have a reasonable expectation of privacy. Even data that is scrubbed of unique individual identifying markers (e.g., VINs, IP addresses, vehicle location) has the potential to be mined and reconstructed to show PII about particular vehicles and their passengers.99 This raises privacy and data use concerns relative to the government agencies deploying such vehicles and creating the infrastructure. Issues related to data collected by autonomous and connected vehicle software and computers include vehicle testing crash data storage and access, concerns about who owns the data, and consumer privacy.100

C. Federal Laws Protecting Personal Information in Government Records

Both federal and state laws protect personal information in government records. Similar to the private sector, state and local government agencies are subject to a patchwork of data security laws and other restrictions when they receive, maintain, use, or transmit data containing PII and other sensitive or confidential information. However, there is no overarching federal privacy regulation that addresses the government’s use of all types of personal data from its citizens. Federal laws that protect personal information in government records applicable to public agencies include the Freedom of Information Act (FOIA), discussed in Section III of this digest, the Privacy Act of 1974, the Driver’s Privacy Protection Act (DPPA), and the Family Education Rights and Privacy Act (FERPA). These laws concern an individual’s claim to prevent disclosure of sensitive or confidential information held by the government.101 Some federal laws, such as the federal Privacy Act of 1974 and FOIA, broadly control the “use and disclosure of federal government records about its citizens.”102 Many states have adopted statutes mirroring or implementing these federal laws as well as general data security and breach notification statutes that typically apply equally to government and private entities. Most states have laws and regulations that govern the length of time that state and local government agencies may retain PII and other personal information.

Often, government entities are exempt from consumer data privacy laws that apply to the private sector. For example, the California Consumer Privacy Act of 2018 (CCPA) applies only to “businesses” that are “organized or operated for the profit or financial benefit of [their] shareholders or other owners,” which would not include government agencies.103 The CCPA is the first U.S. law to grant consumers rights over their personal information collected by businesses and how that personal information is handled. Similar to the European Union’s General Data Protection Regulation (GDPR), the CCPA requires companies to be transparent with consumers regarding the categories of personal data they collect and how they disclose and share that information.

1. The Federal Privacy Act of 1974

The Privacy Act of 1974 (Privacy Act) protects the privacy of records maintained by federal agencies for individuals and regulates the agencies’ release of private information.104 The Privacy Act does not apply to state and local government agencies. The Privacy Act guarantees three primary rights: (1) the right to see records about oneself, subject to the Privacy Act’s exemptions; (2) the right to amend a nonexempt record if it is inaccurate, irrelevant, untimely, or incomplete; and (3) the right to sue the government for violations of the statute, such as permitting unauthorized access to an individual’s records.

The Privacy Act applies to information that is “about an individual,” that is stored in a system of records “under the control of any agency,” and that is “retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”105 Covered persons include lawful U.S. residents and citizens of certain foreign countries designated by the U.S. Secretary of State. When disclosing records, no federal agency or its contractors may disclose PII without the affected individual’s written consent.106

Covered persons may sue in a U.S. federal district court for actual damages or $1,000 (whichever is greater), attorney fees, and court costs. The court may also require the federal agency to amend or correct any information on file concerning the covered person. To establish a claim for wrongful disclosure under the Privacy Act, a plaintiff must establish that (1) the plaintiff’s information is a record contained in a system of records; (2) the agency disclosed the information improperly; (3) the disclosure had an adverse effect on the plaintiff; (4) the disclosure was willful or intentional; and (5) the plaintiff suffered actual damages.107

While the Privacy Act provides individuals with a means of access similar to that of the FOIA, the statutes do not overlap entirely.108 The intent of the Privacy Act is to govern the procedures by which federal agencies gather, maintain, use, and disseminate personal information,109 whereas the intent of the FOIA is transparency in government operations.

2. Driver’s Privacy Protection Act

The federal government enacted the DPPA to protect the privacy of drivers’ personal information in state motor vehicle records.110 The DPPA prohibits state departments of motor vehicles (DMVs) and their contractors from knowingly disclosing (1) personal information and (2) highly restricted personal information, subject to several exceptions.111 Personal information means information that identifies an individual, including an individual’s photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but specifically does not include information on vehicular crashes, driving violations, and driver’s status.112 Highly restricted personal information means an individual’s photograph or image, social security number, medical or disability information.113

States are required to follow the DPPA, and some states have adopted laws that substantially follow the DPPA.114 State laws may be more restrictive than DPPA. For example, California law is more restrictive than the DPPA with respect to the DPPA permissive disclosure categories and prohibits access to personal information unless the legislature affirmatively authorizes disclosure.115

3. Family Educational Rights and Privacy Act

FERPA protects the privacy of student education records.116 FERPA prohibits the U.S. Department of Education (DOE) from providing federal funds to any educational agency or institution if it has a policy or practice of permitting disclosure of a student’s PII contained within his or her education records without the consent of the student or the parent of a minor student, unless in response to a subpoena or court order.117 A student record may include a variety of details about a student, including a bus route. Student transportation providers are increasingly using technology to transport students to and from school, including routing and tracking software.

4. Health Insurance Portability and Accountability Act

Public transportation agencies that provide paratransit services—the alternative to fixed route transit service required by the Americans with Disabilities Act118 of 1990, as amended (ADA)—collect, use, and maintain some medical information about their clients. Transit agencies also contract with state and local governments to serve as a broker to provide coordinated transportation services to ADA-patrons, Medicaid-recipients, and beneficiaries of other federal and state programs. In providing these services, transit agencies collect, use, and maintain health information about patrons, including the names and locations of their clinics, hospitals, doctors’ offices, and dialysis centers. The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes a privacy rule that provides federal protections for individually identifiable health information (referred to as “protected health information” or “PHI”) held by covered entities or a business associate of a covered entity.119 The HIPAA Security Rule requires covered entities and business associates to implement certain administrative, physical, and technical safeguards to protect PHI that they transmit or maintain in electronic form.120

HIPAA applies only to “covered entities,” which the law defines generally to include (1) health plans, (2) health care clearinghouses, and (3) health care providers “who transmit[] any health information in electronic form in connection with a transaction covered by this subchapter.”121 A health care provider means a provider of medical or health services and “any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.”122 “Doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies are health care providers;” transit agencies are not, even if they obtain PHI from a covered entity such as a hospital.123 Therefore, HIPAA does not apply to transit agencies unless they meet HIPAA’s criteria for being a business associate of a covered entity. A separate Legal Digest on How the HIPAA and Other Privacy Laws Affect Public Transportation Operations concluded:

[A] transit agency is not subject to HIPAA’s privacy and security rules because of the need to have health information provided by patrons (or an entity covered by HIPAA that patrons authorize to provide to the agency) to qualify for paratransit services. A transit agency is subject to HIPAA only if the transit agency meets HIPAA’s definition of a business associate (or is a subcontractor of a business associate subject to HIPAA) under 45 C.F.R. § 160.103 of the HIPAA rules. A person or entity meeting HIPAA’s definition of a business associate of a person or entity covered by HIPAA (e.g., a health care provider) must have a business associate agreement in accordance with 45 C.F.R. § 164.504(e)(2) of the HIPAA rules. Even though some transit agencies have business associate and subcontractor agreements that state that HIPAA applies to the agreements, it does not appear that transit agencies meet HIPAA’s definitions of a business associate or subcontractor of one.124

A business associate is a person or entity that performs activities, functions, or services that involve the use or disclosure of PHI on behalf of a covered entity.125 The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) lists some of the functions, activities, and services that would make a person or entity a business associate.126 The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities; they do not include transportation.127 Many entities do not fall into the category of covered entities or a business associate of a covered entity and therefore do not have to comply with the HIPAA Rules. HIPAA aside, there are state statutes that may apply to transit agencies regarding their handling of personal health information that they receive from patrons. As transit agencies deploy new technologies to provide paratransit service, they should be aware of their obligations under state laws if they create, receive, maintain, or transmit PHI about patrons.

5. The Payment Card Industry Data Security Standards

In 2017, TCRP issued a report that discusses the use of contactless electronic payment systems for the collection of fares by public agencies.128 There are more methods to pay a fare now than ever before due to advancements in mobile phone technology, banking, and payment systems. Today, transit agencies deploy myriad fare technologies, including magnetic stripe medium, contactless smart cards, smartphone payment, and off-board payment. New technologies have also allowed alternatives for purchasing fares (e.g., account-based ticketing, online account management), making it more convenient for customers. While ultimately related to the choice of the overall fare payment technology, purchasing also has its own features and options.129

A contactless fare payment system began to roll out in New York City in May 2019. One Metro New York (OMNY) uses a contactless bank card or smart device to make fare payments and will eventually combine payments and ticketing across subways, buses, and commuter rail. To pay fares at subway turnstiles and buses, a customer taps the contactless card or smart device on an OMNY reader.130 The multi-agency GoPass in the Dallas/Fort Worth area can only be purchased through smartphones. The Ventra fare payment system in Chicago uses an open payment system where riders can use their own contactless bank cards. Smartphone payments may also be used via Google or Apple Pay. Furthermore, Ventra cards can be used as a credit/debit card at other merchants, allowing for promotional opportunities and partnerships.131 A vendor typically handles back-end processing of transactions to enable appropriate cost and revenue sharing.

Having a variety of options for purchasing and paying fares can attract more (or a more diverse set) of riders (particularly for younger customers who are used to innovative and app-based payment options for other goods and services), while also reducing dwell times and ultimately speeding up service. If fare equipment is outdated and needs to be updated or replaced, adding new payment options can open opportunities for new partnerships with other transit agencies, mobile payment providers, or retail establishments.

Public agencies that accept payment via a customer’s credit or debit card must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry

charges that the company deceived consumers about its privacy and data security practices.137

E. State Data Privacy Laws

States have different definitions for personal information and regulations regarding protection of such information in government data. Some states have specific data security requirements for government agencies that collect, use, or manage personal information of the state’s residents, while others regulate data collected by and from certain modes, in particular TNCs.

1. Data Privacy Laws Applicable to Government Agencies Generally

Some examples of State data privacy laws that apply to government entities are below.

Under California’s Electronically Collected Personal Information law, any state agency that electronically collects personal information through the internet must prominently give notice to users about the data that the agency is collecting and its purpose for doing so and that users have the option of requesting their data be discarded.138 This information is exempt from requests made pursuant to the California Public Records Act. The law also prohibits state agencies from distributing or selling any electronically collected personal information to any third party without prior written permission from the user.139 California state agencies are required to discard without reuse or distribution any electronically collected personal information upon request by the user.

87 People v. Weaver, 909 N.E.2d 1195, 1199 (2009).
88 William J. Kohler & Alex Colbert-Taylor, Current Law and Potential Legal Issues Pertaining to Automated, Autonomous and Connected Vehicles, 31 Santa Clara High Tech. L.J. 99, 123 (2015).
89 See also Turner v. Am. Car Rental, Inc., 92 Conn. App. 123, 884 A.2d 7, 11 (Conn. App. Ct. 2005) (“[T]he plaintiff has not presented us with any authority that equipping a motor vehicle with a global positioning system violates the privacy of the vehicle’s operator.”); People v. Gant, 9 Misc. 3d 611, 620, 802 N.Y.S.2d 839, 847 (Westchester County Ct. 2005) (holding that a search warrant was not required prior to installing a GPS device to track the vehicle’s whereabouts because there is no “legitimate expectation of privacy in a vehicle traveling upon . . . public roadways”).
90 U.S. v. Moran, 349 F. Supp. 2d 425, 467 (N.D.N.Y. 2005) (citing U.S. v. Knotts, 460 U.S. 276, 281, 103 S. Ct. 1081, 75 L. Ed. 2d 55 (1983)).
91 Alexandre v. N.Y.C. Taxi & Limousine Comm’n, 2007 U.S. Dist. LEXIS 73642, at *30-34.
92 Alexandre, 2007 U.S. Dist. LEXIS 73642 at *31, citing Smith v. Maryland, 442 U.S. 735, 740, 99 S. Ct. 2577, 61 L. Ed. 2d 220 (1979) (citations omitted).
93 Alexandre, 2007 U.S. Dist. LEXIS 73642 at *33.
94 In Statharos v. New York City Taxi & Limousine Comm’n, 198 F.3d 317, 324 (2d Cir. 1999), the court held that, “Because taxis are an important part of the public life of the City and have a City-granted monopoly on providing a crucial service, the taxi industry is pervasively regulated by the [TLC]. . . [M]edallion owners’ nominal private status does not sufficiently strengthen their confidentiality interest . . . so as to make the intermediate scrutiny [test] . . . inadequate.”
95 City of Los Angeles, Inter-Departmental Correspondence, Data Protection Principles/Use and Retention (CF #19-1355), Jun. 14, 2020, http://clkrep.lacity.org/onlinedocs/2019/19-1355_rpt_DOT_6-14-2020.pdf.
96 Sanchez v. L.A. DOT, No. CV 20-5044-DMG (AFMx), 2021 U.S. Dist. LEXIS 34711 (C.D. Cal. Feb. 23, 2021).
97 Id.
98 Id.
99 See Dorothy J. Glancy, Privacy in Autonomous Vehicles, 52 Santa Clara L. Rev. 1171 at 1196, 1200 (2012).
100 Congressional Research Service, Issues in Autonomous Vehicle Testing and Deployment, R45985, v. 11, Feb. 11, 2020, https://fas.org/sgp/crs/misc/R45985.pdf.
101 1 Data Privacy, Protection, and Security Law § 1.02 (2020); see also T.M. Cooley, The Law of Torts 29 (2d ed. 1888) (“privacy” is the “right to be let alone”).
102 J. Thomas McCarthy, The Rights of Publicity and Privacy, at § 6.135 (2013).
103 Cal. Civ. Code Div. 3, Pt. 4, Title 1.81.5 (added Stats. 2018 ch. 55 § 3 [A.B. 375], effective Jan. 1, 2019, operative Jan. 1, 2020).
104 See 5 U.S.C. § 552a.
105 5 U.S.C. §§ 552a(a)(4)–(5). See Wilson v. Libby, 535 F.3d 697.
106 65 Fed. Reg. 82482 (Dec. 28, 2000).
107 Stafford v. SSA, 437 F. Supp. 2d 1113.
108 See generally Greentree v. U.S. Customs Serv., 674 F.2d 74, 76-80 (D.C. Cir. 1982).
109 Federal Privacy Act, 4 Pattern Discovery Tort Actions § 46:7.
110 18 U.S.C. §§ 2721–2725.
111 18 U.S.C. § 2721.
112 18 U.S.C. § 2725(4).
113 18 U.S.C. § 2725(5).
114 See, e.g., Idaho Code § 49-203; 625 Ill. Comp. Stat. Ann. 5/2-123; and Iowa Code § 321.11.
115 Cal. Veh. Code § 1808.
116 20 U.S.C. § 1232g.
117 Id.
118 Pub. L. No. 101-336, 104 Stat. 327 (1990).
119 Pub. L. No. 104-171, 110 Stat. 1936 (1996).
120 45 C.F.R. § 160.103.
121 45 C.F.R. § 164.104(a).
122 45 C.F.R. § 160.103.
123 Larry W. Thomas and James B. McDaniel, TCRP LRD 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations, Transportation Research Board of the National Academies of Sciences, Engineering and Medicine, Washington, D.C., 2014, available at https://doi.org/10.17226/22359, citing U.S. Dep’t of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html.
124 Id.
125 45 C.F.R. § 160.103; U.S. Dep’t of Health and Human Services, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
126 Id.
127 Id.
128 Thomas & McDaniel, supra note 82.
129 Nashville MTA/RTA Strategic Plan, https://nmotion.info/wp-content/uploads/2015/12/nMotion-Fare-Technology_151120_FINAL.pdf.
130 OMNY, https://omny.info/about-omny.
131 Ventra Chicago, https://www.ventrachicago.com/howitworks/.
Utah regulates disclosures by the state government, preclud- ing agencies from collecting “personally identifiable informa- tion related to a user of the governmental entity’s governmental website unless the government entity has taken reasonable steps to ensure that on the day on which the personally identifiable information is collected the governmental entity’s governmental website” posted a privacy policy.140 The Virginia Government Data Collection and Dissemina- tion Practices Act controls the collection, maintenance, use and dissemination of personal information by government agencies of the Commonwealth.141 The Government Data Collection and 137 In the Matter of Uber Techs., Inc., 152-3054, 2018 WL 1836642 (Apr. 11, 2018). 138 Cal. Gov’t Code § 11015.5(a). See also Cal. Gov’t Code § 11015.5(d)(1) (defining “Electronically collected personal information” as “any information that is maintained by an agency that identifies or describes an individual user, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, medical or employment history, password, electronic mail address, and informa- tion that reveals any network location or identity, but excludes any information manually submitted to a state agency by a user, whether electronically or in written form, and information on or relating to indi- viduals who are users serving in a business capacity, including, but not limited to, business owners, officers, or principals of that business.”). 139 Cal. Gov’t Code § 11015.5(b). 140 Utah Code Ann. § 63D-2-103(1). 141 Va. Code Ann. § 2.2-3803(a). Security Standards Council.132 Some state statutes either refer to the PCI DSS or require that any merchant accepting payment in a manner that requires a bank-issued credit or debit card must comply with the PCI DSS. D. 
Federal Consumer Data Privacy Law: Federal Trade Commission Act The Federal Trade Commission (FTC) has become increas- ingly concerned with the privacy implications of mobile and geolocation data, and mobile app data security. In its 2012 re- port “Protecting Consumer Privacy in an Era of Rapid Change,” the FTC “call[ed] on entities involved in the mobile ecosystem to work together to establish standards that address data collec- tion, transfer, use, and disposal, particularly for location data.”133 Since then, the FTC has issued further guidelines on best prac- tices with respect to the development of privacy and data secu- rity policies and practices.134 The FTC has authority to bring actions against companies or individuals that engage in unfair or deceptive acts or practices, including those involving vehicle data privacy and security. The FTC’s authority under the Federal Trade Commission Act, 15 U.S.C. § 45, extends to its recommended guidelines regarding privacy policies. The FTC protects consumers’ privacy by en- forcing Section 5(a) of the FTCA and penalizing companies for using consumer data in a way that violates the manufacturer’s stated privacy policies.135 Section 5 prohibits “unfair or decep- tive acts or practices in or affecting commerce” and states an act may be considered “unfair” if it “causes or is likely to cause sub- stantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”136 In the transportation technology context, the FTC has used its enforcement authority in appropriate circumstances to bring actions against Uber. In October 2018, the FTC settled an action it brought against Uber for data breaches in 2014 and 2016 and 132 PCI Security Standards Council, https://www. pcisecuritystandards. org/pci_security/. 133 U.S. 
Federal Trade Comm’n, Protecting Consumer Pri- vacy in an Era of Rapid Change (2012), https://www.ftc.gov/sites/ default/files/documents/reports/federal-trade-commission-report- protecting-consumer-privacy-era-rapid-change- recommendations/ 120326privacyreport.pdf. 134 See, e.g., U.S. Federal Trade Comm’n, Mobile Privacy Dis- closures: Building Trust Through Transparency (Feb. 2013), www.ftc.gov/sites/default/files/documents/reports/mobile-privacy- disclosures-building-trust-through-transparency-federal-trade- commission-staff-report/130201mobileprivacyreport.pdf; U.S. Federal Trade Comm’n, Marketing Your Mobile App: Get It Right from the Start (Apr. 2013), https://www.ftc.gov/system/files/ documents/ plain-language/pdf-0140_marketing-your-mobile-app.pdf; U.S. Fed- eral Trade Comm’n, Start with Security: A Guide For Business (Jun. 2015), https://www.ftc.gov/tips-advice/business-center/guidance/ start- security-guide-business; U.S. Federal Trade Comm’n, App Developers: Start with Security (May 2017), https://www.ftc.gov/ tips-advice/business-center/guidance/app-developers-start- security. 135 15 U.S.C. § 45. 136 15 U.S.C. § 45(n).

TCRP LRD 59 21 pleteness that is necessary to assure fairness in any deter- mination made with respect to a person on the basis of the information; • Take reasonable precautions to protect personal infor- mation in the system from unauthorized modification, destruction, use, or disclosure; • Collect, maintain, and use only personal information that is necessary and relevant to the functions that the agency is required or authorized to perform by statute, ordinance, code, or rule, and eliminate personal information from the system when it is no longer necessary and relevant to those functions. 146 The Ohio Privacy Act establishes a private right of action for a person who is harmed by the use of personal information that is maintained in a personal information system. Civil dam- ages are available from any government official or agency who intentionally: • Maintains personal information that he knows, or has rea- son to know, is inaccurate, irrelevant, no longer timely, or incomplete and may result in such harm; • Uses or discloses the personal information in a manner prohibited by law; • Supplies personal information for storage in, or uses or dis- closes personal information maintained in, a personal infor- mation system, that he knows, or has reason to know, is false; or • Denies to the person the right to inspect and dispute the personal information at a time when inspection or correc- tion might have prevented the harm. 147 Finally, state and local agencies in Ohio also have an obliga- tion to ensure that the information they maintain is accurate. If any person disputes the accuracy, relevance, timeliness, or com- pleteness of personal information in any state or local agency information system, that person may request the agency inves- tigate the current status of the information.148 2.  
Transportation Network Company Data Privacy Laws Some state laws create an exemption for certain TNC records from disclosure under public records and freedom of informa- tion laws. For example, the District of Columbia deems TNC data confidential and exempts it from disclosure under the pub- lic records access law.149 However, the law allows the D.C. Mayor to enter into a confidential data sharing agreement with the Washington Metropolitan Area Transit Authority or the Metro- politan Washington Council of Governments to provide those entities with anonymized and aggregated trip data.150 New York State’s TNC law also exempts the names and identifying infor- mation of TNC drivers obtained in connection with an audit 146 Ohio Rev. Code Ann. § 1347.05. 147 Ohio Rev. Code Ann. § 1347.10. 148 Ohio Rev. Code Ann. § 1347.09. 149 See D.C. Code Ann. § 50-301.29a. 150 Id. Dissemination Practices Act does not make personal informa- tion confidential but establishes certain practices which must be followed in the collection, retention, and dissemination of that information.142 Most Virginia agencies are required to adopt certain policies if they maintain an information system that includes personal information. These include collecting, main- taining, using, and disseminating only that personal informa- tion permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper pur- pose of the agency. 
In addition, agencies must establish appro- priate safeguards to secure the system from any reasonably fore- seeable threat to its security and collect no personal information concerning the political or religious beliefs, affiliations, and ac- tivities unless authorized explicitly by statute or ordinance.143 In addition, agencies may not disseminate information to another system without specifying requirements for security and usage, including limitations on access, and after reasonable assurances that those requirements and limitations will be observed.144 The Ohio Privacy Act requires state and local agencies to only use personal information in a manner that is consistent with the purposes of the information system145 and must also: • Appoint one individual to be directly responsible for the system; • Adopt and implement rules that provide for the operation of the system in accordance with the provisions of this chapter that, in the case of state agencies, apply to state agencies or, in the case of local agencies, apply to local agencies; • Inform each of its employees who has any responsibility for the operation or maintenance of the system, or for the use of personal information maintained in the system, of the applicable provisions of this chapter and of all rules adopted in accordance with this section; • Specify disciplinary measures to be applied to any employee who initiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public, evidence of unauthorized use of in- formation contained in the system; • Inform a person who is asked to supply personal informa- tion for a system whether the person is legally required to or may refuse to, supply the information; • Develop procedures for purposes of monitoring the accu- racy, relevance, timeliness, and completeness of the per- sonal information in this system, and, in accordance 
with the procedures, maintain the personal information in the system with the accuracy, relevance, timeliness, and com- 142 See Carraway v. Hill, 2003, 574 S.E.2d 274, 265 Va. 20; Hinderli- ter v. Humphries, 1982, 297 S.E.2d 684, 224 Va. 439 (holding that the Privacy Protection Act does not render personal information confiden- tial and does not generally prohibit the dissemination of information; instead, the Act requires certain procedural steps to be taken in the col- lection, maintenance, use, and dissemination of such data.). 143 Va. Code Ann. §§ 2.2-3800(A)(1)–(10). 144 Ohio Rev. Code Ann. § 1347.10. 145 Ohio Rev. Code Ann. § 1347.07.

22 TCRP LRD 59 F. Transit Agency Regulations, Policies, and Procedures for Data Privacy and Protection Data collection poses significant risks to personal privacy and threats to innovation and competition. Therefore, data should be collected in a quantity and at a level of detail that is reasonably necessary to implement and ensure compliance with regulations or to deliver legitimate public policy outcomes. Transportation agencies should have in place rules, regula- tions, policies, and procedures that protect the personal privacy rights of customers and drivers. Regulators should also take all reasonable measures and efforts to protect, secure, and—when appropriate—encrypt or limit access to any data provided. Data should be provided in an anonymized format and not include the personal information of passengers or drivers to the extent possible. Policies should specify that data collected by a govern- ment agency will be used only for the purposes of public safety, congestion management, and transportation planning, includ- ing curbside management, road improvements, traffic man- agement, transit service planning, and the allocation of public monies for those purposes The following recommendation would help to ensure trans- portation operators employ appropriate and adequate privacy and security safeguards for all data collected, regardless of whether the data is provided to a regulatory agency: • As a condition of licensure, all companies must have appro- priate data privacy protections in place and enforced. The appropriateness of the data protection protocol will depend on the nature of company, including whether drivers or passengers use an app in connection with the service. • Companies should collect and process only personal data that is necessary for the fulfillment of a legitimate business purpose. 
• The nature and extent to which customers’ personal data is being collected and used should be clearly and conspicu- ously identified and communicated to consumers at, or before, the time of collection. Companies should clearly articulate how their users’ data is retained and shared, and offer a clear opt-in or opt-out mechanism, as well as a right to access and correct the personal data held by the com- pany. The language used should be clear and easy to read, even when displayed on the screen of a smartphone. • Proper administrative, physical, and technical safeguards should be implemented and periodically tested to protect passenger personal data against unauthorized access, de- struction, use, modification or disclosure, and risk of loss. • Access to sensitive data such as geolocation and financial data should only be granted to a limited number of autho- rized individuals, for a set of limited and clearly defined legitimate business purposes. Employees and contractors training, together with strict disciplinary actions, are neces- sary steps to ensure the enforceability of these mechanisms. 
• If passenger personal data is shared by a company with a third party, the company should take steps to ensure that the latter secures such data in a manner consistent with from public disclosure,151 as does the Texas TNC Law.152 Such records may only be disclosed to a third party in compliance with a court order or subpoena.153 To minimize the risk of the inappropriate disclosure of PII, Texas law requires a public entity make the following assess ment before deciding to collect, use, or disclose any TNC records, data, or other information: • Consider the potential risks to the privacy of the indi viduals whose information is being collected, used, or disclosed; • Ensure that the information to be collected, used, or dis- closed is necessary, relevant, and appropriate to the proper administration of the Texas TNC Law; and • Take all reasonable measures and make all reasonable ef- forts to protect, secure, and, where appropriate, encrypt or limit access to the information. It is notable that Texas law further shields TNCs from civil and criminal liability for any unauthorized disclosure, misuse, alteration, destruction, access or acquisition, or use of PII of drivers that occurs while the information is in the possession of a state public agency.154 Some states, including Texas and Virginia, impose restric- tions on TNCs’ disclosure of passenger and driver data. 
Under these laws, TNCs may not disclose a passenger’s PII to a third party unless: (i) the passenger consents; (ii) the disclosure is re- quired by a legal obligation; or (iii) the disclosure is required to either protect or defend the TNC’s terms of service or investi- gate a violation of those terms.155 Similar to TNC data protection requirements, under New York law, shared electric scooter system operators are barred from disclosing or otherwise allowing access to “trip data, per- sonal information, images, videos, and other recorded images collected by any shared electric scooter system,” except to com- ply with a lawful court order, judicial warrant, or subpoena.156 151 See N.Y. Veh. & Traf. Law § 1698(2). 152 Tex. Occ. Code § 2402.152. 153 Id. 154 Id. 155 Tex. Occ. Code § 2402.153 (“A transportation network company may disclose a passenger’s personal identifying information to a third party only if: (1) the passenger consents; (2) the disclosure is required by a legal obligation; or (3) the disclosure is required to: (A) protect or defend the terms of use of the transportation network company service; or (B) investigate a violation of those terms.”); Va. Code Ann. § 46.2- 2099.53 (“[A] transportation network company shall not disclose any personal information, as defined in § 2.2-3801, about a user of its digital platform unless: 1. The transportation network company obtains the user’s consent to disclose the personal information; 2. The disclosure is necessary to comply with a legal obligation; or 3. The disclosure is neces- sary to protect or defend the terms and conditions for use of the service or to investigate violations of the terms and conditions.”). 156 N.Y. Veh. & Traf. 
Law § 1282 (McKinney) (for the purposes of this section, “personal information” means “information that identifies an individual, including but not limited to name, address, telephone number, and the type and form of payment including credit card num- ber, debit card number, or other payment method.”).

The nation’s 6,800 plus public transportation agencies need to have access to a program that can provide authoritatively researched, specific studies of legal issues and problems having national significance and application to the public transportation industry. Some legal issues and problems are unique to transit agencies.

The TRB Transit Cooperative Research Program's TCRP Legal Research Digest 59: Legal Issues and Emerging Technologies provides transportation attorneys with guidance and resources to assist with these legal changes resulting from the implementation of technology, including regulatory challenges, risk management, cybersecurity, privacy, handling confidential and proprietary information, intellectual property rights, civil rights and environmental justice compliance, labor and employment law, and procurement issues.