Do you know exactly how much of your data is being collected, by whom, and for what purposes? Our data protection experts examine how much information is collected when you are travelling.
Data privacy in your car
If you watch the popular TV show Hunted, you’ll know that the government can use CCTV, ANPR (Automatic Number Plate Recognition), GPS and Oyster cards to track individuals’ movements. But it’s not just the state that can follow us as we go about our daily lives.
In August 2019, Mercedes-Benz sparked a privacy row when it admitted that it used tracking devices covertly installed in its cars to effectively spy on drivers and pinpoint a vehicle’s exact location. According to Mercedes, the sensors are only used in “extreme circumstances”. This includes when a customer has defaulted on a payment. In such instances, Mercedes would activate the tracker and share car owner information and vehicle location details with bailiffs and car recovery firms.
Worryingly, many people who bought a car from Mercedes had no idea that the car manufacturer could use their data this way.
At Keller Lenkner UK, we would argue that such surveillance is legally very concerning. Not least because tracking a car without the driver’s knowledge is illegal under EU data protection laws.
“Any company that handles personal data should explicitly disclose how this information is gathered and how it could be used. In the case of Mercedes, there has been a shocking lack of transparency when it comes to how it is processing personal data. Yes, there are details about the sensors in the extensive terms and conditions, but Mercedes is undoubtedly aware that these are often misunderstood or not read at all. As such, we believe that the company is playing fast and loose with the data privacy rights of its customers”.
Kingsley Hayes, head of data breach, Keller Lenkner UK
Does car insurance pose a data privacy risk?
Apps that supply data to insurance companies are also raising privacy concerns. For example, car insurance companies are experimenting with charging for insurance based on an individual’s actual driving rather than statistics and algorithms. So, people would let their insurance company watch them drive via an app and then receive a quote based on their actual driving history. But there are significant privacy concerns with this approach. Not least because to work, such apps will have to monitor drivers at all times and cannot be switched off.
For many, a reduction in insurance premiums might be worth it. But we must know what we are signing up to. Because, with a wealth of data to track, where does this stop?
It’s not at all unlikely that, in the future, insurance-based technology could examine the music you listen to or the restaurants you drive to and use this data to make assumptions about you and your driving habits. We should also think about how this information might be shared with third parties.
Uber data breach
In 2018, the Information Commissioner’s Office (ICO) fined Uber £385,000 following a data breach that Uber covered up for a year. In this case, the personal details of approximately 2.7 million UK customers were accessed by hackers. This included full names, email addresses and phone numbers. The records of almost 82,000 UK drivers were also taken during the incident.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
Steve Eckersley, Director of Investigations, ICO
British Airways data breaches
Like other transport providers, airlines must also ensure that sensitive passenger information is kept secure. But customer privacy does not seem to have been a priority after a series of data protection failures at the airlines.
- British Airways Data Breach One (2018): Booking website and app. Almost 400,000 British Airways customers had their personal details and bank cards stolen in one of the most severe cyber-attacks in UK history. In response, the airline is now facing a staggering £183 million penalty by the Information Commissioner’s Office (ICO).
- British Airways Data Breach Two (2018): Reward bookings. When investigating the first data breach, a second data breach was also spotted at the airline. In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. This included card numbers, expiry dates, and card verification value (CVV) numbers. And, a further 108,000 people had their personal details stolen. This hack could have left customers exposed for months.
- British Airways Data Breach Three (2019): e-Ticketing system. Security researchers uncovered unencrypted links within BA’s e-ticketing process. The vulnerability in British Airways’ e-ticketing system may have exposed sensitive passenger information such as email addresses, names, phone numbers and more.
- EasyJet data breach. On 19th May 2020, EasyJet confirmed that it had been the target of a highly sophisticated cyber-hack.
- SITA airline data breach. On 24 February 2021, SITA suffered a “highly sophisticated” attack on its IT systems. SITA is a bookings and reservations system that provides services to many airlines worldwide.
- The Cathay Pacific data breach. In another airline data breach, Cathay Pacific Airways Limited was fined £500,000 by the ICO following a massive data breach. This was the maximum penalty possible in this case because older data protection laws were in place when the breach happened.
Data privacy concerns for the London Underground
According to reports, passengers using the London Underground network are to be tracked via the WiFi beacons on their smartphones. TfL said it would use the data to determine how commuters use the network and send targeted information about avoiding congestion. The move comes following a trial of the system in 2016.
However, as well as using the data to improve its service, experts predict that TfL will commercialise this data. For example, by pricing advertising based on footfall.
While TfL states that it has “pored over” guidance provided by the ICO, it also believes that it is not subject to GDPR because there is no way of directly identifying an individual from their phone signal. Whether that remains the case is yet to be seen, but this could have long-term privacy implications unless a security-first approach is adopted.
Is Big Brother watching?
You might expect to be free from data collection when you are on foot or on your bike. But in our connected online world, this is far from the truth. Your exposure to data harvesting depends on the number and type of smart devices that you own and the apps that you use. But today’s intelligent devices have the potential to collect a vast amount of data about you.
For example, cyclists have been warned about sharing data on ride-tracking apps because they could be helping bike thieves. Also, Google could be keeping a detailed record of your exact movements. In fact, it could know everywhere you have ever been! Check here to make sure your location history is turned off.
And it is not just your own technology you have to think about. The ICO was said to be ‘deeply concerned’ about how AI surveillance systems were being used in central London. In this case, it was revealed that hundreds of thousands of people were being secretly spied on by face-recognition systems. The area watched included King’s Cross railway station. The ICO launched an investigation after concerns about this mass surveillance were reported in the media.
“Scanning people’s faces as they go about their daily business is a potential threat to privacy that should concern us all. That is especially the case if it is done without people’s knowledge or understanding.”
Elizabeth Denham, Information Commissioner, ICO
Minimise the impact of data breaches
Our world is rapidly changing, and technology is here to stay. So, we would not recommend avoiding smart devices or apps, especially as they can deliver enormous benefits. But when signing up for any new service, it is vital to check the small print and make sure you understand how your data is being used.