Using MDS Under GDPR
INTRODUCTION
Background & Context
Led by cities and other public agencies that govern the public right-of-way, the Open Mobility Foundation (OMF) develops and promotes open source technology used by cities and operators of mobility services in tools that help government entities manage the public right-of-way. Specifically, the OMF oversees the development of the Mobility Data Specification (MDS), which is designed to help cities manage shared mobility programs (e.g. e-scooters, bicycles, mopeds, cars). MDS provides a standard for mobility operators and cities to exchange data about shared vehicles on city streets.
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation to allow personal data to be safely collected and processed for legitimate use cases. As part of its mission to help MDS users address privacy considerations, the Open Mobility Foundation’s Privacy, Security, and Transparency Committee has engaged with legal counsel to create the following public guidance on MDS in the context of GDPR.
GDPR does not contain any provisions relating specifically to shared mobility data. While EU data protection supervisory authorities have provided helpful guidelines and opinions about the GDPR aspects of mobility data and location data, none of them relate to the specific case of shared mobility. This does not mean that the application of GDPR (and EU data protection laws and regulations more generally) to shared mobility data raises entirely unprecedented issues. Most questions may be addressed with an acceptable level of certainty by relying on more general or comparable case law and authorities’ guidance.
However, certain specific questions – such as when data relating to shared vehicles is to be considered personal data – are not settled, and the analyses provided in this guide are, to some extent, prospective. When and where there is ambiguity, readers of this guide will note that a more cautious and structured approach is recommended.
How to Use This Guide
This resource is specifically designed for cities and companies that wish to stay compliant with GDPR while implementing and using MDS. This guidance is intended to address data that is – or could be – sent to public agencies via MDS in its current form, but not additional data requested beyond that or the mobility provider source data MDS is derived from.
This document has been structured to answer common questions and designed to be useful to a variety of audiences. Section 1 of the in-depth guide is intended to provide an understanding of the legal frameworks at play, while Section 2 is intended to demonstrate how public agencies can comply with GDPR in practice.
For executives and those looking for a general overview, please refer to the summary. Program managers should refer to the short answers provided, which are a summary of the legal justification for each question. For Data Protection Officers, a longer legal justification has been provided for each question and its corresponding answer, which they might find helpful in fulfilling their accountability obligations under GDPR.
In any case, organizing GDPR compliance depends on a case-by-case assessment of the intended processing of MDS data, taking into consideration all specific circumstances (such as domestic laws, contemplated use cases, technical resources and governance) which may vary from one MDS user to another; this Q&A only provides general guidelines as to how such assessment is to be conducted, and a detailed presentation of applicable principles and obligations to comply with.
When and where there is ambiguity, we advise favoring the most privacy-centered option, in compliance with the overarching principles of privacy by design (which are endorsed by Article 25 GDPR). [1]
[1] This view is encouraged by supervisory authorities, who, for instance, recommend that when there is ambiguity about whether a given dataset is personal data or not, data controllers treat it as personal data and protect it accordingly (WP29’s Opinion 13/2011 on geolocation services on smart mobile devices, p.11).
MDS GDPR GUIDANCE DOCUMENTS
Here are the latest OMF guidance documents about using MDS under GDPR:
- MDS 2.0 GDPR Guidance – Introduction, Exec Sum and Short answers
- MDS 2.0 GDPR Guidance – Technical Appendix
This applies to our 2023 release of MDS 2.0.
If you are looking for guidance about MDS 1.2 from 2021, see this page.
