Single Ticket and the Limits of Privacy
Written by
Odélio Porto Júnior
25 February 2017
The municipal government of São Paulo is seeking to privatize Single Ticket, a public transportation system of electronic tickets. In this model, a passenger buys an electronic card tied to his or her personal ID, and then repeatedly recharges it by buying new electronic tickets. Official city hall advertising states that the system has 15 million electronic cards issued (the metropolitan region of São Paulo has 21 million inhabitants), and that the privatization is an opportunity to sell the Single Ticket database. Companies would then be able to cross-sell using the information generated by public transportation users.
Nowadays 94% of people using public bus transportation do so with the Single Ticket card. The city government seeks to increase the number of card users, either through the convenience the card provides or through negative incentives, such as the proposal to charge more for tickets paid in cash on the bus. Citizens will therefore be compelled to adopt Single Ticket and, in doing so, will have to provide some of their personal data.
What kind of data is collected?
First we must verify what kind of personal data is collected by the current system, so that we can then evaluate the potential risks to citizens' privacy and data protection. The adhesion contract of São Paulo's Single Ticket makes it mandatory to provide the user's identification numbers, residential zip code, date of birth, and a digitized photo. Answering a socio-economic census is optional, but a person seeking free fares based on low income must answer it. If the card is paid for by a person's employer, data about that employer is stored. Students who get free tickets also have to provide data about where they study. A similar system is used in the city of Rio de Janeiro, where, additionally, the state legislature has approved facial recognition on public buses.
Additionally, the data controller has access to the daily routine of the system's users, because it has precise information about which trips are made in the city and by whom. With these data, one can infer a person's income, place of work, and leisure and consumption habits, among other things. It is the cross-referencing of several databases that makes access to this information interesting for companies from other lines of business. In Rio de Janeiro, for example, the private company RioCard, responsible for managing the single ticket, entered into a partnership with Visa in 2016, integrating payment services and public transportation tickets into the same card, the RioCard Duo. It is these kinds of partnerships that will attract the private sector to administer the system in São Paulo. Cross-referencing allows various user habits to be inferred, and these inferences are used in new business models such as targeted marketing, credit score systems, insurance, etc.
What are the limits to the use of personal data?
It is interesting to note that the São Paulo adhesion contract for the Single Ticket does not have any clause about the protection of users' data, how the data are used, for how long, and who is responsible for any violations of privacy. Similar gaps are found in Rio de Janeiro's system. The researcher Joana Varon, from the think (do) tank Coding Rights, warns in a social awareness project called Chupadados:
“If we had a personal data protection law in Brazil, a type of privacy policy would be mandatory. As it is not, these databases can fall into anyone’s hands. And it isn’t a new thing that databases of various kinds are sold out in the market and even accessed on the internet. It’s not by chance that you get advertising from unknown numbers on your cell phone, for example.”
Infographic made by international law firm DLA Piper. In red, the countries considered with the highest level of protection of personal data, according to their legal framework.
The existence of a legal framework for the protection of personal data is important because it would make clearer what the limits on the use of the data are. The current scenario is one of legal uncertainty, because it is not clear what companies and the government can or cannot do.
Despite the delay in comparison with other countries, there are currently some bills in the National Congress that would establish a general regime for personal data protection in Brazil. An important one is Bill Nº 5.276/2016, currently attached to Bill Nº 4060/2012. It was drafted through an online public consultation initiated in 2010 by the Ministry of Justice, in a process similar to the drafting of the Brazilian Civil Rights Framework for the Internet ("Marco Civil da Internet", Law Nº 12.965/2014). The bill was inspired by the European Union's data protection regulation, Directive 95/46/EC, which strongly protects citizens' personal data.
Is the Brazilian user of public transportation protected?
Currently, data protection in Brazil is scattered over several laws (Constitution; Civil Code; Consumer Protection Code; and Brazilian Civil Rights Framework for the Internet).
The lack of comprehensive and systemic protection affects the legal certainty of the Single Ticket. It would be possible to argue legally that the electronic systems used by Single Ticket cannot be categorized as "internet applications" (Article 5, VII, Law 12.965), since they do not use internet infrastructure and TCP/IP, being a closed system like an intranet. If the system is not an "internet application", the company has no obligation to comply with the privacy and personal data protections stated in the Civil Rights Framework for the Internet. Companies therefore wouldn't have to get "free, express and informed consent" for the treatment of data and its provision to third parties (Article 7, VII and IX, Law Nº 12.965).
In addition, there would be no need for the system administrator to make clear to the user the form of “collection, use, storage, treatment and protection of their personal data”, which should be used only for purposes that justify their collection, at least according to Article 7, VIII, Law 12.965.
Consequently, the Single Ticket would only be subject to the protections established by the Constitution, the Civil Code and the Consumer Protection Code. Additionally, it is possible that a judge would apply the Brazilian Civil Rights Framework for the Internet in a case involving the Single Ticket, by means of the interpretation technique of analogy.
Public transport applications for smartphones, by contrast, are categorized as "internet applications", and the personal data collected through them would be covered by the guarantees of the Brazilian Civil Rights Framework for the Internet.
What are the possible solutions?
The lack of a regulatory framework relieves companies and governments from adopting robust protection of privacy and personal data from the start, allowing these players to benefit from a window of deregulation, at least until some court decision affects them or a law on the subject is approved.
The citizen should keep in mind that, nowadays, various business models on the internet are based on the collection of users' data, which brings new services and economic opportunities. The idea of protection should not be based on the old "right to be left alone" of the 19th century. The laws should ensure that the citizen has information about how his or her personal data will be used; they should establish limits on its use in order to prevent abuse; and they should ensure that individuals have minimal control over their data, with the possibility of requiring that data treatment be discontinued. Brazilian society must establish, for these purposes, effective oversight by competent authorities.
Civil society must press for regulations to ensure a minimum level of protection. The services citizens use daily must be continuously inspected in order to guarantee their privacy and personal data protection, regardless of whether those services are public or private.
Written by
Odélio Porto Júnior
Researcher at the Institute for Research on Internet and Society, undergraduate Law Student at the Federal University of Minas Gerais (UFMG). Member of the Study Group on Internet, Innovation and Intellectual Property (GNET). Former member of the Human Rights Clinic (CDH) and of the University Popular Legal Advisory (AJUP), both from UFMG.