During the usage phase, Ruter plans to use personal data to predict travel patterns in order to provide travel suggestions, and for post-learning of the AI model. Ruter will also explore the option of using personal data during the usage phase for further development of the relevant service, and Ruter's services in general. The latter could, for example, include the use of statistics that can provide information for other service development, improve traffic planning, reveal which model in the Ruter app works best, and possible other forms of use.
The purpose during the usage phase
Providing information about the purposes of the intended processing of personal data is vital for compliance with the obligation to provide information. Ruter envisions that personal data collected in connection with the use of the AI solution can be useful for a multitude of purposes.
In the sandbox project, we have therefore discussed questions related to purpose limitation, including:
- What purposes does Ruter need to use personal data to fulfil?
- What falls under the same purpose?
- Which of the constructed examples of possible future purposes may be compatible with the initial purpose?
Personal data must only be collected for specified, explicit and legitimate purposes, cf. Article 5 (1) (b) of the GDPR. The purpose or purposes must be defined before the personal data is collected, and must be clearly communicated to the data subjects. The requirement relates to the transparency principle. The manner in which the personal data will be processed must be predictable for the data subjects. This enables them to have greater control over how their personal data is used. When Ruter uses consent as a legal basis for processing the personal data, it is also important for the validity of the consent that Ruter provides clear information about the various purposes and that separate consent is obtained for each separate purpose.
Which processing activities come under the same purpose?
At an overall level, Ruter envisions that these activities may become applicable during the usage phase:
- predict travel patterns to provide travel suggestions
- post-learning by the AI model
- further development of the relevant service
- further development of Ruter's services in general.
All these overarching activities can be divided into several, more specific processing activities. For some of the more specific processing activities, Ruter can already be certain when they collect the data that they wish to carry out these activities at some point in the usage phase. Other processing activities that may be beneficial in the long term are not possible to envisage at such an early stage. This particularly applies to the further development of the service and Ruter's services in general. We have therefore prepared some examples of new requirements that may arise in the future. In the sandbox project, we have discussed what processing activities may fall under the same purpose, and those which may be part of new purposes. We have also discussed whether or not new purposes may be compatible with initial purposes. Use of personal data for compatible purposes will be lawful, provided that Ruter has a legal basis for this.
The Article 29 Working Party (the predecessor to the European Data Protection Board) wrote the following on page 16 of its opinion 03/2013 on purpose limitation:
“For ‘related’ processing operations, the concept of an overall purpose, under whose umbrella a number of separate processing operations take place, can be useful. That said, controllers should avoid identifying only one broad purpose in order to justify various further processing activities which are in fact only remotely related to the actual initial purpose.”
The opinion relates to the principle of purpose limitation in the previous data protection regulations. Since the principle of purpose limitation has been continued in the GDPR, the opinion can still provide guidance under the current regulations. A purpose can therefore be specific even if it encompasses several different processing activities that have a natural connection to the overall purpose.
Ruter has explained that distinguishing between providing travel suggestions and post-learning of the model serves no practical purpose. Travel patterns are constantly changing. For example, travel patterns were more static prior to the pandemic than they are now that people have a more variable working day. Ruter wants to identify these kinds of patterns. Travel patterns are also seasonal, which means that there are major differences in movement patterns between winter and summer. The model therefore needs to be continuously adapted and improved in order to provide accurate travel suggestions. Ruter has noted that the quality of the product will deteriorate if the model does not learn along the way, and that part of the purpose of using AI would then be lost. The same applies to adaptations of the AI model that are not post-learning, for example adjusting the extent to which the AI model should emphasise different elements, as well as the removal of unnecessary elements and errors. Ruter wants to make these needs clear to the customers.
In the sandbox project, we concluded that there could be a sufficient link between the use of personal data in the AI model to predict travel patterns and for post-learning of the model, to enable the processing activities to be considered the same purpose. An overall purpose of offering personal travel suggestions in the Ruter app can also be sufficiently specific. What is of decisive importance is that the processing activities that fall under the purpose need to have a sufficiently close connection. The connection can be close when it is not possible to achieve the purpose of a processing activity without adding an adjacent processing activity.
Page 53 of the Article 29 Working Party's opinion 03/2013 on purpose limitation provides an example of how an overall purpose can often be broken down into several underlying purposes:
“[…] - For example, processing an individual’s claim for a social benefit could be ‘broken down’ into verifying his or her identity, carrying out various eligibility checks, checking other benefit agencies’ records, etc.
- The concept of an overall purpose, under whose umbrella a number of separate processing operations take place, can be useful. This concept can be used, for example, when providing a layered notice to the data subject. More general information can be provided in the first instance about the 'overall purpose', which can be complemented with further information. Breaking down the purposes is also necessary for the controller and those processing data on its behalf in order to apply the necessary data protection safeguards.”
In purely practical terms, Ruter can provide information about the overall purpose in the first layer of information, while information about underlying purposes – such as post-learning and adaptation of the AI model – can be provided in another layer that the data subject can choose to access by clicking on a link.
Another question is whether further development of the specific service for personalised travel suggestions can be categorised under the same purpose. Further development of the service is a rather broad description. Multiple processing activities may be covered by this description. Ruter has explained that by further developing the service they wish to achieve two objectives:
- To further develop to ensure the quality of the personalised travel suggestions, and
- To further develop to provide added value beyond the personalised travel suggestions.
On the one hand, Ruter is continuously working to improve the service, and they claim that there is no point in presenting the product to customers without being able to further develop it. This type of further development could be called maintenance: It is about ensuring quality, not achieving something new. On the other hand, Ruter wants to further develop the service by adding new functions where they see this could provide added value. An envisaged example could be new integrations to guide the customer to make informed and efficient travel choices. Another could be new integrations to guide the customer towards making good ticket selections.
Illustration: Overall purpose: Offer personalised travel suggestions
The illustration shows a proposal for the envisaged division of Ruter's overall purpose, underlying purpose and processing activities. There are smooth transitions between the various processing activities and it can be challenging to define what is covered by one specific purpose.
In order to assess what falls under the same purpose, we again need to look at the connection between the processing activities. Here this pertains to all further development of the service that does not specifically apply to the AI model. Ruter has also explained that it is not possible to clearly state in advance which processing activities will be desirable in the long term. In order for the processing activities to be covered by the same purpose, there must be sufficient proximity both to the other processing activities and to the overall purpose.
In the discussions, we arrived at the conclusion that further development covered by the maintenance category could come under the overall purpose. An example of this could be removing unnecessary elements and errors. The example of adding new integrations to guide customers towards making good travel choices is more difficult to consider as pure maintenance. Such guidance could, for example, be a suggestion to take a more efficient route half an hour before you normally travel. We considered this to be on the borderline of what can be characterised as the prediction of desired travel for the purpose of providing personalised travel suggestions. However, if a wish to implement such an integration arises later, the example is of such a nature that it can be argued that it is covered by the initial purpose, or possibly that it is a new and compatible purpose. The assessment of whether a new purpose is compatible is only applicable when the purpose cannot be defined at the time the personal data is collected. If Ruter already finds, when the data is collected, that such an integration is desirable, they must assess whether it constitutes a new purpose before such collection takes place.
Another conceivable example of a new integration could be that Ruter guides the customer towards making good ticket selections, for example, by purchasing a 24-hour ticket rather than four separate tickets during the same period of time. We found that the latter probably falls outside the purpose of offering personalised travel suggestions. We also discussed whether such envisaged further development could be compatible with the initial purpose. Several elements have to be considered when making the assessment:
Pursuant to Article 6 (4) of the GDPR, when assessing whether a purpose is compatible with the purpose for which the personal data is initially collected, the following must be taken into account:
- any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
- the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
- the nature of the personal data, in particular whether special categories of personal data are processed, or whether personal data related to criminal convictions and offences are processed;
- the possible consequences of the intended further processing for data subjects;
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.
If the processing is predictable when the data is collected, or is a logical next step, this may indicate that the purpose is compatible. The more unpredictable that further processing will be, the more that is required to consider the purpose to be compatible.
It is important to look at how the purpose is perceived by the data subject when assessing foreseeability. On pages 24-25 of its opinion 03/2013 on purpose limitation, the Article 29 Working Party wrote that it is the content, and not the original choice of wording in the explanation of the purpose, that is decisive. The balance of power between the data subjects and the controller may also be of significance in the assessment. Technical and organisational measures may also be important. This is linked to the element relating to the potential consequences of the further processing for the data subjects, see the list of elements under Article 6 (4) above.
Using the personal data to analyse and guide ticket selection is not particularly far removed from the purpose of receiving personalised travel suggestions. However, it may come as a surprise to the data subjects who have consented to one type of analysis of their data to discover that it is also being used for another, different analysis. This argues against the purpose being considered compatible. In the discussions, we came to the conclusion that this example was borderline in terms of what can be considered compatible.
Is further use of statistics compatible?
The Norwegian Data Protection Authority and Ruter also found that improving Ruter's other services would be unlikely to fall under the original purpose of offering personalised travel suggestions. Ruter particularly envisages that it may be applicable to generate statistics on the basis of the personal data, which in turn can:
- provide information for other service development,
- improve traffic planning, and
- reveal which model in the Ruter app works best.
Other further uses for the statistics may also be relevant for Ruter. However, it is difficult to predict exactly what use the statistics may be beneficial for in the future.
In the sandbox project we further examined whether these new purposes can be compatible with the initial purpose.
Illustration: Overall purpose: Offer personalised travel suggestions
The illustration provides examples of hypothetical future purposes.
Pursuant to Article 5 (1) (b) of the GDPR, statistical purposes are not incompatible provided that the controller provides necessary guarantees for protecting the data subject's rights and freedoms, cf. Article 89 (1) of the GDPR.
In recital 162 of the GDPR, statistical purposes are described as: “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results”. The term encompasses a wide spectrum of processing activities, cf. page 29 of opinion 03/2013 on purpose limitation. The use of statistics for both public and commercial purposes is covered. A commercial purpose may be the use of statistics for analysing websites or market research. Measures for protecting the personal data may, among other things, be anonymisation or pseudonymisation, including access control.
The measures must be viewed in connection with the principle of data minimisation. The data must be de-identified and protected to the extent that it is possible to still achieve the purpose.
Ruter is working on solutions for anonymising data for further use. At present, it is challenging for Ruter to achieve the desired purposes through continued internal use if they use true anonymisation. For external use, Ruter can and will anonymise the data.
The statistics that Ruter wishes to use internally will still be processed in such a way that it may be difficult to derive personal data from these in a simple manner. The personal data will therefore be pseudonymised. In the sandbox project we discussed what is required to satisfy the condition of necessary guarantees.
Recital 162 of the GDPR states that: “Those statistical results may further be used for different purposes, including a scientific research purpose. The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person.” In the discussions, we came to the conclusion that this most probably means that the statistics should not be used for purposes that require the re-identification of individuals. We also discussed whether the statistics can only be used for new purposes when personal data can no longer be derived from the statistics. An affirmative answer to that question would appear to contradict the wording of Article 89 (1) of the GDPR. It is only when the purpose can be fulfilled by using anonymous data that the provision requires this, otherwise data minimisation is required.
If personal data is reused for new purposes, information must be provided to the data subjects. Our conclusion is that Ruter should provide as much detail as possible about such reuse already at the point at which consent is given. Other information relating to new purposes must be provided no later than before further processing takes place, cf. Article 13 (3) of the GDPR. This will enable the data subjects to still have the opportunity to protect their rights. The new purposes must still be specified, explicit and legitimate, cf. Article 5 (1) (b) of the GDPR.
What information does Ruter have to provide during the usage phase?
There are a number of similarities between the development and usage phases regarding what information Ruter has to provide and the manner in which this can be done. In the following, we further examine what specifically applies to the usage phase.
Provide information about profiling and how data is processed
As mentioned, Ruter’s processing of personal data for the purpose of offering personalised travel suggestions will involve profiling. See descriptions in the previous chapter of what information must then be provided to the data subjects. Ruter does not know how the underlying logic in the fully trained AI model will function until the project is through the development phase. We therefore do not have specific underlying logic that we can identify in this report. However, we wish to provide an overall statement about what information has to be presented to the data subjects and how this can be presented by Ruter.
When the AI model is ready to be rolled out to users, it is important that Ruter has a good overview of what parameters the model emphasises in its profiling and how this takes place, such that the data subjects may receive information regarding how the model generally determines travel suggestions.
A topic that was also raised in the sandbox is whether the model needs to be changed in order to fulfil the data subjects’ right to information. For example, does one have to select a model that is easier to explain in order to fulfil this requirement? We agree that no changes are required in Ruter's model to meet the requirement for information in this instance. However, we do not rule out that it may be necessary to meet other requirements in the regulations.
Information concerning the use of feedback in the AI model
Ruter wants to make it possible for customers to provide feedback on the travel suggestions through, for example, buttons with a thumbs up or thumbs down image. The company wants to use this feedback to adjust the AI model to enable it to provide more relevant travel suggestions and improve the service. In connection with this, we have discussed that, if the feedback constitutes personal data, Ruter has to provide information in a simple manner on how the feedback will be processed.
How can the information be provided to the data subjects?
Ruter currently has an existing app with which the personalised travel suggestions will be integrated. The company therefore has the opportunity to test different methods of providing information in this solution. The information could, for example, be provided through pop-up windows.
"How do we provide you with personalised travel suggestions?
In the model, we use data about when and where you use our app, and what trips you search for at what time. The model also uses data about which trips other people in your area have searched for, at what time and where they were when they made the search. Based on this, the model calculates our current travel suggestions."
However, this type of wording must be adapted to the underlying logic when it becomes clear to Ruter how this will function. The wording also needs to clarify what personal data is used in the AI model.
It is also important that Ruter provides information in an intelligible manner about, for example, what profiling is and what it means for the customer, as well as the data flow and potential transfers of personal data out of the EEA.
Requirements for information when obtaining consent
Ruter plans to obtain consent for the usage phase through an information page, with a button/tick box which appears in connection with an update to the app. As in the development phase, the minimum requirements for informed consent will already need to have been satisfied in the first layer.
In the discussions, we discovered that the assessments for the development and usage phases will be relatively similar. Among other things, the information on the right to withdraw consent can be formulated in the same manner. What may be different in the usage phase will particularly relate to purpose limitation and further use for new purposes. As mentioned, it is important for the validity of the consent that the information clearly distinguishes between different purposes. Separate consent must be obtained for each new purpose.
The information provided to the data subjects has an impact on the assessments of purpose limitation. The information concerning purpose that is provided when the user's consent is obtained could, for example, influence what may be considered a compatible purpose, see the sub-chapter relating to purpose.