Responsibility for local storage
In this sandbox project, Ruter will be the controller for the service which provides personalised travel suggestions in the Ruter app. But what responsibility does Ruter have for local storage during the preparation phase?
In the project, we discussed how far this responsibility extends. This is decisive for determining when the obligation to provide information comes into effect. The question has arisen in connection with personal data that Ruter will not have access to.
As a data minimisation measure, Ruter will facilitate the local storage of data on customers' devices during the preparation phase. The purpose of local storage in this project is for Ruter to be able to use the travel data to develop AI at a later stage if the customer consents to this during the development phase. A log, which includes personal data, can then be sent to Ruter’s centre for AI development at regular intervals.
While personal data is stored locally on customers' devices, Ruter will not have access to it. For customers who do not consent to central storage, Ruter will never have access to the data. The customer will also be able to delete favourite trips directly in the app. The customer will be able to delete all other data by reinstalling the app or resetting the phone to factory settings.
Do the data protection regulations apply to local storage?
And if so, what role will Ruter play?
The starting point is that the data protection regulations will apply when processing personal data, cf. Section 2, subsection 1 of the Norwegian Personal Data Act and Article 2 (1) of the GDPR. The first question is whether personal data is processed in accordance with these provisions. The Norwegian Data Protection Authority and Ruter have differing opinions with regard to this. The Norwegian Data Protection Authority is of the opinion that personal data is already processed in connection with local storage. Ruter is of the opinion that this cannot be viewed as processing of personal data in relation to Ruter. Such an interpretation would mean that the data protection regulations will not apply, and that, under the regulations, Ruter will not have responsibility during the preparation phase. However, in the sandbox project we nevertheless further examined the other assessments that need to be made when the Norwegian Data Protection Authority's understanding is used as a basis.
Even if one accepts that personal data is being processed, the regulations do not always apply. There are exceptions that apply if, among other things, the processing of personal data is carried out by a natural person in the course of a purely personal or household activity, cf. Section 2, subsection 2 (a) of the Norwegian Personal Data Act and Article 2(2)(c) of the GDPR. Pursuant to recital 18 of the GDPR, such activities could include correspondence and the holding of address books, or social networking and online activity undertaken within the context of such activities. However, the regulations do apply to controllers or processors that provide the means for processing personal data for such personal or household activities. The customer's own processing of personal data in the Ruter app, in the form of, for example, saving and deleting useful travel searches, will be an activity that falls outside the regulations. In instances such as this, where Ruter does not have access to the personal data, it will also be possible to make exceptions to several of the obligations under the GDPR.
An undertaking is responsible for processing when it determines the purpose of the processing and the means that will be used, see the fact box.
A controller is the party that determines the purpose (i.e. why) and means (i.e. how), of processing personal data, cf. Article 4 (7) of the GDPR.
The controller has overall responsibility for compliance with the data protection principles and the regulations. This follows from the principle of accountability in Article 5 of the GDPR.
The purpose of storing personal data locally is that the customer will later be able to consent to personal data being sent to Ruter centrally for the development of AI. With regard to this storage, in our discussions we arrived at the conclusion that Ruter determines the purpose and means that are to be used. Therefore, for this part of the processing, Ruter will have the role of controller.
Irrespective of whether or not the regulations apply, Ruter plans to initiate measures to fulfil the responsibility that is incumbent upon the controller for this activity. Several of the exceptions to the duties of the controller are nevertheless relevant in the preparation phase, because Ruter does not have access to the personal data. For example, one does not need to fulfil all the rights of the data subjects if it can be demonstrated that the data subject cannot be identified, cf. Articles 11(2) and 12(2) of the GDPR.
For the sandbox project, it is the information requirements that are relevant. Ruter plans to provide information to customers even before the travel data will be stored locally. In the following chapters, we will further examine how.
The discussions in the sandbox project regarding when the responsibility for providing information becomes applicable have revealed some possible paradoxes. Ruter has chosen to use local storage as a data minimisation measure in the preparation phase. If the data protection regulations become applicable during this phase – which is the Norwegian Data Protection Authority’s understanding – a potential consequence is that Ruter will have to ask the customer for access to more personal data than Ruter originally requested. If a customer asks to have a right fulfilled, for example, data portability, Ruter needs to gain access to the personal data in order to fulfil the obligation. Issues relating to responsibility for local storage may be relevant for many actors, irrespective of industry and whether they use AI. The Norwegian Data Protection Authority views this form of data minimisation as positive, and wants to contribute to actors being able to comply with the regulations in a simple and appropriate manner if they select this measure.
Responsibility in accordance with other regulations
In the sandbox project, we have only discussed the responsibility that follows from the personal data regulations. Other legislation can also stipulate obligations for Ruter, for example, the Norwegian Electronic Communications Act. This Act sets conditions for being able to store and gain access to data on the customer's equipment. However, examining the responsibilities that Ruter has under other legislation falls outside the scope of this project.