Is there a regulatory framework for location data?

Published on 21 July 2021 Cynthia Chassigneux Lawyer, Partner / Langlois Lawyers Article

Analysing location data can help service providers assess whether to boost services in one part of a city versus another, at a particular time of day or in preparation for an upcoming festival, for instance. However, the data used for these analyses is linked to individuals and makes it possible to identify them. City planners and business managers working to improve our ever-changing environment must incorporate the rules for privacy protection into their activities. But what are these rules?

At the Transportation Cybersecurity and Functional Safety Forum, one of the panels was entitled “Data protection for collaborative innovation in mobility.” A key topic of discussion was whether there was a law (or laws) governing this area. The answer is ‘Yes’.

Whether one thinks of information showing the times of use of a bicycle or a car; the route taken from point A to B in the morning and vice versa in the evening; or even information that allows one to locate individuals and inform them about the closest bus or metro lines, all this information is personal.

Information collected by fobs (for those who still have a BIXI fob, for example), mobile apps or RFID tags, like those used in bike or car-sharing services, is linked to individuals and makes it possible to identify them, directly or indirectly. Such devices are often associated with a surname, first name, date of birth, mailing and e-mail addresses, as well as a credit card number.

In Quebec, if a public body—such as a city—or a business wants to collect such information to develop an urban plan or enhance a service offering, it must take into account the laws governing the protection of personal information.

The focus here will be on the Act respecting access to documents held by public bodies and the protection of personal information (public sector) and the Act respecting the protection of personal information in the private sector. Even though, at the time of writing, Bill 64, which aims to modernize these laws, is still under consideration, it is nonetheless possible to identify a few key elements to guide those who collect, use/analyze, distribute and retain such information.

Before collecting personal information or acquiring, developing or redesigning an information system or digital services operation, public bodies and businesses must:

  • have a serious and legitimate interest;
  • identify the purpose for which they intend to collect personal information;
  • collect only the information necessary to fulfil this purpose;
  • identify the factors/risks that may impact the privacy of the individuals affected and put in place measures to eliminate or at least minimize them;
  • inform individuals of, among other things, the purpose for which their personal information is collected; how it is collected; the third parties for whom it is collected or to whom it will be disclosed; the fact that it may be sent outside the province; the length of time it will be retained; their right to access and potentially correct the information; and the name of the person in charge of protecting this personal information;
  • inform individuals that they are using technology that can identify them, locate them or create a profile of them, and, in turn, provide the means to activate these functions;
  • obtain the consent of individuals: consent must be clear, free and informed; it must be given for specific purposes and only for as long as necessary to achieve those purposes.
    • In some cases, such as when biometric characteristics are to be collected, consent must be expressly given, and the Commission d’accès à l’information (CAI) must be informed at least 60 days before the start of any process to capture such characteristics in order to verify or confirm a person’s identity (reference is made here to the Act to establish a legal framework for information technology as amended by Bill 64).

In addition, public bodies and businesses must:

  • establish and implement policies and practices to guide their governance of personal information and to ensure its protection;
  • adopt a privacy policy;
  • adopt security measures to ensure the protection of personal information.
    • In the event of unauthorized access, use, disclosure or any loss of personal information, public bodies and businesses must report the privacy incident to the CAI and the individual affected. This declaration must be made with diligence and with due regard to the fact that there is a risk of serious harm to the person whose information was involved in the incident;
  • enter into an agreement if they intend to disclose personal information without individuals’ consent to a third party who intends to use it for study, research or statistical purposes;
  • destroy or anonymize personal information once the purposes for which it was collected or used have been fulfilled.

As mentioned in the introduction, there are indeed laws governing the processing of location data. These laws are under review and provide for new obligations for public bodies and businesses.

Even if these obligations are not yet in force, it is advisable to consider them in order to anticipate the issues that could arise with regard to the collection, use, distribution and retention of personal information, especially since the future penalties for non-compliance will be higher than at present.

If you have any questions about this topic, please feel free to contact us.

Poursuivre la lecture sur le sujet

Article 14 December 2022

Will industrial strategies chart a new course for the future of Quebec industries?

The Quebec economy—and more broadly the world economy—faces multiple challenges: the climate crisis, supply chain problems, labour shortages, inflation, etc. Quebec has an abundant supply of resources, know-how, and expertise; however, the next points on its agenda should include structuring, developing, and planning industrial activities.

Read more
Article 27 June 2022

Telematic Data: the Key to a Successful Energy Transition

Fleet managers are currently facing the colossal challenge of the energy transition, in order to meet legislative requirements and societal demands. For most carriers, both in the passenger transport sector and in the last mile delivery sector, this green shift has already begun.

Read more
Press release 23 June 2022

Ambition EST 2030 : a roadmap for propelling Quebec to the forefront of the electric and smart transportation industry by 2030

Propulsion Québec, the cluster for electric and smart transportation, is announcing Ambition EST 2030, a roadmap for the electric and smart transportation (EST) industry developed in partnership with Deloitte.

Read more
Article 25 April 2022

Energy transition, the challenge that is shaking up the trucking industry

The U.S. Department of Energy recently released a report containing a vehicle cost analysis for zero-emission medium and heavy-duty trucks.

Read more
Article 27 October 2021

The Mobility of the Future is Smart, Green, Inclusive and Healthy

Innovation is part of our Alstom in Motion 2025 strategy. It has brought us to where we are today, and we want to go even further. With the new scale and combined expertise, Alstom has doubled its innovation capacity and we will support this growth by doubling the financial investments in R&D, up to 600 million euros (875 million Canadian dollars) per year by 2024.

Read more
Article 3 September 2021

Astus – Proud to support IMPULSION MTL 2021

With more than 25 years of expertise in the field of vehicle telematics, Astus is now a key player in the energy and digital transition of mobility and transport.

Read more
Article 22 August 2021

LiDAR and AI in autonomous vehicle commercialization and functional safety

The story of smart, autonomous transportation began nearly half a century ago. In the early 1980s, avionics systems started to replace more traditional mechanical and hydraulic systems through calculators and embedded software.

Read more
Article 22 June 2021

How to develop a successful strategy for your transition towards EVs

To this day, it is not uncommon to see a good number of companies relying on assumptions, sometimes non-global and inaccurate information reports in order to manage their vehicle fleet.

Read more
Article 21 May 2021

Five key Cybersecurity takeaways for the automotive industry

In our ever-changing connected world, digital transformation is affecting every aspect of our lives. The automotive industry is no exception to this evolution: our cars are becoming our best co-pilots, allowing us to plan our trips with real-time data or read and respond to text messages using voice command.

Read more
Article 21 May 2021

Why cyber hygiene should be a top priority

With cybercrime damages expected to cost the world $10.5 trillion annually by 2025, this evolving issue shouldn’t be taken lightly. Threat actors continue to develop new ways to attack organizations,

Read more