MaaS surveillance: Privacy considerations in mobility as a service

The concept of Mobility as a Service (MaaS) is seeing increasing attention from researchers, industry, and the public sector. MaaS, which posits that traditional models of car ownership and travel may be supplanted by models focused on packages of shared vehicle access, use of public transport, active transport, and teleworking, is currently viewed as having potential beneficial impacts including reductions in single-occupancy vehicle trips, with concomitant reductions in travel cost, congestion, and environmental concerns. MaaS, however, relies upon a number of social expectations, including trust, reliability, and transparency, each of which is reliant upon both the social network that enables MaaS to work efficiently, and upon the ways in which data are handled within the enabling framework. In light of this, it is anticipated that the recently-enacted General Data Protection Regulation (GDPR) has the potential to significantly impact upon the further implementation of MaaS. MaaS services are predicated upon the sharing of personal travel information (vehicle availability, origins, destinations, financial information, social network data, etc.) that, under GDPR, may be considered personal, subject to the regulations and restrictions this categorisation implies. For MaaS to work in a European context, then, it must be responsive to GDPR requirements related to issues such as Privacy by Design, Consent, and Protection. In this paper, we explore the concept of MaaS in relation to privacy considerations raised by GDPR requirements, with attention to methods and techniques related to relevant data acquisition, sharing, and protection processes. A case study of the Whim application’s privacy policy is presented to demonstrate the potential implications of this policy in an applied context.