Synthesis of the legal process carried out regarding the implementation of electronic ticketing
Given the governmental decision to implement electronic ticketing, we have submitted a request for information and subsequently initiated a recurso de amparo so that they provide us with the requested information. We will detail below the steps and results of the process.
Despite the fact that some of the information was not provided, we would like to highlight the gesture of goodwill on the part of the Ministry of Public Works and Communications (MOPC) in responding to the request, especially considering that other institutions such as the Interior Ministry have not done so when we requested information on facial recognition cameras.
Background
Through law 5230/14, which “establishes the electronic collection of public transport tickets”, the state established the mandatory digitization of the collection of public transport tickets through an interoperable computer system. The arguments for making the change are the improvement of transparency and of the public service itself.
Taking into consideration that Paraguay does not yet have a personal data protection law, the implementation of this new system raised doubts about how the collection of data, as well as its storage and processing, may have a negative impact on citizens’ fundamental rights. The lack of a legal framework implies that there are no guarantees for the protection and safeguarding of the personal data collected, especially considering that the data would be shared between the government and private companies. This may lead to violations of the rights to privacy and to protest, and jeopardize people’s freedom of expression and of movement.
In order to address these doubts, on April 28, 2019, our executive director Maricarmen Sequera submitted a request for information (using as tool the law 5282/14 on “free access to public information and government transparency”), asking the MOPC to provide details regarding the Electronic Ticketing project. Our intention was to find out what kind of technology will be used, as well as the details of its implementation and the protocols to be followed regarding the processing of personal data.
Furthermore, we asked them to point out the purpose of implementing this system, to indicate what personal data will be collected, stored and processed, for how long it will be stored, and which dependency of the Vice Ministry of Transport or the MOPC will be in charge of the database management. In addition to this, they were asked to indicate if there is a protocol on how to deal with situations of abuse and/or illicit use, as well as if there are protocols for handling sensitive information, such as the one provided by minors and seniors. We also requested that they provide information on what other state agencies and companies would have access to the aforementioned database, and whether impact studies were carried out on the protection of personal data and/or human rights regarding the use of electronic ticketing.
Regarding open data, our director requested that the Vice Ministry detail if the statistical information would be published on the official MOPC portals, specifying whether real-time information would be available. She also asked if there would be an API for public access to statistical information and if the mobile app with the bus information will generate open data so that the information in real time can be used by other applications or services.
On May 3, 2019, the ‘access to public information’ office of the MOPC responded to our request asking for an extension, which is not contemplated in the law on access to public information. In simple terms, it does not establish in any of its provisions the possibility of extending the term for the delivery of information by public bodies. What the law does establish, in its article 16, is the term of fifteen working days to answer requests for public information. In turn, the request for an extension was not based on any factual and/or legal situation, but instead said they were “waiting for the response from the Vice Ministry of Transport”, without providing a specific date to deliver the requested information.
Amparo action
More than two months having passed since the request, and not having received the information in accordance with the law, on July 22, 2019, we filed an amparo action under article 20 of the aforementioned legislation, presented by lawyers Federico Legal and Ezequiel Santagada of IDEA, and in collaboration with the Legal Clinic of Access to Public Information of the Law School of the National University of Asunción (UNA). Article 20 clearly states that if there is no response within the established period, it may be assumed that the request for information was denied. The refusal to provide information on a subject must necessarily be covered by the legislation and cannot be defined motu proprio.
On the other hand, the legislation provides for the possibility that the information requested is of a reserved nature and therefore cannot be provided, but for this to happen it must be expressly classified as such in law. This implies that this figure of exceptionality cannot be used at discretion, but must be covered by a law that determines the information as such.
Based on the foregoing, in the amparo action we alleged that the refusal to provide the requested information was an arbitrary action that violated the fundamental right of citizens to know the processes of implementation of a system, whose operation could in turn, violate other human rights.
On July 29, 2019, the MOPC lawyer presented an answering brief to the Court, requesting the rejection of the amparo action based on a document they had presented. Said document was anauthenticated copy of Memorandum No. 10, dated July 12, 2019, redacted by the Advisory Committee for Processing the Homologation and Implementation of the electronic collection of the public transport ticket which, according to them, provided the answers demanded in the request.
On August 6, 2019, through a final judgment, the Judge resolved to reject the filed amparo action, considering that the presentation of Memorandum No. 10 prevented the existence of a possible injury to a constitutional guarantee.
After this decision, we decided not to file an appeal since, as will be detailed in the following section, it can be deduced that the Ministry does not possess any more information on the operation of the software.
However, we highlight the lack of an annex to the document “Technical Regulations Manual of the SNBE”, which is extremely necessary to answer some of the questions raised.
MOPC’s Incomplete Answer on Electronic Ticketing
The aforementioned Memorandum No. 10 provides answers on some questions: firstly, it indicates that the implementation would initially take place in the Public Transport services of the Asunción Metropolitan Area, to be later extended to other passenger transport services. It also states that, in the beginning, manual and electronic collection will coexist for a period not exceeding 1 year. Regarding regulation, it states that the regulatory authority will be the Vice Ministry of Transport.
The document explains that there would be 3 types of cards:
- “Not registered and/or anonymous” users with general access: they pay full rate. Only their payment and boarding point will be recorded. This information will be used to calculate usage statistics of the transportation system and/or monetary transactions.
- “Registered” users with general access: they pay full rate and voluntarily provide their names, surnames and identity document number in order to protect their balance in case of theft or loss. Only on the basis of complaints can officials access this data.
- Users with special access: they pay reduced fees or are exempt. To enter this group, the respective institutions must grant the corresponding certificates. The type and cost of the fare will be registered, as well as the boarding point. This would apply to people with disabilities and students.
As for the personal data that will be collected, processed and stored, it is stated that in addition to what was already mentioned, the passenger’s date of birth and their geolocation when boarding the bus will be recorded, but there will be no record of the descent. The database with this information will be managed by the Vice Ministry of Transport through the Transport Innovation Coordination, dependent on the Metropolitan Directorate. The VMT will be able to record and verify the system in real time through the Center for Control and Monitoring (CCM). In addition to this, SEDECO (consumer protection) would be accompanying the regulation and implementation of the system. Regarding private companies, the only ones that will have access to the databases are those that are service providers and are legally authorized.
In our article “A Personal Data Law Is Not A Credit Data Law” we explain why it is important that the protection of personal data is considered a human right. In order to safeguard the fundamental rights of citizens, such as the right to freedom of expression, association, demonstration, free movement or privacy, international data protection standards must be applied. With this in mind, and considering that the electronic ticketing system will collect and store personal data, we consider it of utmost importance to highlight the MOPC’s affirmation that there have been no “studies or concrete analyzes” regarding the impact of electronic ticketing on the protection of personal data and/or human rights.
Moreover, regarding the treatment process of personal data, they stated that “they will be kept in safety following international security standards that are being studied, developed and that will be implemented in a timely manner. The companies must develop and implement on their own the mechanisms, controls and measures necessary to safeguard the data”.
In other words, the Ministry began implementing a system that could bring about human rights violations without securing a level of data protection that safeguards citizens. Nor do they clearly establish an exact time when the norms under study would be applied, describing it simply as “timely”. Timely may refer to a convenient or appropriate moment, yet undetermined. When exactly does the state consider it “timely” to safeguard rights?
Regarding our questions about the software’s terms and conditions of use, their answer referred to the technical regulations manual supposedly attached to the memorandum. However, this document was neither attached nor sent to us.
We need a comprehensive law on personal data protection
This case brings out the urgent need for Paraguay to have a comprehensive personal data law, as there are currently no guarantees for the protection of the privacy and security of users’ personal data. The risk of potential human rights violations is very high, given that for many people the use of public transport is a regular and daily activity, and the collected data would make it possible to infer people’s behavior and routines. Having access to these data, one could establish someone’s address, place of work, place of study, among others, which opens the possibility of predicting where a person could be on a certain day at a certain time.
The National Constitution contemplates the right of all people not to be identified and not to reveal their identity. This is included in art. 26 on the right to freedom of expression and demonstration, which states that people have the right to move anonymously through the city without the risk that their routines and movements can be identified.
Additionally, it is especially worrying what the law for the implementation of electronic ticketing expresses in its Article 6 subsection e): “the smart electronic means of payment to be used (…) for the payment of the transportation fee and to enable other uses that allow the user their eventual insertion in different government social programs or commercial uses…”.
What the article establishes implies that the database generated by this ticketing system may be used for other purposes beyond transportation, which would imply the collection of other data. This, as already stated above, would entail a greater risk on fundamental rights and a potential increase in state surveillance.