If you have followed the news lately, I assume you’ve heard about the European Court of Justice (ECJ) ruling that declared the Safe Harbor agreement with the US invalid. Often, the big players like Facebook, Google or Twitter are cited as the companies that might be disrupted by this ruling. In their cases it is fairly obvious that they collect personal data from EU citizens and transfer them to the US for further processing. However, I wonder whether this ruling has any effect on the construction industry.
To start with, there is a list of US companies available online, which are currently participating in the Safe Harbor agreement. My quick look through the list showed that some large machine manufacturers are participating in the agreement but that’s about it. So, one might conclude that the ruling has no effect on the industry.
But wait, this is about processing personal data! Every company collects some personal data, for example in regard to their employees (bank account details to pay salaries and wages, home address, etc.). These are typical personal data for me. But with an increase in telematics solutions in the construction industry, there is a lot of information about machines collected and processed - mainly on the Internet. So I was wondering again whether these telematics data are personal data or not.
Let’s start with the term: personal data. After some research I came to the understanding that almost every country has its own definition. But as this was a ruling at EU level, I want to focus here on the situation in the EU. An EU directive defines personal data as any information relating to an identified or identifiable natural person. This is still not a very hands-on definition. The national data protection officers from all EU countries (the so-called Article 29 Data Protection Working Party) provided further explanations and some examples of what personal data actually are. For instance, even a statement like "I am always traveling with a towel" should be considered personal data.
It fulfills all three aspects of the definition:
Two further examples (from many interesting ones) are of special interest here. Firstly, a car service record by itself is not personal data. But if it is linked with owner information (e.g. for billing), this service record should be treated as personal data. Additionally, if a service record is used to evaluate mechanics’ performance, it also should be treated as personal data (now the mechanics’ personal data). Secondly, a system to monitor taxis’ positions to optimize utilization & service actually provides only data about the taxi itself. Even if such a system is not used to evaluate driver performance, it can have a considerable impact on drivers as it could be used to check if speed limits are respected or appropriate routes are selected. Therefore, these data may also be personal data.
Back to the construction industry: modern telematics systems collect mainly position data and machine data like fuel consumption or weight information. Looking back at the previous examples, the data collected by telematics systems look very similar to those of the taxi positioning system. In fact, increasing utilization is one of the benefits of a telematics solution, just as it is for a taxi monitoring system. Further, telematics data can be (and are) used for employees’ performance reviews. It is necessary to identify the operator, but imagine that you have only one person with a qualification to operate a specific machine on the jobsite, or that the datasets contain license plate numbers, operator short codes or similar data; then it should be a rather simple exercise. According to the Data Protection Working Party, these data might then need to be considered personal data.
The implication of dealing with personal data is that additional requirements need to be fulfilled. The OECD has issued 7 principles, which need to govern the processing of personal data (adapted from here)
All 7 principles are incorporated in the previously mentioned EU directive, while the US has not implemented them.
As mentioned before, I could not spot any immediate effect of the ECJ’s ruling on the Safe Harbor agreement in the construction industry, but thoughts about personal data might surface issues in the long run. With an increase in telematics systems and more sophisticated features, the likelihood of personal data being collected increases. With the invalidation of the Safe Harbor Agreement, it is likely that providers and users of telematics solutions (on both sides of the Atlantic) need to spend more time and resources to comply with data protection legislation.
Since this topic touches on several legal issues, I need to advise that neither MOBA Mobile Automation nor I give legal advice. Companies should seek information from qualified legal counsel.
What do you think, do you see personal data as a future issue in the construction industry or am I mistaken here?