Slovenia: Introduction of electronic toll collection for passenger cars and data protection challenges
As time passes and technology develops, the potential for data protection laws to be applied in many different aspects of our lives becomes more and more apparent. In this regard, the collection of tolls from passenger cars may prove no exception. Vesna Ložak Polanec, Attorney at Law at Law Firm Neffat, discusses this issue in the Slovenian context and how the coming use of electronic toll collection can be carried out in compliance with legislation at the EU level.
According to Slovenian media publications and news, electronic toll collection for passenger cars is expected to replace the vignette system and start operating in December 2021. Widespread deployment of electronic road toll systems and electronic collection for passenger cars is desirable, as interoperable electronic road toll systems contribute to achieving the objectives laid down by EU law on road tolls. Implementing the 'pay as you go' principle for passenger cars could be beneficial as it is a very fast and efficient mode for collection of toll charges determined according to the kilometres actually traveled by a passenger car.
However, electronic toll collection could pose a threat to privacy as the implementation and control of electronic tolling is practically impossible without the processing of personal data. The obligation to pay road fees and enforcement of this obligation through the identification of the vehicle, as well as the identification of the vehicle owner, collection of the personal data of this individual for the purpose of ensuring the compliance of the toll charger, and, in cases of infringement, the transmission of data to the authorities, undoubtedly all entail the processing of personal data. Therefore, good legal and technical arrangements regarding implementation of electronic road toll systems need to be carried out. But how is this possible if the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and other EU legislation regarding the road toll systems and toll collection has not yet been transposed into national law? Can this be the manufacturers' or stakeholders' decision and responsibility?
Directive (EU) 2019/520 of the European Parliament and of the Council of 19 March 2019 on the interoperability of electronic road toll systems and facilitating cross-border exchange of information on the failure to pay road fees in the Union1 ('the Road Toll Systems Directive') sets out basic rules regarding electronic toll collection and data protection. Slovenia needs to adopt and publish the laws, regulations, and administrative provisions necessary to comply with the Road Toll Systems Directive by 19 October 2021. Until then, the Directive of the European Parliament and the Council 2004/52/ES of April 29, 2004 on the interoperability of electronic road toll systems in the Community, which has been transposed into Slovenian national law by the Road Tolling Act, is still applicable.
Standards of personal data protection when talking about electronic toll collection for passenger cars and data processing connected to it are set out in the GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector ('the Data Protection Directive'). The Data Protection Directive has been transposed in Slovenia's national law with the Electronic Communications Act2.
The GDPR sets out basic principles relating to processing of personal data, meaning that personal data shall be:
- processed lawfully, fairly, and in a transparent manner in relation to the data subject;
- collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in a manner that ensures appropriate security of the personal data3.
The Road Toll Systems Directive stipulates that Member States shall, in accordance with applicable data protection legislation, take the measures necessary to ensure that the processing of personal data is possible only for limited purposes and within a limited scope (i.e. data relating to the vehicle, Member State of registration, registration number, data relating to the failure to pay a road fee, Member State in whose territory there was a failure to pay a road fee, reference date, and time of the occurrence); ensure that the personal data is accurate and kept up to date with requests for rectification or erasure handled without undue delay; and ensure that a time limit is established for the storage of personal data.
Member States shall also take the measures necessary to ensure that the data subjects have the same rights of information, access, rectification, erasure, and restriction of processing, as well as the rights to lodge a complaint with a data protection authority and receive compensation and an effective judicial remedy, as provided for in the GDPR.
When introducing the electronic toll collection system in Slovenia, it is necessary that technical and legal arrangements concerning electronic toll collection and processing of personal data are explained through the aforementioned legislation and in strict compliance with the basic principles relating to processing of personal data, since the GDPR provisions have not yet been transposed into Slovenian national law.
Electronic road toll charging includes processing of a broad scope of personal data. The data on the movement and locations of passenger cars could have a very high value and there may be a very high risk of the data being used for purposes other than tolling. In light of the GDPR and the Road Toll System Directive, it is therefore necessary that the electronic toll collection system is implemented with respect to principles of data minimisation and Privacy by Design as set out in the GDPR. Processing of personal data needs to be limited as much as possible and any purposes other than the processing of data for the purpose of tolling should be expressly prohibited by law. Only personal data necessary to achieve the legitimate and lawful purpose should be processed and pseudonymised data should be used where possible. The data may be processed for no longer than is necessary to meet the legally permissible purposes. This means that the legislator must specify the scope of personal data, the purpose of processing, the retention period, the appropriate safeguards, and the penalties for breaking the law. National law should also include an individual's right of information, access, rectification, erasure, and restriction of processing, a right to lodge a complaint with the Information Commissioner ('the Commissioner'), and a right to compensation and an effective judicial remedy.
The Commissioner has issued several opinions, press releases, and statements regarding the area of electronic road toll charging in free traffic flow and dangers it poses to personal data protection4, which should be taken into consideration when these solutions are implemented.
The Commissioners' official statements and opinions that the electronic toll collection system should not allow any vehicle tracking (ongoing or subsequent) are commendable. Personal data of drivers who have not violated toll regulations shall not be further processed and shall be discarded as soon as possible. It is also important to use the appropriate system; the Commissioner has already stressed previously that the most appropriate system would be the one in which the data needed for the purpose of toll service would be exclusively under the control of the user, such that the calculation of the toll would be made by the device alone, while the control centre would receive only the sum of the toll spent and no other personal data. This is also compliant with the principles of proportionality and data minimisation and leads to a smaller risk of excessive and inadmissible data collection and data processing.
The aforementioned privacy implications of the introduction of the electronic toll system could mostly be mitigated through an adequate legislative procedure in which strict adherence to the principles of personal data protection is essential. It would be beneficial if the introduction of electronic toll collection for passenger cars was carried out after the Road Toll Systems Directive's implementation into national law, or at least done so in compliance with its provisions. However, toll chargers and service providers are nevertheless obliged to ensure compliance with the fundamental principles of data protection directly on the basis of the GDPR, regardless of the fact that it has not been transposed into national law yet.
Vesna Ložak Polanec Attorney at Law
Law Firm Neffat, Ljubljana
1. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2019.091.01.0045.01.ENG
2. Only available in Slovenian at: http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO6405
3. Summarised from Article 5 of the GDPR
4. See: https://www.ip-rs.si/fileadmin/user_upload/Pdf/razno/Opinion_on_electronic_toll_collection_Information_Commissioner_Slovenia.pdf; https://www.ip-rs.si/en/news/press-release-electronic-road-toll-system-661/; https://www.ip-rs.si/novice/uvajanje-elektronskega-cestninjenja-za-osebna-vozila-1185/