Daily Northern

Nordic News, Every Day

Menu

Danish Data Protection Agency launches investigation into Rejsekort app over privacy concerns

Thursday 11th 2024 on 15:51 in  
Denmark

After several months of problems and criticism of the Rejsekort app, the Danish Data Protection Agency has initiated an investigation. The probe focuses on the app’s collection and storage of personal data, as it is suspected of potentially overinvasive monitoring of users.

The issue arose from the app’s misjudgment of whether the data were anonymous or pseudonymized. Pseudonymization means the data can ultimately be linked to specific users. It was revealed that the data weren’t as anonymous as previously believed.

The Rejsekort app, rolled out to its first users on April 9 this year, recently sent an email to its 60,000 users. The email informed users that the data they were told would be anonymized, hadn’t been. Instead, location data – information about where the app users are – had been pseudonymized.

The difference between anonymous data and pseudonymization can best be compared with the board game ‘Guess Who’, explains Allan Frank, a lawyer and IT security specialist at the Danish Data Protection Agency. If you have enough information to trace back to the bespectacled man with red hair with the information you have available, it is pseudonymization. But if you can’t trace back to him with the information you have, he is anonymized.

Users of the app are also receiving a “simplified version” of the message via a notification today. The company behind the app, Rejsekort & Rejseplan A/S, has recently sent out emails to make users aware of the update to the terms and privacy policy in the app.

These emails revealed that the location data stored when a check-out is missed, which was supposed to be anonymized after the system determined the user’s final destination on the journey, was only pseudonymized, meaning it can be characterized as person-specific. It was also reported that this data will now be stored for two months instead of three years, as it has been until now.

The Rejsekort app has been under scrutiny before. Users have to allow the app to track their location all the time if they want to use it. Therefore, data ethics advisor Pernille Tranberg can understand if there are users of the app who are considering whether they should continue to use it. However, it depends on who you are and what matters to you, she explains.

If you fully trust the Rejsekort company and think convenience is the most important thing in the world, then you can give them your data. But if you are someone who cares that public and semi-public agencies don’t sit on all possible data about you, then I would demand to get a different version of the app.

Rejsekort & Rejseplan A/S plans to introduce an alternative to the Rejsekort app in 2025 for customers who want to travel completely anonymously. This solution will cater to customers who want to travel completely anonymously, as they can pay for their tickets with cash, for example.

In response to the Danish Data Protection Agency’s investigation, the company has stated that it will “naturally ensure that the Danish Data Protection Agency gets the necessary insight” for the investigation.

“We think it’s natural that the Danish Data Protection Agency is interested in a new product on the market – especially when there has been a debate about the collection of personal data and data mining,” writes Jens Willars, customer director at Rejsekort & Rejseplan A/S.