Rejsekort, the pre-pay system used for public transport tickets in Denmark, has met a new bump in the road as it switches form from physical card to app.
Rollout of the app, launched earlier this year, was put on hold last month after issues were identified with the way the app stores location data.
It now subject to Data Protection Agency scrutiny, the agency’s IT security specialist Allan Frank confirmed to newspaper Berlingske.
“We can see some issues that we will need documentation for and will have to ask for their assessment,” Frank said.
“The documentation we have received has not completely convinced us that it complies with the relative rules. We will therefore need more,” he said.
Frank noted that it is too early to say whether the app had broken the law, but the Data Protection Agency has decided the issue is serious enough to warrant further investigation.
In June, technology journal Ingeniøren reported that the rollout of the app had been paused because it does not anonymise users’ location data.
The app can check users out of their trains or buses automatically by using a “Smark Check-Out” function. This reduces the risk of overpaying a fare because the passenger forgets to check out – a not-uncommon occurrence for users of the regular Rejsekort.
This function relates closely to the nature of the problem because the app tracks users between check-in and check-out, but continues to track them if they have not checked out until the automatic check-out kicks in at 4am the next day.
But – to simplify the technical explanation given by Ingeniøren – the tracking information has not been kept anonymous, as its developer initially said would be the case.
Jens Willars, customer services director of the company which owns the app, Rejsekort & Rejseplan A/S, told Berlingske that the Data Protection Agency investigation was a natural step.
In a written comment to the newspaper, he said that any comments coming from the authority would be taken into account.
Member comments