London's Oyster card and New York's MetroCard have dozens of counterparts abroad, including the Clipper Card in San Francisco, the Octopus card in Hong Kong and the OV chip card in the Netherlands. These systems also retain data including names, addresses, phone numbers, email and credit card details, Privacy International said.
Personal information gathered by companies like TfL is very sensitive and can often be accessed by law enforcement agencies without a warrant, King said. Although law enforcement requests under the U.K. Data Protection Act (DPA) require evidence of relevant legislation or a court order, the situation is different in other countries, King said.
Conflicting laws led to privacy concerns during the introduction of the OV-chip card in the Netherlands, said Anita Hilhorst, spokeswoman for Trans Link Systems (TLS), an organization that was founded by the five largest Dutch public transport companies to implement a single payment system for public transport.
"We started with seven years of data retention at the request of the ministry of Finance," Hilhorst said. Later, the retention period was reduced to two years and after an audit by the Dutch Data Protection Authority, the retention period was reduced further to 18 months, she added.
Law enforcement agencies request OV-chip card data "a couple of times a week," said Hilhorst. The type of information depends on the request and cannot be disclosed by TLS, she said. One reason law enforcement requests OV-chip card data is to track down missing persons, she said. "Those requests are to be handled with great urgency," she said.
Privacy International's main goal is to warn travelers using public transit chip cards that their privacy could be in jeopardy due to legislative shortcomings and the data hunger of law enforcement agencies, King said. "We want to convince companies and authorities to demand a warrant," when law enforcement authorities request private data, he added.
Law enforcement agencies always want to increase the amount of data they can access, according to King. In the U.K., for instance, the new Draft Communications Data Bill, if passed, could be used to increase law enforcement access to personal data of travelers, he said. "The police say the amount of data they can access has been reduced over the years," he said. However, according to Privacy International, the personal data that can be accessed by law enforcement has only grown due to the introduction of the new electronic systems that store and track customer information.