Connected Vehicles and GDPR – A Status Update after the Public Consultation
Many vehicles that were launched in the last few years contain sensors, cameras, a GPS and other data capturing technologies. Very often, the data captured are transmitted to receivers outside of the vehicle to enable service providers (such as vehicle repairers, insurers and telecom operators) to provide services to the driver. Obviously, the use and sharing of such data often raises intricate data protection issues. Like the Dutch Data Protection Authority, the European Data Protection Board (EDPB) published draft guidelines n°01/2020 on the processing of personal data in the context of connected vehicles and mobility-related applications (the Guidelines). The public consultation has now closed and the EDPB will finalise and adopt the guidelines. Hereafter you will find a summary of the main points of attention listed by the EDPB and the main concerns raised by the stakeholders.
1. Who is concerned by the Guidelines?
The Guidelines are mainly directed towards vehicle manufacturers, equipment manufacturers, automotive suppliers, vehicle repairers, dealerships, vehicle service providers, rental and vehicle sharing companies, fleet managers, motor insurance companies, telecommunication operators, mobile app providers as well as drivers, owners, renters and passengers.
2. What are connected vehicles and mobility-related applications (mobile app related to driving)?
The EDPB defines connected vehicles as vehicles equipped with many electronic control units (ECUs) that link together via an in-vehicle network, as well as connectivity facilities allowing them to share information with other devices both inside and outside the vehicle. This covers for instance the mandatory 112 eCall service, GPS, ‘Pay As/How You Drive’ insurances and driver assistance.
3. What is the scope of the Guidelines?
The Guidelines apply to personal data processed in the vehicle, personal data exchanged between a vehicle and personal devices and the transfer of personal data collected in the vehicle to external entities. The Guidelines provide general information and their concrete application with some case studies.
The Guidelines do not cover the professional use of connected vehicles, employee monitoring through company cars, Wi-Fi-tracking and cameras installed on vehicles. In addition, the status of the various participants (as (joint) controllers or processors) is only briefly elaborated.
4. What categories of data may be processed?
The Guidelines put emphasis on compliance with the principles of data minimisation and purpose limitation. The EDPB recommends that only data strictly necessary for the vehicle’s proper functioning be processed by default. As regards other functions and related data, the driver must be offered the possibility to (actively) opt in rather than to opt out (e.g., for Bluetooth).
Geolocation data need particular attention, since such data could reveal the data subject’s behaviour, driving style, habits and visited places (doctor’s office, church, sexual preferences). The EDPB recommends that stakeholders put into place specific safeguards to avoid abuse and surveillance through these data and that only strictly necessary (minimal) data are collected. Data subjects must be properly informed and must be given the option to deactivate geolocation services at any time. This raises risk management and safety issues.
The EDPB further specifies that biometric data should only be processed locally to create a biometric template and should be deleted afterwards. The biometric template should only be stored locally in the vehicle in an encrypted form with state of the art key management and there should always be a non-biometric alternative (e.g. in the case of access controls, a physical key or a code).
Data revealing criminal offences should only be processed in accordance with Article 10 of the GDPR. Moreover, only local processing of these data is advised, so that the data subject retains full control, and strong security safeguards should be put in place.
5. Is consent the only valid legal ground to process data in connected vehicles?
The legal ground for processing personal data generated by connected vehicles will often be prior consent. This is also the case because a connected vehicle can be considered as ‘terminal equipment’ under the ePrivacy Directive.
Consent must be collected from every vehicle user whose personal data are collected. In practice, consent may be difficult to obtain from drivers and passengers who are not related to the vehicle’s owner (e.g. in the case of second hand, rented or borrowed vehicles) (see below), which raises concerns.
The consent must be compliant with the GDPR and the EDPB’s recently issued guidelines n°05/2020 on consent. It must be free, informed and specific for each processing purpose. In order to be valid, the consent must be given separately and cannot, for example, be given at the same time as signing the purchase agreement of the vehicle or accepting the general terms and conditions. In case of a lack of specific information on the processing of personal data, the consent may not be sufficiently informed and thus null and void.
As consent needs to be specific, initial consent cannot justify further processing of personal data without obtaining a new consent or basing the processing on another legal ground. Hence, according to the EDPB, telemetry data collected for maintenance purposes should not be disclosed to insurance companies for the creation of behaviour-based insurance products without the driver’s consent. The data subject’s consent should be obtained before their personal data is transmitted to commercial partners acting as controllers. The practical application hereof is criticised by the insurance sector.
However, the EDPB seems to recognize that, under certain circumstances, like a ‘pay as you drive’ insurance, the insurance companies can rely on Article 6 (1) (b) of the GDPR (processing necessary for the performance of a contract) for the processing of personal data following the storage or access to the end user’s terminal equipment. Moreover, where there is a legal obligation to process personal data, the EDPB considers Article 6 (1) (c) of the GDPR to be applicable (e.g., Article 6 of Regulation (EC) No 715/2007 and Article 61 et seq. of Regulation (EU) 2018/858, which applies from 1 September 2020).
6. When and how must information be provided to the data subject?
Complying with the information obligation in the context of connected vehicles might constitute a challenge. Indeed, the buyer and/or owner of the vehicle is not necessarily the driver of the vehicle. At the same time, the controller should comply with its information obligation towards all (potential) users of the vehicle.
The Guidelines suggest that a fair processing notice is shown every time the vehicle is started. The EDPB further suggests improving the readability and understanding of such fair processing notice by the data subject through the use of (standardised) icons (e.g. a light alerting the data subject of the processing of geolocation data). Moreover, fair processing notices should be available in the language of the data subject.
The EDPB also recommends that when providing layered fair processing notices in the context of connected vehicles, data subjects should be made aware in the first layer of all the recipients of their personal data (at least the type of recipient by reference to the activities it is carrying out, the industry, sector and sub-sector and location of the recipient).
According to the manual on connected vehicles issued by the Dutch Data Protection Authority (the Autoriteit Persoonsgegevens), the full privacy notice can be made available to the data subject (i) via the website of the manufacturer, importer, dealer or rental company; (ii) as part of the information the data subject receives with each software update; and (iii) via the vehicle's instruction booklets or manuals.
7. How to allow the data subject to exercise his/her rights?
The EDPB suggests implementing different user profiles to enable every user of the vehicle to provide his/her consent separately (if needed), to choose which data can be processed and to exercise his/her rights as a data subject under the GDPR. For instance, data subjects should be able to permanently delete any personal data before the vehicle is sold.
8. Where should personal data be stored?
Controllers need to comply with the principles of privacy by design and privacy by default. Storing personal data locally on the vehicle is a good way of safeguarding such data (in order to mitigate the potential risks of cloud processing), since in that manner the data do not leave the vehicle and are under the full and exclusive control of the data subject.
The EDPB recommends developing an in-vehicle platform to manage in-vehicle applications. This in-vehicle platform should not itself be connected to the cloud, unlike certain security functions that are. If not all data can be processed locally, hybrid processing is an option, where only the personal data that cannot be processed locally are processed externally, while all other personal data are still processed locally.
In the event personal data are transferred to third parties, if possible, such personal data should be anonymised or pseudonymised. Data should only be stored as long as is necessary for the provision of the services.
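The following is an added illustration of the two recommendations above (minimise and pseudonymise before a third-party transfer), written for this summary; it is not code from the EDPB, the Dutch authority or any manufacturer. It assumes a hypothetical maintenance partner that needs only the odometer reading and timestamp, a keyed pseudonym derived with HMAC from a key that stays with the controller, and a retention window expressed in days; the telemetry record and the key are constructed sample values.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed sample record, as it might exist locally in the vehicle.
# The VIN and coordinates are made up for this example.
SAMPLE_RECORD = {
    "vin": "WVWZZZ1JZXW000001",
    "driver_profile": "driver-2",
    "timestamp": "2020-06-01T08:15:00+00:00",
    "lat": 50.84673,
    "lon": 4.35247,
    "speed_kmh": 47,
    "odometer_km": 12345,
}

# Hypothetical per-purpose allow-list: the maintenance partner gets nothing else.
MAINTENANCE_FIELDS = {"timestamp", "odometer_km"}

# Constructed controller-side key; the recipient never receives it.
CONTROLLER_KEY = b"example-key-held-only-by-the-controller"


def pseudonymise(identifier: str, key: bytes, purpose: str) -> str:
    """Keyed pseudonym (HMAC-SHA256). Stable for one purpose, so the
    recipient can correlate records for the same vehicle, but unlinkable
    across purposes and not reversible without the controller's key."""
    mac = hmac.new(key, f"{purpose}:{identifier}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def within_retention(record: dict, now: datetime, retention_days: int) -> bool:
    """Only records younger than the retention window may still be held or shared."""
    ts = datetime.fromisoformat(record["timestamp"])
    return (now - ts).days < retention_days


def prepare_for_transfer(record: dict, key: bytes, purpose: str, allowed_fields: set,
                         now: datetime, retention_days: int):
    """Return the minimised, pseudonymised copy to send, or None if the record
    is outside the retention window. Direct identifiers and geolocation are
    dropped unless the allow-list explicitly names them."""
    if not within_retention(record, now, retention_days):
        return None
    out = {k: v for k, v in record.items() if k in allowed_fields}
    out["vehicle_pseudonym"] = pseudonymise(record["vin"], key, purpose)
    return out


def contains_direct_identifiers(payload: dict) -> bool:
    """Last check before the payload leaves the vehicle."""
    return any(k in payload for k in ("vin", "driver_profile", "lat", "lon"))


if __name__ == "__main__":
    now = datetime(2020, 6, 2, tzinfo=timezone.utc)
    payload = prepare_for_transfer(SAMPLE_RECORD, CONTROLLER_KEY, "maintenance",
                                   MAINTENANCE_FIELDS, now, retention_days=30)
    print(payload)
```

The allow-list is deliberately per purpose: a second partner (say, an insurer) would get its own field set and, because the purpose string is part of the HMAC input, a pseudonym that cannot be joined to the maintenance partner's records. Real deployments would keep the key in the vehicle's secure key store and rotate it; the example keeps it as a constant only so that it runs offline.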
9. What specific security measures should be implemented?
Unlike a breach of most Internet of Things (IoT) devices, a security breach involving a connected vehicle could pose serious safety risks for the users of the vehicle. Hence, appropriate security measures must be implemented. This includes the use of encryption.
10. Must a DPIA be carried out?
The Guidelines state it is likely that a data protection impact assessment (DPIA) will be required when there is processing of personal data in relation to connected vehicles, in particular when biometric data, geolocation data or information relating to criminal offences is transferred outside of the connected vehicle.
Also from a more general point-of-view, the Guidelines are interesting, since the EDPB confirms that the Working Party 29’s 2016 guidelines on transparency and 2014 guidelines on anonymisation are still relevant today.
The public consultation on the Guidelines is now closed. Companies in the automotive, telecom and insurance sectors have raised a number of important concerns with respect to the content of the Guidelines. It remains to be seen how the EDPB will respond to these valid concerns and to what extent it will amend the Guidelines.