Vehicles are becoming more than just a means of transportation, and the focus of European data protection regulators is increasingly shifting towards the collection and use of personal information generated by smart vehicles. The latest models integrate sensors and connected on-board equipment to collect and record vast amounts of personal information, such as very specific driving routes, locations visited, driving habits, and potentially even the driver’s well-being. Biometrics (such as fingerprints) are also increasingly used for authentication and identification purposes. And when interfaced with mobile applications, a host of other information about the driver and passengers (such as their interest in music, video, sports, social media and other related activities) can be collected by such smart vehicles.
A number of EU data protection authorities (DPAs) have in recent years published varied opinions on the processing of personal information by vehicle sensors, telematics boxes and driving applications (such as the German Federal Data Protection Commissioner and France’s CNIL). The European Data Protection Board (EDPB) has now weighed in on the topic by adopting Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications (the “Guidelines”). Relevant stakeholders are advised to review and adjust their processing practices accordingly.
Stakeholders using data generated by Connected Vehicles will need to review their data collection, processing and sharing processes and procedures, and ensure compliance with the recommendations set out in the Guidelines and summarized below. This will particularly include the following:
1. Determining whether your organization acts as a company responsible for the processing of personal information (data controller) in the complex eco-system of various stakeholders;
2. Conducting DPIAs as early as possible in the design process, even when this might not be legally required (as a matter of best practice);
3. Ensuring appropriate legal basis under the ePrivacy rules and the GDPR;
4. Integrating privacy by design and default into the Connected Vehicles’ setup;
5. Providing appropriate notices to individuals, and considering best ways and technological solutions to bring them to the attention of the individuals using Connected Vehicles;
6. Ensuring local/in-vehicle processing of raw data as much as possible, and otherwise considering the application of appropriate anonymization or pseudonymization techniques to raw data;
7. Implementing appropriate technical and organizational security measures; and
8. Considering additional measures when processing location, biometric, and other data that could potentially reveal criminal offenses or other infractions.
The Guidelines focus on “Connected Vehicles,” which are smart vehicles that are equipped with electronic control units (ECUs). The ECUs can be linked together via an in-vehicle network as well as connectivity facilities that allow sharing of information with other devices both inside and outside the vehicle. They can include mobile applications that might (i) connect to a vehicle’s entertainment unit or (ii) work as standalone applications that assist drivers or passengers (such as GPS navigation on smart phones). The EDPB does limit the scope of the Guidelines to mobile applications that are related to the driving environment. So other applications that suggest, for example, places of interest (such as restaurants or museums) are out of scope.
While the Guidelines do not cover employee-monitoring issues, they provide useful insights for various Connected Vehicles stakeholders on how to set up a system that is compliant with the EU General Data Protection Regulation (GDPR) and the ePrivacy rules. The wide spectrum of stakeholders that the Guidelines are directed towards includes traditional actors of the automotive industry as well as emerging players from the digital industry. This includes, but is not limited to, vehicle manufacturers, equipment manufacturers, automotive suppliers, car repairers, automobile dealerships, vehicle service providers, fleet managers, motor insurance companies, entertainment providers, telecommunication operators, and road infrastructure managers.
The EDPB leaves no room for doubt whether Connected Vehicles generate personal information. It notes that most of the data collected and processed through Connected Vehicles can be linked to one or more identifiable individuals. This can include directly identifiable data (such as the driver’s identity), as well as indirectly identifiable data. The latter may include, for example, the details of journeys made, the vehicle usage data (such as data relating to driving style or the distance covered), or the vehicle’s technical data (such as data relating to the wear and tear on vehicle parts). Metadata (such as vehicle maintenance status) may also qualify as personal information.
A Connected Vehicle is furthermore considered to be “terminal equipment,” just like any computer, smartphone or smart TV. Compliance with Article 5(3) of the ePrivacy Directive is therefore required. Organizations wishing to store data in a vehicle, or access such data, will need to obtain prior user consent under the ePrivacy rules, unless an exception applies. Additionally, any processing of personal information must also have a legal basis under Article 6 GDPR in order to be lawful. The EDPB provides one example of when user consent is not needed, i.e., when “processing is necessary to provide GPS navigation services requested by the data subject when such services can be qualified as information society services”.
Considering the above, the EDPB sets out a number of specific recommendations for organizations wishing to process personal information generated by Connected Vehicles. Many of the following key recommendations largely reiterate general obligations under the GDPR:
While the EDPB does not consider in much detail which players in the Connected Vehicles eco-system are (jointly) responsible for the processing of personal information (data controllers), it does specifically call out as such:
Connected Vehicles will often result in high risk processing; this will particularly be the case when data are processed outside the vehicle because of the potential sensitivity and scale of the data involved. Where this is the case, a DPIA will be required. The EDPB recommends that all responsible stakeholders conduct a DPIA as a best practice as early as possible in the design process, even where this would not be legally required.
Connected Vehicle technologies need to be designed to minimize the collection of personal information, provide privacy-protective default settings, and ensure that individuals are well informed and have the option to easily modify their privacy settings.
Organizations should consider specific tools to allow effective exercise of individuals’ rights and control over their personal information. In particular:
Individuals need to be provided with a comprehensive GDPR-compliant notice that can be provided in layers. The first level should contain the most important information. The EDPB does not expand on what this information is, except to say that it should include information about data recipients (such as vehicle manufacturers or insurance providers).
Organizations can consider using (i) concise and easily understandable clauses in the vehicle’s purchase or service contracts; (ii) other written forms, distinct documents (such as the vehicle’s manual) or an on-board computer; and/or (iii) standardized icons that can potentially reduce the need for vast amounts of written information. The icons should be used to let the individuals know when certain types of information (such as location) are being collected. The EDPB suggests a light coming on in the vehicle, or moving arrows on relevant screens.
Organizations should consider processing raw data inside the vehicle, thus not transferring it to vehicle manufacturers or insurers. This includes individuals having direct access to the data generated by their vehicles and any associated applications, and being enabled to permanently delete any personal information before their vehicles are put up for sale.
Organizations should also consider “hybrid processing.” The EDPB suggests, for example, that insurance companies should not have access to raw driving data. The data should instead be processed in the vehicle (or by a third party service provider) to generate a “score,” which is then shared with insurance companies.
If it is necessary to transfer data outside the vehicle, organizations should consider anonymizing or pseudonymizing the data first. When anonymizing, the responsible party (data controller) should take into account all processing involved which could potentially lead to re-identification of the data, such as the transmission of locally anonymized data.
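The following is an added illustration of the two recommendations above, the "hybrid processing" model (raw driving data is reduced to a score inside the vehicle and only the score is shared with the insurer) and pseudonymization before data leaves the vehicle. It is example code written for this summary, not code from the EDPB Guidelines or from any manufacturer's or insurer's system. The telemetry samples, the field names, the scoring thresholds, the function names and the key are all constructed assumptions chosen for illustration; a real deployment would define its own score and hold the pseudonymization key with the data controller, not the insurer.

```python
"""Hybrid processing sketch: raw telemetry stays in the vehicle, a derived
score and a pseudonymous vehicle identifier are the only outputs.
All names, thresholds and sample data below are constructed assumptions."""
import hashlib
import hmac
import json

# Constructed sample of raw in-vehicle telemetry: speed in km/h, braking
# deceleration in m/s^2, a GPS fix and the posted speed limit. This is the
# sensitive raw data that the Guidelines say should stay in the vehicle.
RAW_TELEMETRY = [
    {"t": 0, "speed_kmh": 48, "decel_ms2": 0.5, "lat": 48.8566, "lon": 2.3522, "limit_kmh": 50},
    {"t": 1, "speed_kmh": 63, "decel_ms2": 0.2, "lat": 48.8570, "lon": 2.3530, "limit_kmh": 50},
    {"t": 2, "speed_kmh": 70, "decel_ms2": 4.8, "lat": 48.8575, "lon": 2.3540, "limit_kmh": 50},
    {"t": 3, "speed_kmh": 30, "decel_ms2": 0.1, "lat": 48.8580, "lon": 2.3550, "limit_kmh": 50},
    {"t": 4, "speed_kmh": 31, "decel_ms2": 5.2, "lat": 48.8585, "lon": 2.3560, "limit_kmh": 30},
]

HARSH_BRAKE_MS2 = 4.0     # assumed threshold for a "harsh braking" event
SPEEDING_MARGIN_KMH = 5   # assumed tolerance above the posted limit

# Field names that must never appear in data leaving the vehicle.
RAW_FIELDS = {"t", "speed_kmh", "decel_ms2", "lat", "lon", "limit_kmh"}


def compute_driving_score(samples):
    """Derive a 0-100 driving score in the vehicle from raw samples.

    Only aggregate behaviour (share of harsh-braking and speeding samples)
    influences the score; no location or timestamp survives in the output.
    """
    if not samples:
        raise ValueError("no telemetry samples")
    n = len(samples)
    harsh_brakes = sum(1 for s in samples if s["decel_ms2"] >= HARSH_BRAKE_MS2)
    speeding = sum(1 for s in samples
                   if s["speed_kmh"] > s["limit_kmh"] + SPEEDING_MARGIN_KMH)
    # Assumed weighting: harsh braking counts for 60 %, speeding for 40 %.
    penalty = 100 * (0.6 * harsh_brakes / n + 0.4 * speeding / n)
    return max(0, round(100 - penalty))


def pseudonymize_vin(vin, secret_key):
    """Keyed hash (HMAC-SHA256) of the VIN.

    A plain hash would let a recipient recover the VIN by hashing the small,
    structured space of possible VINs. With a key held only by the controller,
    the recipient cannot reverse the pseudonym, but the key holder still can,
    so this is pseudonymization, not anonymization.
    """
    return hmac.new(secret_key, vin.encode(), hashlib.sha256).hexdigest()


def build_insurer_payload(vin, samples, secret_key):
    """What actually leaves the vehicle: pseudonym, score and sample count."""
    return {
        "vehicle_pseudonym": pseudonymize_vin(vin, secret_key),
        "driving_score": compute_driving_score(samples),
        "samples_scored": len(samples),
    }


def leaks_raw_fields(payload):
    """Guard run before transmission: True if any raw field name is present
    anywhere in the outgoing structure (nested dicts and lists included)."""
    if isinstance(payload, dict):
        return any(k in RAW_FIELDS or leaks_raw_fields(v) for k, v in payload.items())
    if isinstance(payload, list):
        return any(leaks_raw_fields(x) for x in payload)
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"   # assumed controller-held secret
    payload = build_insurer_payload("EXAMPLEVIN0000001", RAW_TELEMETRY, key)
    if leaks_raw_fields(payload):
        raise SystemExit("refusing to send: raw telemetry field in payload")
    print(json.dumps(payload, indent=2))
```

With the constructed samples, two harsh-braking and two speeding samples out of five give a score of 60, and the insurer payload contains no timestamps, speeds or coordinates. The `leaks_raw_fields` guard is the kind of check a practitioner would wire into the outbound path so that a later schema change cannot quietly reintroduce raw fields.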
Given that risks to security can endanger the lives of the driver of a vehicle and any number of other individuals, organizations need to consider a number of security measures:
The EDPB points out that the following three categories of personal information warrant special attention because of their potential sensitivity: