The European Data Protection Board (EDPB) has published its draft guidelines on processing personal data in the context of connected vehicles for public consultation. The Guidelines have a wide reach and will apply to more than just vehicle manufacturers. We have summarised the key points and recommendations from the EDPB in the Guidelines below. The public can provide comments to the EDPB until March 20th, 2020. Thereafter, the EDPB will finalize and adopt the Guidelines, as amended following any comments.
Who should read this?
The Guidelines have a broad reach and the EDPB states the Guidelines are directed to “vehicle manufacturers, equipment manufacturers and automotive suppliers, car repairers, automobile dealerships, vehicle service providers, rental and car sharing companies, fleet managers, motor insurance companies, entertainment providers, telecommunication operators, road infrastructure managers and public authorities as well as drivers, owners, renters and passengers”, although the EDPB also states this is not an exhaustive list.
What do the Guidelines apply to?
The Guidelines focus on non-professional use of connected vehicles by data subjects, where personal data is:
- processed inside the vehicle;
- exchanged between the vehicle and the data subject’s personal devices; or
- exported externally from the vehicle (e.g. to vehicle manufacturers or service providers).
The EDPB considers that most data generated by connected vehicles will be considered personal data, since it relates to drivers or passengers. The Guidelines mention that in the context of connected vehicles indirectly identifiable data will generally constitute personal data, such as details of journeys made, vehicle usage data (e.g. driving style or distance), the vehicle’s technical data (e.g. wear and tear on vehicle parts), and metadata (e.g. maintenance status) when this information is cross-referenced with other information such as the vehicle identification number (VIN). As such, the Guidelines may apply to a broad range of applications for connected vehicles, including driver assistance, vehicle maintenance and management, road safety and entertainment.
How does EU data protection law apply to connected vehicles?
The Guidelines cover both compliance with the GDPR and the ePrivacy Directive:
- GDPR: where personal data is processed in the context of connected vehicles, GDPR will apply and controllers must identify an appropriate legal basis for processing personal data under Article 6 GDPR.
- ePrivacy Directive: a connected vehicle, and any device connected to it, is “terminal equipment” for the purposes of Article 5(3) of the ePrivacy Directive. Consent (to GDPR standard) is therefore required for the reading or storing of information in the vehicle or device (unless an exception applies, such as where the processing is strictly necessary for the provision of the service). Since consent will normally be required under Article 5(3) for the initial reading or storing of information in the vehicle, the EDPB considers that consent will generally also be the appropriate legal basis for subsequent processing of that information under Article 6 GDPR (to the extent that the information includes personal data). However, as the ePrivacy Directive is being revised, this could change in the future by providing alternative legal bases for the processing of personal data in this context.
What are the privacy risks associated with connected vehicles?
In the EDPB’s view connected vehicles present a number of potential privacy risks, including:
- Lack of information and control: privacy information may only be given to the original vehicle owner, and not necessarily to other drivers, passengers, or subsequent owners. In addition, certain in-vehicle applications may be triggered without the data subject’s knowledge. Therefore, there is a risk that data subjects may not have the opportunity to control the processing of their personal data.
- Quality of consent: where the processing is based on consent, a lack of privacy information can present a barrier to demonstrating that consent is valid under the GDPR (as the consent may not be sufficiently informed). In practice, consent may be difficult to obtain from drivers and passengers who are not related to the vehicle’s owner (e.g. in the case of second hand, rented or borrowed vehicles).
- Further processing of personal data: where data is collected on the basis of consent under Article 5(3) of the ePrivacy Directive or one of its exemptions, it can only be further processed for another purpose if the controller also obtains consent for that purpose or based on Union or Member State law to safeguard the objectives of Art. 23 (1) GDPR. For example, in the EDPB’s view telemetry data collected for maintenance purposes should not be disclosed to motor insurance companies for the creation of behaviour-based insurance products without the driver’s consent. Further processing based on compatibility (Art. 6 (4) GDPR) shall not be possible.
- Excessive data collection: the development of new in-vehicle functionalities (particularly those based on machine learning algorithms) may require a large amount of data collected over a long period of time. As such, there is a risk of collecting more personal data than is necessary to achieve the application’s purpose.
- Security of personal data: the variety of functionalities, services and interfaces offered through connected vehicles increases the risk of data breaches. Unlike most IoT devices, a security breach involving a connected vehicle could pose serious safety risks for users of the vehicle and people around it, potentially even causing a threat to life.
What does the EDPB recommend?
The EDPB makes a number of recommendations specific to the processing of personal data in the context of connected vehicles:
- Categories of data: in the EDPB’s view certain categories of personal data generated by connected vehicles warrant special attention in light of the risks set out in the Guidelines:
  - Geolocation data: given the ability to infer a detailed profile of a data subject from geolocation data, the frequency of access and the level of detail should be proportionate to the purpose of processing. Information about the processing of geolocation data should be provided to data subjects, and data subjects should have the option to deactivate it at any time.
  - Biometric data: if using biometric data in the context of connected vehicles, data subjects should be offered a non-biometric alternative (e.g. in the case of access controls, a physical key or a code). The biometric data should be stored in encrypted form and compared on a local basis only. The Guidelines also set out a series of measures to ensure the reliability of biometric authentication solutions.
  - Data revealing criminal offences: given the potential for some personal data processed in the context of connected vehicles to reveal the commission of a criminal offence (e.g. instantaneous speed combined with precise geolocation data, or data indicating that the vehicle crossed a white line), this data should be processed locally and subject to strong security measures. The EDPB confirms that in its view instantaneous speed on its own is not offence-related data, although such data could become offence-related data because of the purpose it is collected for (e.g. investigating and prosecuting a criminal offence).
- Local processing of personal data: wherever possible, vehicle and equipment manufacturers and other service providers should not transfer personal data outside the connected vehicle. The EDPB recommends developing a secure in-car application platform that is physically separated from safety-relevant car functions, so that access to car data does not depend on unnecessary external cloud solutions. The EDPB also recommends that only data strictly necessary for vehicle functioning is processed by default, and that data subjects should be able to permanently delete any personal data before the vehicle is sold.
- Anonymisation and pseudonymisation: if personal data must be transferred outside the connected vehicle, consider whether it can be pseudonymised or anonymised to reduce or eliminate the risk of doing so.
- Data protection impact assessments (DPIA): the Guidelines state it is likely that a DPIA will be required when there is processing of personal data in relation to connected vehicles, in particular where personal data is processed outside of the vehicle. As such, it is best practice to conduct a DPIA as early as possible in the design process.
- Privacy information: privacy information must be provided to the data subject. The EDPB recommends that this information should be visible in vehicles and encourages the use of standardised icons (e.g. a light alerting the data subject to the processing of geolocation data), thereby potentially reducing the need for large amounts of written information. The EDPB also recommends that when providing layered privacy notice information in the context of connected vehicles, data subjects should be made aware in the first layer of all the recipients of their personal data. As stated in past guidelines (WP 260), the EDPB’s view is that generally the recipients should be individually named, but if this is not possible, the information should be as specific as possible and indicate the type of recipient by reference to the activities it is carrying out, the industry, sector and sub-sector and location of the recipient.
- Rights of data subjects: vehicle and equipment manufacturers and other service providers should facilitate data subjects’ control of their personal data, e.g. through an in-vehicle profile management system that lets data subjects change their privacy settings at any time. If a connected vehicle is sold, the EDPB states that the change in ownership should trigger deletion of any personal data no longer needed. It is, however, unclear how this is triggered.
- Security and confidentiality: the EDPB recommends a series of security measures for vehicle manufacturers, such as enabling rapid patching of security vulnerabilities, using encryption of data or hashing functions to ensure integrity of data, and separation of vital functions from those relying on telecommunications (such as “infotainment”).
- Transmitting data to third parties: the data subject’s consent should be obtained before their personal data is transmitted to commercial partners acting as data controllers.
- Use of in-vehicle WiFi: data subjects should easily be able to opt out of in-vehicle WiFi to ensure the service set identifier (SSID) of the WiFi network is not used for identification and tracking.
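As an added illustration, not code from the Guidelines or from this summary, the following Python sketch shows how several of the recommendations above (local processing with data minimisation by default, pseudonymisation before export, hashing for integrity, and consent before disclosure to a third party for a new purpose such as behaviour-based insurance) can be applied to a telemetry record before it leaves the vehicle. The record fields, the per-purpose allow-lists, the purpose names and the demo keys are all constructed for the example; the Guidelines prescribe no particular format or mechanism.

```python
import hashlib
import hmac
import json

# Constructed sample record as it might exist inside the vehicle before export.
# Field names are hypothetical; the VIN is a made-up value, not a real vehicle.
SAMPLE_RECORD = {
    "vin": "WVWZZZ1JZXW000001",
    "timestamp": "2020-02-01T08:15:00Z",
    "lat": 48.858370,
    "lon": 2.294481,
    "speed_kmh": 63,              # instantaneous speed: potentially offence-related
    "odometer_km": 45210,
    "brake_pad_wear_pct": 72,
    "maintenance_status": "service_due",
}

# Data minimisation: each export purpose has an explicit allow-list of fields.
# Anything not listed stays inside the vehicle. Precise geolocation and
# instantaneous speed are deliberately absent from the maintenance purpose.
# (Purpose names and field choices are assumptions for this example.)
PURPOSE_FIELDS = {
    "maintenance": ("timestamp", "odometer_km", "brake_pad_wear_pct", "maintenance_status"),
    "insurance_behaviour": ("timestamp", "lat", "lon", "speed_kmh"),
}


class ConsentRequired(Exception):
    """Raised when the data subject has not consented to the export purpose."""


def pseudonymise_vin(vin: str, pseudonym_key: bytes) -> str:
    """Keyed HMAC-SHA256 of the VIN.

    The recipient never sees the key, so it cannot reverse the pseudonym; the
    controller keeps the key in its own key store. Records from the same
    vehicle still share a pseudonym, so this is pseudonymisation, not
    anonymisation, and the output remains personal data under the GDPR.
    """
    return hmac.new(pseudonym_key, vin.encode("ascii"), hashlib.sha256).hexdigest()


def coarsen_location(lat: float, lon: float, decimals: int = 2) -> tuple:
    """Reduce geolocation precision (two decimals is roughly 1 km)."""
    return (round(lat, decimals), round(lon, decimals))


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the integrity tag is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def prepare_export(record: dict, purpose: str, consented_purposes: set,
                   pseudonym_key: bytes, integrity_key: bytes) -> dict:
    """Build the minimal, pseudonymised, integrity-protected payload for one purpose."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    if purpose not in consented_purposes:
        # Data collected for one purpose is not disclosed for another
        # without separate consent.
        raise ConsentRequired(purpose)
    payload = {k: record[k] for k in PURPOSE_FIELDS[purpose] if k in record}
    payload["vehicle_pseudonym"] = pseudonymise_vin(record["vin"], pseudonym_key)
    payload["purpose"] = purpose
    if "lat" in payload and "lon" in payload:
        payload["lat"], payload["lon"] = coarsen_location(payload["lat"], payload["lon"])
    # Integrity: an HMAC over the canonical payload lets the recipient detect
    # tampering in transit (keyed, so a plain hash cannot simply be recomputed).
    tag = hmac.new(integrity_key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_export(exported: dict, integrity_key: bytes) -> bool:
    """Recipient-side check that the payload was not altered after export."""
    expected = hmac.new(integrity_key, canonical(exported["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, exported["tag"])


if __name__ == "__main__":
    # Demo keys only; in a real deployment they come from a protected key store.
    pseudonym_key, integrity_key = b"demo-pseudonym-key", b"demo-integrity-key"
    exported = prepare_export(SAMPLE_RECORD, "maintenance", {"maintenance"},
                              pseudonym_key, integrity_key)
    print(json.dumps(exported, indent=2))
    print("integrity ok:", verify_export(exported, integrity_key))
    try:
        prepare_export(SAMPLE_RECORD, "insurance_behaviour", {"maintenance"},
                       pseudonym_key, integrity_key)
    except ConsentRequired as exc:
        print("export refused, consent needed for purpose:", exc)
```

The two keys are kept separate on purpose: the pseudonym key must never reach the recipient, while the integrity key is shared with it. A keyed pseudonym is still linkable across records of the same vehicle, so it reduces rather than eliminates re-identification risk; where a purpose needs no linkage at all, aggregation or a fresh random identifier per record is the stronger choice.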
The Guidelines also outline five case studies in which the risks and recommendations above are discussed from a practical perspective, including pay-as-you-drive insurance, the eCall system (i.e., the system that prompts a manually or automatically activated call from the car to a public safety answering point in case of a serious accident), features allowing for locating a vehicle when it is stolen, and the storage of personal data on the dashboards of rental cars.
What happens next?
The Guidelines are open for consultation until March 20, 2020. Following the consultation period, the EDPB will issue an updated version of the Guidelines at a later date.