The European Data Protection Board (EDPB) has released new guidance on processing personal data in the context of connected vehicles and mobility-related applications. This important guidance will be mandatory reading for those in the automotive industry, such as vehicle manufacturers, and for other stakeholders including mobile app providers. The guidelines are open for public consultation until 20 March 2020.
Personal data in the connected car context
The concept of connected vehicles under the guidelines is interpreted broadly, so that even standalone mobile applications (i.e. those independent of the vehicle) are covered where the apps assist drivers.
Similarly, the definition of personal data is interpreted widely, and the EDPB confirms that much of the data generated by a connected vehicle constitutes personal data to the extent that it relates to a person who is identified or identifiable. For example, a driver’s identity is personal data, but so are details of journeys made if, by cross-referencing with other files, that information could be related to an actual person.
The EDPB raises a number of issues that arise in the context of connected vehicles and personal data:
- Lack of control and information asymmetry – there is a risk that individuals are offered insufficient functionalities or options to exercise the control they need in order to enforce their data protection rights. Individuals may also not be informed about the processing of their personal data in connection with the connected vehicle in line with legislative requirements;
- Consent – controllers need to pay careful attention to the modalities of obtaining valid consent from different participants, such as car owners or car users. Consent obtained must meet the GDPR requirements and those of the ePrivacy directive;
- Further processing of personal data – consent given for the initial processing does not legitimise further processing for a different purpose, since consent must be informed and specific to be valid. For instance, telemetry data collected during use of the vehicle for maintenance purposes may not be disclosed to motor insurance companies for the purpose of creating driver profiles and offering driving-behaviour-based insurance policies without the user’s consent;
- Excessive data collection – the development of new functionalities may require a large amount of data to be collected over a long period of time;
- Security of personal data – the plurality of functionalities, services and interfaces offered by connected vehicles increases the attack surface and the number of potential vulnerabilities.
The EDPB makes a number of recommendations in order to mitigate the risks for data subjects identified above, including the following:
- Categories of data – certain data generated by connected vehicles is particularly sensitive and may have a particular impact on the rights and interests of data subjects:
  - Geolocation data can reveal the life habits of data subjects, such as religion, by revealing the individual’s place of worship. Accordingly, the vehicle manufacturer, other controllers and service providers should be particularly vigilant not to collect location data except where doing so is absolutely necessary for the purpose of the processing;
  - Biometric data may be collected to enable access to a vehicle or to authenticate the driver/owner. It is important that biometric authentication solutions are sufficiently reliable and that data subjects’ control over their biometric data is guaranteed;
  - Data revealing criminal offences or other infractions – the EDPB notes that personal data from connected vehicles could reveal the commission of a criminal offence or other infraction and therefore be subject to special restrictions. For example, the instantaneous speed of a vehicle combined with precise geolocation data could be considered offence-related data. The EDPB helpfully confirms that it considers instantaneous speed is not, on its own, offence-related data, since it does not by itself reveal an offence, given that speed limits vary by location. However, such data could become offence-related data because of the purpose for which it is collected (e.g. for the purpose of investigating and prosecuting criminal offences), in which case the safeguards set out in Article 10 GDPR would apply;
- Purposes – special attention should be paid to the categories of data collected and personal data should only be collected where relevant and necessary for the processing;
- Local processing of personal data – wherever possible, processes should be used that do not involve personal data, or that do not transfer personal data outside the vehicle;
- Anonymisation and pseudonymisation – if data must leave the vehicle, consideration should be given to anonymising or pseudonymising it before transmission;
- Data protection impact assessments – given the scale and sensitivity of the personal data that can be generated via connected vehicles, it is likely that processing will often result in a high risk to the rights and freedoms of individuals and that it will be necessary to perform a data protection impact assessment (DPIA);
- Information – prior to the processing of personal data, the data subject should be informed of the identity of the data controller as well as a number of other points in line with Articles 13 and 14 GDPR. Such information should be provided in clear, simple and easily accessible terms. The information may be provided in layers, for example by providing some information on the onboard computer. Standardised icons could also be used to enhance transparency;
- Rights of the data subject – controllers should facilitate data subjects’ control over their data through the implementation of specific tools providing an effective way to exercise their rights;
- Security and confidentiality – measures should be put in place that guarantee the security and confidentiality of processed data and the EDPB makes a number of specific suggestions for measures to be taken at paragraph 90 of the guidance;
- Transmitting personal data to third parties – in view of the possible sensitivities of the vehicle usage data the EDPB recommends that the data subjects’ consent be systematically obtained before their data is transmitted to a commercial partner acting as a controller;
- Transfer of personal data outside the EU/EEA – special safeguards are required in this case in line with Chapter V GDPR.
ePrivacy Directive Consent Requirement
Whilst much attention is given to the GDPR, the EDPB guidance serves as a reminder that the ePrivacy directive must be complied with as well.
Article 5(3) of the ePrivacy directive provides that prior consent is required for the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user, subject to certain exemptions. The EDPB notes that the connected car, and every device connected to it, should be considered ‘terminal equipment’.
The result is that the EDPB considers (at paragraph 15) that consent will likely be the appropriate legal basis for storing and accessing information in connected cars and devices, and for the subsequent processing of personal data. Despite this, it is worth noting that the EDPB does recognise that another legal basis (processing necessary for the performance of a contract) can be relied on in certain circumstances (paragraph 106).
Out-of-scope issues include the use of connected cars by employees, and this is an area where more guidance would be welcomed. Additionally, the guidance does not cover in detail the status (whether controller, processor or joint controller) of the various participants, and further clarification in this area would be useful as well.
Given that the EDPB considers consent to be the appropriate legal basis for processing connected car personal data in many, but not all, cases, it would be helpful to understand more clearly where the EDPB draws the line.