Increasingly, the automotive industry is incorporating equipment in vehicles that can collect different types of information such as the location, driving habits or data on vehicle use. In this context, the European Data Protection Board (the “EDPB”) has published guidelines on processing personal data in the context of connected vehicles and mobility related applications (the “Guidelines”). These Guidelines, which are currently subject to a public consultation, set out several recommendations regarding the processing of personal data relating to the non-professional use of connected vehicles by data subjects (e.g. drivers, passengers, vehicle owners, etc.).
There are a number of issues that had already been pointed out in the Article 29 Working Party opinion on Internet of Things regarding the security and control of personal data, although in the case of connected vehicles they may be more sensitive as they also involve aspects related to road safety and the physical integrity of the driver. Furthermore, connected vehicles raise significant data protection and privacy concerns about the processing of location data due to its increasingly intrusive nature.
The Guidelines provide recommendations on the following:
1. Categories of Data:
In the context of connected vehicles it is common to process geolocation data, biometric data or data revealing criminal offences. The EDPB emphasises that the use of this type of data requires the implementation of specific safeguards to prevent the surveillance of individuals and the misuse of data. For example, in the case of geolocation, the EDPB indicates that it can only be used when strictly necessary, and it is recommended to put in place different measures such as using icons to inform the user that geolocation has been activated, giving the option to deactivate geolocation, and defining a limited storage period.
In relation to connected vehicles, personal data can be processed for different purposes such as security, insurance, efficient transportation, etc. These purposes should always be specific, explicit and legitimate and should not include further purposes that may be incompatible with the legal bases applicable to the main purpose.
3. Data Minimisation:
The EDPB emphasises that controllers should only collect and process those categories of data that are necessary for the specific purpose. For example, location data may reveal life habits of individuals that should not be processed in most cases.
4. Data Protection by Design and by Default:
Due to the large volume and diversity of personal data that can be collected and transmitted through connected vehicles, the EDPB points out that the technologies developed in the context of connected vehicles should be configured to respect the privacy of individuals by design and by default. To this end, it is recommended to implement measures to anonymise information as well as to perform data protection impact assessments to identify and mitigate risks prior to data processing.
Before the processing of personal data starts, individuals should be informed about all the aspects required by the General Data Protection Regulation (the “GDPR”). The Guidelines also suggest the use of icons when providing this information.
6. Data Subjects' Rights:
Users should maintain control over their personal data when using connected vehicles, so it is recommended to create or make available a profile management system to store drivers' preferences and help them to easily change their privacy settings at any time. It is also noted that the sale of connected vehicles and change of ownership should automatically result in the deletion of any previous personal data that is no longer required.
7. Security and Confidentiality:
Manufacturers should put in place measures that will ensure the security and confidentiality of the data as well as prevent unauthorised access to it.
8. Data Sharing with Third Parties:
The EDPB recommends that only the controller and the data subject have access to the personal data generated by the connected vehicles. However, the controller may transmit data to the processor when it is necessary to comply with the GDPR requirements. Similarly, data may be transmitted to other third parties, such as commercial partners, if there is a legal basis for doing so. Finally, where personal data is to be transferred outside the European Economic Area, special safeguards need to be implemented to ensure the protection of the data.
The Guidelines also contain several case studies in which the recommendations set out above apply, such as “pay as you drive” insurance, renting and booking a parking space, eCall to 112 and accidentology studies, among others.
Connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers or passengers. Even if the data collected by a connected car are not directly linked to a name, but to technical aspects and features of the vehicle, they will concern the driver or the passengers of the car.