On October 3, 2016, at the Paris Motor Show, the French Data Protection Authority (“CNIL”) reported on the progress of a new compliance pack on connected vehicles. The work was launched on March 23, 2016, and should be finalized in Spring 2017.

The compliance pack on connected vehicles will contain guidelines regarding the responsible use of personal data for the next generation of vehicles. It is currently drafted in cooperation with the automobile industry, innovative companies from the insurance and telecommunications sector, and public authorities.

The CNIL will distinguish between the three following scenarios:

  • “IN -> IN” scenario
    The data collected in the vehicle remains in that vehicle and is not be shared with the service provider (e.g., an eco-driving solution that processes data directly in the vehicle in order to show eco-driving tips in real time on the vehicle’s dashboard).
  • “IN -> OUT” scenario
    The data collected in the vehicle is shared outside of the vehicle for the purposes of providing a specific service to the individual (e.g., when a pay-as-you-drive contract is purchased from an insurance company).
  • “IN -> OUT -> IN” scenario
    The data collected in the vehicle is shared outside of the vehicle to trigger an automatic action by the vehicle (e.g., in the context of a traffic solution that calculates a new route following a car incident).

The CNIL recalled the following:

  • All data that may be attributed to an identified or identifiable individual (e.g., via the license plate number or the vehicle serial number) qualifies as personal data subject to the French Data Protection Act and the EU General Data Protection Regulation (“GDPR”). Information on the vehicle condition, the number of miles driven and driving style is personal data to the extent that this information may be attributed to an individual.
  • The compliance pack is intended to raise awareness amongst the automotive sector’s economic operators of the transparency and fairness principles when collecting personal data. Accordingly, operators should at least provide notice to individuals and even seek their consent. The CNIL recognized, however, that implementing an opt-in mechanism each time the vehicle is started may affect the driving experience. The data processing rules should be defined on a case-by-case basis, taking into account the scenario adopted, the type of data collected and users’ legitimate expectations.
  • Operators should adopt a Privacy by Design approach. This may include the implementation of easily configurable dashboards in order to ensure that individuals keep control over their data.
  • The CNIL encourages stakeholders to prefer the “IN -> IN” scenario that involves processing personal data locally, within the vehicle.

Compliance packs are a new toolkit developed by the CNIL to identify and disseminate best practices in a specific sector while simplifying the formalities to register the data processing for organizations that comply with such practices. They assist various stakeholders in the industry to prepare for the GDPR.