The Conference of the German Federal and State Data Protection Authorities adopted the resolution “Data Protection in the Car” at its last meeting on 8 and 9 October. The resolution expresses a concern about what it describes as privacy risks involved in the growing collection and processing of personal data in cars, and the interests of various actors (car manufacturers, service providers, insurance companies, employers) in using those data.
The resolution outlines several obligations of car manufacturers, dealers, repair shops, and providers of communication services.
The most surprising element of these statements is that any processing either must be contractually agreed upon, or must be based on an explicit consent. This fails to consider the EU principle in Article 7(f) of the EU Data Protection Directive that legitimate purposes may justify the collection and processing of personal data. The use of legitimate interests has most recently been confirmed by the Article 29 Working Group in its Working Paper 223 (Opinion 8/2014 on the Recent Developments on the Internet of Things, adopted on 16 September 2014).
The other obligations restate principles that have frequently been quoted in the context of connected cars (but now for the first time by the German Data Protection Authorities):
- Manufacturers and service providers must observe “privacy by design” and “privacy by default” when developing new products or services.
- All data processing must observe the principles of data avoidance and data minimization, and data must be deleted when no longer needed.
- Drivers, owners and users of cars must have complete transparency. This requires complete and understandable information about which data are collected and processed, which data are transferred to whom via which interfaces and for which purpose. All changes must be notified in a timely manner. The concerned persons must be in a position to inform other users.
- Even if the transfer of personal data to a manufacturer or a service provider is contractually agreed or based on consent, the driver, owner and user must be in a legal and factual position to recognize, control and stop such data transfers. There must be freedom of choice for any privacy-relevant system setting, and a broad right to delete data.
- Data security and integrity must be safeguarded by appropriate technical and organisational measures. This applies in particular to data communications from cars.
Although the resolution recognises these existing obligations, it states that the Data Protection Authorities will work with car manufacturers, suppliers and their industry associations to set uniform data protection standards at a high level.
The resolution follows the 2012 publication by the German Data Protection Authorities of a template notification for the collection and processing of personal data in cars, agreed upon between the German automotive industry and the Bavarian Data Protection Authority. The purpose was to inform consumers, in the user manual, about data collection and processing for technical and security purposes.
The new resolution has the potential to have a broad impact on the privacy afforded to connected car users in view of the global importance of the German automotive industry.