The 39th International Conference of Data Protection and Privacy Commissioners produced guidance in relation to the connected cars technology in an effort to bring more structure from a legal perspective to this rapidly emerging area.

Through cooperative intelligent transport systems, connected cars have the ability to update other road users, traffic management systems, and third parties about current driving conditions. This advancement in technology will allow for a better driving experience, however, as the autonomous car industry grows, concern for the protection of personal data and privacy also grows. The collection/processing of this data could be intrusive into the driving behaviours of vehicle users. This data could also be manipulated by third parties if enforcement is not effectively implemented.

The following guidelines were agreed by the Data Protection Authorities:

  • Data Notices must be made available detailing the types of data that will be collected and processed, and who exactly will have access to this data. All data should be anonymised/pseudonymised where possible;
  • Data retention periods must not be longer than actually needed in order to provide the service;
  • Vehicle users should be able to easily access privacy controls and provide consent to data categories of their choice;
  • Vehicle users should be able to restrict access to their personal data but should have the option to still receive vital real time information about hazardous road conditions;
  • Any algorithms to be used in conjunction with this technology should be tested by an independent assessor to verify that discriminatory automated decisions will not be made;
  • If a vehicle is sold, all previous personal data collected must be deleted in its entirety; and
  • Data Protection Impact Assessments (DPIAs) should be carried by manufacturers of connected cars technology to highlight any concerns or non-compliance with the General Data Protection Regulation (GDPR).

It is hoped that this guidance will bring a greater level of certainty to operations in this area in terms of the regulation and usage of data generated by connected cars. This is particularly important in the lead up to the implementation of the GDPR in May 2018.