The automobile industry has been working for many years with (partially) automated manufacturing processes and intelligent control systems in vehicles. The rapidly advancing networking of individual components and systems creates a flood of interconnected data sets. Generally classifying such “machine data” as “not personal” carries considerable liability risk.
As a matter of fact, conclusions about people and their behavior can frequently be drawn directly or indirectly from machine data and component data.
In the production of vehicles or vehicle components, conclusions can be drawn about the behavior of the people who operate or control the machine based on data from the manufacturing machinery. Data from vehicle assistant systems permit conclusions to be drawn about the driver, his driving behaviors and even his whereabouts. In this way, pure machine data become personal data that are subject to the German and European regulations on data privacy protection – with far-reaching consequences for the data security requirements and the drafting of contracts between the manufacturers, operators, users and service partners.
For our clients, we devise the oftentimes complex contractual agreements with partners, service providers and customers, and also ensure the fulfillment of statutory information obligations. This involves already considering and implementing the requirements of the EU General Data Protection Regulation, which have grown considerably.
The personal nature of such data substantially limits the usability and re-usability of the data. We therefore also support our clients in developing and implementing strategies for aggregating and anonymizing personal machine data. The goal is to obtain meaning from the data without retaining the relation to individual persons, and thereby to guarantee the business value of the data without risks for the personal rights of end clients or employees.
Conclusion: Even data that is purportedly pure machine data can legally qualify as personal data. Contracts and information from customers and employees must take this into account. The requirements for such contracts and information material will change significantly with the EU’s General Data Protection Regulation. Companies should not underestimate the effort of reviewing their existing documents.