Every day, new and innovative data services from the connected car universe are introduced to the public: telecommunications providers connect the driver to tailor-made insurance products via a mobile app which generates driving and movement profiles; users are offered the opportunity of monetising their data collected from their vehicles by providers ranging from public garage operators to insurers; a German university sets up a connected car test drive in the heart of Berlin to collect IoT data from connected vehicles for research purposes; the list goes on.

Data from connected cars is often personal data

The data collected from connected and autonomous vehicles (CAVs) is not just technical data on the condition of the car, but also personal data relating to the driver or owner. Simple technical details such as speed, acceleration, lane change and brake activation, allow conclusions to be drawn about the driving behaviour of a specific driver. Combined with other data, for example, geolocation data, this can lead to comprehensive profiles being built up which may, depending on the granularity of the datasets, even include sensitive information about visits to, say, a doctor or therapist. Depending on the circumstances and how the data is combined, the created datasets and profiles may allow conclusions to be drawn about a natural person.

Any processing of personal data in the EU and in many other jurisdictions, is subject to data protection laws which govern the way the data is collected and used. In the EU, the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It contains strict rules around the lawful basis for processing personal data, and gives data subjects a number of rights including the right to prevent automated decision making and profiling. For the purposes of this article, we are concentrating on GDPR rather than current EU requirements.

There are a number of grounds which may apply to the processing of personal data from connected cars. Personal data can be processed lawfully in order to comply with a legal obligation, where it is necessary for the performance of a contract, or where it is in the legitimate interests of the data controller, provided these are not overridden by the rights of the data subject. This may cover the processing of personal data for predictive maintenance under certain circumstances, or the use of vehicle registration numbers, again, under certain circumstances. Other processing, however, may only be lawful with the consent of the data subject which, under the GDPR, must be freely given, specific, informed and unambiguous. This presents a challenge to those seeking to exploit the personal data from connected cars.

Further challenges will be imposed by the new GDPR principles of privacy by design (protection of personal data as part of the product concept) and privacy by default (privacy-friendly standard settings). These will force manufacturers to take into account data protection requirements at an early stage and to implement data-minimising factors in connected cars in order to avoid costly retrofitting of their own products and potential fines for non-compliance with the GDPR of up to 4% of annual global turnover or Euros 20m (whichever is higher).

Connected car data – the approach of regulators

Data protection regulators are starting to look at the issue of connected car data, both in the EU and internationally. For example:

Germany

As early as 2014, the German Association of the Automotive Industry (VDA) presented its Data Protection Principles for Networked Vehicles. These were followed by the Joint Declaration of the Conference of the Independent Data Protection Authorities of the Federal Government and the States (Germany) and the VDA of 2016, in which the principle of data sovereignty of vehicle users as an essential component of a proper data protection strategy in the handling of personal data from connected cars was set out.

Taking the new requirements of the GDPR into account, the new German data protection law , Bundesdatenschutzgesetz (BDSG-neu,) was enacted in mid 2017. The German Road Traffic Law was amended to deal with (partly) autonomous driving (Strassenverkehrsgesetz, including controversial new rules on connected car black boxes and came into force on 20 June 2017 (see our article for more). Andrea Voßhoff, the Federal Data Protection Commissioner for Data Protection and Freedom of Information in Germany, joined in the discussion around strategies to protect personal data in the connected vehicle context. On 1 June 2017, she held a symposium on "Data Protection in Automated and Networked Vehicles" in Berlin. At the same time, 13 recommendations for data protection in digitalised transport systems (including connected cars) were announced, including proposals on transparency, privacy by default and measures for data security in connected cars.

Even though the recommendations are not binding, manufacturers will have to take the regulator guidance seriously. Among other things, the regulator requires all information for data collection and use to be visible and accessible via the head unit (car display) and convenience driving functions should always be controlled via data processing processes that run "inside the vehicle". This means that the processing of personal data for such a process is not to be operated “outside” the vehicle, e.g. on a connected (cloud-) server. Given the limited size of the car displays and the increasing importance of cloud services and external IT services which are needed to cope with the enormous amounts of data generated by connected cars, this is not an easy task and complying with the recommendations will pose major challenges for car makers’ development teams.

The VDA's (an association rather than a regulator) new "Neutral Extended Vehicle for Advanced Data Access" (Nevada concept) addresses the privacy and IT security issues in CAVs in Germany. It advocates the approach that vehicle-generated data be initially stored on a neutral server. At this point, the customer can decide on further data use and sharing, including which third parties can receive and use their personal data for other purposes and to what extent. As a general rule, nothing should leave the server without the user's consent. This is a sensible approach in light of GDPR requirements.

France

The CNIL, the French data protection authority, launched a connected car compliance package in October 2017, in consultation with the car industry, insurance companies, telecoms service providers and public authorities. The intention is to provide guidelines on using data privacy by design and default (in line with GDPR requirements), and on how to give individuals control over their data. The CNIL also encourages the processing of personal data locally in the vehicle wherever possible, rather than it being transferred to a service provider.

International regulators

International data protection regulators recently adopted a resolution making recommendations around the processing of personal data from CAVs. The recommendations are aimed at various stakeholders including manufacturers, public authorities and car rental companies. The importance of transparency and granularity is stressed as is the use of data anonymisation and pseudonymisation to reduce the amount of personal data being processed. The regulators also recommend that certain algorithms used in CAVs should be subject to prior approval by an independent body to reduce the risk of unfair automated decisions.

Many data protection issues remain unresolved

As these recommendations remain rather vague and are not binding, they leave certain questions unanswered. When is data from CAVs deemed personal data and when is it (sufficiently) anonymised in order to avoid falling within the scope of the strict data protection laws? Is geolocation data always personal data and how can technical protective measures such as encryption, blurring, hashing or the integration of external anonymisation officers or "trustees" achieve a setup that is acceptable in terms of data protection? How can connected cars be identified in accordance with data protection regulations within machine-to-machine communication and which identifiers should be used for this purpose given the GDPR principle of data minimisation? What are the use cases for vehicle registration numbers to be used without consent? To what extent can data from CAVs be used without the user's consent for predictive maintenance purposes? And how do you obtain legally compliant consent from all relevant data subjects - drivers, owners or even passengers - taking into account the special circumstances in the connected car, such as small displays or the fact that people may be driving while the data is collected?

What’s to take away? CAVs require creative data protection solutions!

If data is the new oil, CAVs provide a potentially bottomless well. Manufacturers, regulators and driver and vehicle associations have understood and appear to want to rise to the challenge of engaging lawful and practical privacy concepts in connected cars, which is to be welcomed. The initiatives of the automotive industry are moving in the right direction. It is to be hoped that the players will succeed in resolving the many questions that remain unanswered regarding data protection and CAVs, in order to exploit their great technical and social possibilities. Developing creative technical and legal solutions will help to make CAVs standard on the road.