Draft guidelines published by the European Data Protection Board (“EDPB”) highlight the significant data protection and privacy concerns which arise in relation to connected vehicles and mobility related applications. The Guidelines outline the applicability of both the GDPR and the ePrivacy Directive in this context. The EDPB’s view is that consent should generally be the legal basis for the processing of personal data in relation to connected vehicles.
The Guidelines are open for public consultation until 20 March 2020 and will be of particular interest to vehicle manufacturers, rental and car sharing companies, motor insurance companies and public authorities, as well as drivers, owners, renters and passengers of connected vehicles.
Scope of the Guidelines
The concept of a connected vehicle is broad and is defined by the EDPB as a “vehicle equipped with many electronic control units that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices both inside and outside the vehicle”. The Guidelines specifically apply to both connected vehicles and mobile applications that relate to driving. For example, applications which provide information to drivers on weather conditions or traffic congestion, applications which monitor a driver’s ability and fitness to drive, and applications which involve partially or fully automated driving all fall within the scope of the Guidelines.
The GDPR applies to the processing of all personal data generated by connected vehicles. In addition, the Guidelines confirm that the ePrivacy Directive is also partially applicable. According to the EDPB, a connected vehicle and all devices connected to it are to be considered ‘terminal equipment’ (similar to a computer, a smartphone or a smart TV) for the purposes of Article 5(3) of the ePrivacy Directive. Article 5(3) of the ePrivacy Directive requires prior consent for the storing of information or the gaining of access to information already stored in terminal equipment, except in limited circumstances. The EDPB reiterates that consent for the purposes of the ePrivacy Directive should be construed as GDPR-standard consent.
The EDPB further indicates that consent “will likely constitute the legal basis” for both the storing and gaining of access to information (for the purpose of the ePrivacy Directive) and any subsequent processing of personal data (for the purpose of the GDPR). The Guidelines stress that, according to the EDPB, “article 6 of the GDPR cannot be relied upon by controllers in order to lower the additional protection provided by article 5(3) of the ePrivacy Directive”.
The EDPB’s view is likely to be contentious. In principle, it should be possible to rely on alternative legal bases for processing under Article 6 of the GDPR in certain circumstances. Indeed, the EDPB appears to concede this point in a number of the case studies considered in the Guidelines. For example, in the context of ‘pay as you drive’ insurance, the EDPB accepts that insurance companies can rely on Article 6(1)(b) (processing necessary for the performance of a contract) for the processing of personal data that follows the storage of, or access to, information on the end-user’s terminal equipment. Moreover, where there is a legal obligation to process personal data, the EDPB considers Article 6(1)(c) to be applicable.
What personal data is involved?
Connected vehicles have the potential to collect and process vast amounts of personal data. The EDPB considers personal data to include directly identifiable data such as a driver’s name or fingerprint and indirectly identifiable data such as details of journeys made, data relating to driving style or distance covered.
The EDPB has identified three categories of personal data which warrant special attention:
- Geolocation data: The EDPB considers geolocation data to be particularly invasive as it may reveal many personal aspects of a data subject’s life. Industry participants must be “particularly vigilant” not to collect location data except where “absolutely necessary” for the purpose of processing.
- Biometric data: Biometric data may include fingerprints, eye movements, facial recognition or voice control used by connected vehicles to enable certain functions. Given the sensitive nature of biometric data, the EDPB recommends that such data should be stored locally in the vehicle (so that templates never leave the device on which matching takes place) and that the use of biometrics should not be mandatory for data subjects.
- Data that could reveal criminal offences or traffic violations: In certain circumstances, personal data from connected vehicles could reveal the commission of a criminal offence, e.g. the instantaneous speed of a vehicle combined with precise geolocation data could be considered offence-related data. As such, appropriate safeguards are required to protect the rights and freedoms of data subjects under Article 10 of the GDPR.
The Guidelines recommend a number of mitigation measures to reduce the data protection and privacy risks associated with connected vehicles, including:
- Rights of data subjects: The Guidelines focus heavily on the need for connected vehicles to facilitate data subjects’ control over their data and in particular, their ability to exercise their data subject rights. The EDPB recommends implementing a profile management system inside connected vehicles to store the preferences of known drivers and to enable data subjects to easily change their privacy settings at any time, or to directly access, delete or remove their personal data from the vehicle’s systems. A change of ownership of the vehicle should also trigger the permanent deletion of any personal data.
- Local processing of personal data: Where possible, personal data collected by a connected vehicle should not be transferred outside of the vehicle and should be processed internally (i.e. in the connected vehicle). Keeping data in the vehicle removes the transmission path and the backend as points of attack, and so reduces the cyber security risks associated with cloud processing. In particular, the EDPB recommends developing a secure in-car application platform, “physically divided from safety relevant car functions so that the access to car data does not depend on unnecessary cloud capabilities”.
- Anonymisation and pseudonymisation: If local processing is not possible, the EDPB recommends anonymising or pseudonymising personal data to minimise the risks generated by the data processing.
- Data protection by design and by default: The technologies deployed in connected vehicles should be designed in such a manner as to minimise the collection of personal data and to provide privacy-protective default settings. Data subjects should have the option to easily activate or deactivate the data processing for each purpose and only personal data which is strictly necessary for the vehicle functioning should be processed by default.
- Data protection impact assessments (DPIA): The EDPB is of the view that the processing of personal data generated by connected vehicles will require a DPIA in accordance with Article 35 of the GDPR and best practice would be to conduct the DPIA as early as possible in the design process for connected vehicles.
- Security and confidentiality: Measures should be put in place to guarantee the security and confidentiality of personal data processed in connected vehicles. The EDPB recommends that industry participants consider putting in place a unique encryption-key management system in each vehicle (so that the compromise of one vehicle’s keys does not expose data from an entire model or fleet), encrypting all communication channels by means of a state-of-the-art algorithm and making access to personal data subject to reliable user authentication techniques, such as passwords and electronic certificates.
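The pseudonymisation, local key management and purpose-based minimisation points above can be shown together in code. The following is an added illustration written for this note; it is not code from the EDPB Guidelines or from any manufacturer, and the vehicle key store, field names and telemetry records are hypothetical, constructed for the example. It shows how an in-vehicle unit could replace direct identifiers with keyed pseudonyms under a per-vehicle secret, coarsen location, withhold instantaneous speed unless the purpose requires it, and make all previously exported records unlinkable by destroying the vehicle key (for instance on change of ownership).

```python
import hmac
import hashlib
import secrets

# Constructed sample telemetry, as an in-vehicle unit might log it (not real data).
SAMPLE_TELEMETRY = [
    {"vin": "WVWZZZ1JZXW000001", "driver": "alice", "lat": 53.349805, "lon": -6.260310,
     "speed_kmh": 47.0, "ts": 1583020800},
    {"vin": "WVWZZZ1JZXW000001", "driver": "alice", "lat": 53.350120, "lon": -6.258900,
     "speed_kmh": 52.0, "ts": 1583020830},
    {"vin": "WVWZZZ1JZXW000001", "driver": "bob",   "lat": 53.338100, "lon": -6.259800,
     "speed_kmh": 31.0, "ts": 1583028000},
]

# Fields that must never leave the vehicle in the clear for a non-essential purpose.
DIRECT_IDENTIFIERS = ("vin", "driver")


class VehicleKeyStore:
    """Hypothetical per-vehicle secret held inside the vehicle.

    Pseudonyms are HMAC-SHA256 values under this key, so a backend that only sees
    the output cannot invert them, and two vehicles with different keys produce
    unlinkable pseudonyms for the same driver. Destroying the key makes every
    pseudonym previously exported from this vehicle permanently unlinkable.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # generated in the vehicle, never exported

    def pseudonym(self, purpose: str, identifier: str) -> str:
        if self._key is None:
            raise RuntimeError("vehicle key has been destroyed")
        # Binding the purpose into the MAC input gives different pseudonyms per
        # purpose, so records exported for traffic analysis cannot be joined with
        # records exported for insurance.
        msg = purpose.encode() + b"\x00" + identifier.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def destroy(self) -> None:
        self._key = None


def coarsen(lat: float, lon: float, decimals: int = 2) -> tuple:
    """Round coordinates to roughly 1 km cells so a record no longer pinpoints
    a home or workplace."""
    return (round(lat, decimals), round(lon, decimals))


def minimise(record: dict, keys: VehicleKeyStore, purpose: str,
             need_speed: bool = False) -> dict:
    """Apply purpose-specific data minimisation before a record leaves the vehicle."""
    out = {"ts": record["ts"] - record["ts"] % 300}  # 5-minute time bucket
    for field in DIRECT_IDENTIFIERS:
        out[field + "_p"] = keys.pseudonym(purpose, record[field])
    out["lat"], out["lon"] = coarsen(record["lat"], record["lon"])
    # Instantaneous speed next to precise position can reveal an offence (Article 10
    # GDPR); export it only when the purpose needs it, and only beside coarse position.
    if need_speed:
        out["speed_kmh"] = record["speed_kmh"]
    return out


def export_batch(records: list, keys: VehicleKeyStore, purpose: str,
                 need_speed: bool = False) -> list:
    """Records as they would be sent to a backend for the given purpose."""
    return [minimise(r, keys, purpose, need_speed) for r in records]


if __name__ == "__main__":
    ks = VehicleKeyStore()
    for row in export_batch(SAMPLE_TELEMETRY, ks, "traffic"):
        print(row)
    ks.destroy()  # e.g. on change of ownership: old exports are now unlinkable
```

The design choice worth noting is that the key never leaves the vehicle and the purpose is mixed into the MAC input: the backend can still count trips per (pseudonymous) driver for one purpose, but cannot recover the VIN, cannot join datasets across purposes, and cannot join data across vehicles. Rounding coordinates and bucketing timestamps are deliberately coarse here; the right granularity is a DPIA question, not a constant.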
Industry participants have until 20 March 2020 to make submissions on these draft Guidelines. It will be interesting to see whether any material changes will be made by the EDPB when it finalises the Guidelines.
Also contributed by Ruth Hughes