On October 17, 2017, the French data protection authority, the CNIL, released a “compliance pack” for connected cars. This toolkit provides guidance to stakeholders on how to integrate data protection by design and by default into their production pipeline, enabling data subjects to have effective control over their data. Developed by the CNIL in consultation with 21 stakeholders from the automotive, insurance and telecoms industries as well as public authorities, the toolkit takes into account current French data protection regulations as well as the GDPR.
The document identifies three scenario for processing personal data:
- Scenario No. 1 “IN => IN”: the data collected in the vehicle remains in the vehicle without transmission to the service provider
- Example: an electric vehicle that processes data directly in the vehicle for display with tips in real time on the on-board computer
- Envisaged purposes: improving driving or on-board experience (infotainment); improving driving behaviour for security purpose and maintenance; automated driving assistance; unlocking; activation of certain vehicle controls with the driver’s biometric data.
- Scenario No. 2 “IN => OUT”: the data collected in the vehicle is transmitted outside to provide a service to the data subject
- Example: “Pay as you drive” contract with an insurance company
- Envisaged purposes: improving products and services; providing commercial services to the user; combatting theft, accident studies; eCall
- Scenario No. 3 “IN => OUT => IN”: the data collected in the vehicle is transmitted outside to trigger an automatic action in the vehicle
- Example: dynamic “Information on traffic” with calculation of a new route following an incident on the road
- Envisaged purposes: remote maintenance; improving the driving experience.
For each type of processing activity within a given scenario, the guidelines identify:
- Possible purposes for processing
- Categories of data collected and their retention periods
- Information to be provided to data subjects (and on which type of document it could appear)
- Rights of the data subjects (right to object, right to withdraw consent, right to erasure, right to restriction of processing, access rights and right to portability)
- Security measures to be implemented
- Recipients of the data, in which the pack is very detailed and dense.
Key takeaways from the compliance pack include:
- All data related to an identified or identifiable individual, particularly in connection with the registration plate number or the serial number of the vehicle, is considered “personal data” and, as such, protected by the French Data Protection Act and the GDPR. For example, data relating to journeys made, parts used, dates of technical checks, number of kilometres or style of driving are effectively personal data when they can be linked to an individual.
- The pack aims to bring awareness of stakeholders in the automotive sector to the principles of “informational self-determination” (giving the data subject control over their data), transparency and fairness of collection, which involve, at least informing the data subjects and in some cases obtaining their consent.
- A privacy by design approach should be favoured. The approach may be achieved by the implementation of dashboards that can easily have set parameters, to guarantee the user’s control of his/her data.
- The CNIL encourages stakeholders to favour the “IN => IN” scenario, where data is only processed locally, in the vehicle, and not transmitted to the service provider. This approach provides good guarantees in terms of privacy for users and involves reduced obligations for controllers.
The compliance pack is an evolving document, which is intended to be completed and updated after the GDPR comes into effect on 25 May 2018. The CNIL intends for the toolkit to be used across the EU level.
Link to the compliance pack https://www.cnil.fr/fr/vehicules-connectes-un-pack-de-conformite-pour-une-utilisation-responsable-des-donnees