Privacy Challenges in the CarTech Landscape – What has been keeping Automotive Companies busy in 2019 … and will continue to do so in 2020!
2019 was – once again – an exciting year for data protection organisations of automotive manufacturers, suppliers and other players in the automotive sector!
The orientation and familiarisation phase with the GDPR, which came fully into force in May 2018, is over. While the data protection supervisory authorities have been lenient for a comparatively long transitional period in implementing the new requirements of the GDPR, the data protection supervisory authorities in Germany appear to have “armed”“ their enforcement practice by this year at the latest. While the first year of the GDPR was still marked by the implementation of key requirements for many companies, the focus of work has now shifted further towards the development of sustainable data protection concepts. Here, companies from the automotive sector have faced and continue to face special challenges, especially in the implementation of data protection regulations in the development and application of new technologies for connected and autonomous driving, which will change the entire industry forever.
In this brief review and outlook, we will take a look at three key legal challenges that the data protection organisations of many companies in the automotive sector have been dealing with over the past year – and will certainly continue to do so intensively in the forthcoming new year of 2020.
TOP 1: Data protection in automotive aftersales
One of the “evergreens”“ in both the old and the new year remains the data protection-compliant organisation of data flows in automotive aftersales, including the transfer of customer data between dealers, manufacturers and distributors, e.g. for the purpose of administering warranty and goodwill cases, product monitoring and supporting the aftersales network with technical information.
Following the inspection activities of the German regulatory authorities in 2017 and 2018, the first comments are now to be found in the activity reports of the authorities involved (including Baden-Württemberg). Good news for all companies concerned: After reviewing the results of the test actions, the typical processing operations in automotive aftersales should continue to be legitimised under data protection law, provided that the general data protection principles (in particular data minimization and purpose limitation) are observed.
The supervisory authorities still appear undecided on individual aspects, including the permissibility of processing personal customer data for the purpose of creating and managing a central electronic service and repair history by the respective manufacturer. There still seems to be a need for discussion here. However, a solution through a corresponding balancing of interests in accordance with Art. 6 (1) (f) GDPR seems possible.
The authorities also appear to be equally undecided on the question of the extent to which the respective data flows in after-sales require the conclusion of agreements under Art. 26 GDPR (joint responsibility). Not least in view of the current case law of the European Court of Justice (most recently in the „Fashion ID“ case with its ruling of 29.07.2019, C-40/17), the parties will continue to follow the issue closely in the new year. Irrespective of the classification of individual processing activities as a case of joint controllership, it seems advisable, however, to regulate the respective activities and in particular the handling of data subject rights between the companies involved in corresponding contracts in a transparent manner, at least by applying Art. 26 requirements accordingly.
When implementing the information obligations under Art. 13, 14 GDPR, pragmatic solutions should remain possible in the future (e.g. by combining „physical“ notices at the dealer with the provision of further information by the manufacturer in electronic form, e.g. on a website).
The basis of a sound data protection assessment of the process in after-sales, such as the preparation of appropriate contractual regulations and transparent information for those concerned, is always the careful determination of all relevant processing details. To this end, data protection organisations will have to work closely with the respective specialist departments. In order (also) to be able to implement corresponding work quickly and effectively in 2020, it seems sensible to develop appropriate coordination mechanisms and processes at an early stage, also in order to be able to react quickly and adequately to changes in the service landscape and the associated “ “new”“ data processing activities and to be able to embed these in the existing concepts in a data protection-compliant manner.
For further details on the data protection requirements in automotive aftersales please see the author’s article in RAW 2/2019, p. 70 ff. (“Datenschutz im Automotive-Aftersales”).
TOP 2: Data protection aspects in the development of new technologies related to autonomous driving
In 2019, users were already able to purchase and use a wide range of vehicles that enable highly automated driving functions (e.g. Lane Assist, Self-Parking or Cruise Control functionalities), while the development of the technologies required to implement fully autonomous driving is in full swing.
To develop safe technologies, companies need a large amount of data including sensor information and camera images of routes, traffic situations, road signs, weather conditions and – last but not least – interactions with people in traffic (e.g. images of pedestrians). This data is necessary to train the algorithms, which must then be able to react adequately to the traffic situation in the future. The recording of such data is typically done by specially equipped vehicles, which record the traffic situation with specialised sensors and cameras.
Since the development of the algorithms will continue to require the processing of personal data, at least to a certain extent, the participating companies are regularly faced with the question of the extent to which such processing activities are covered by the GDPR and what measures must be taken to ensure that the development activities are legally compliant.
In this respect, it often seemed unclear, among other things,
- the extent to which such development activities may already be permissible due to the privileged treatment of research and development in Article 89 or Recital 159 of the GDPR or on the basis of a balancing of interests in accordance with Article 6 (1) lit f GDPR, and
- how data subjects are to be informed about corresponding processing operations in a data protection-compliant manner.
With an initial statement by the Bavarian state data protection supervisory authority from 2018 and further details in the 8th Activity Report from March 2019, affected companies now receive an initial overview and „boilerplates“ for the implementation of corresponding development activities. Fortunately, the supervisory authorities also seem to recognise a legitimate interest of the manufacturers of corresponding technologies with regard to the processing of personal data in the context of development activities, although the limits of permissible data processing must still be determined on a case-by-case basis.
However, the comments of the supervisory authorities also clearly show that companies must give priority to implementing the principles of data minimisation, purpose limitation and privacy-by-design and privacy-by-default in their development activities. The data protection supervisory authorities (see Section 4.1 of the Activity Report 2018 of the Data Protection Authority of Baden-Württemberg) also believe that the performance of a data protection impact assessment will be an indispensable instrument for prior checking of relevant processing activities in order to identify and address data protection risks of the respective technologies at an early stage.
TOP 3: Processing of personal data in and from the connected vehicle
As the technologies of connected driving continue to develop, connected vehicles generate steadily increasing amounts of data from year to year.
Much of this data is required for controlling internal vehicle processes and does not leave the vehicle (e.g. for controlling comfort settings and other “pure”“ in-car applications). Other data is transmitted to locations outside the vehicle in order to provide functionalities and services (e.g. telediagnostics and remote maintenance; so-called “IN>OUT“ or “IN>OUT>IN”scenarios; cf. the 2018 opinion of the French data protection authority CNIL on data protection in connected vehicles). Other data from the connected vehicle may also be passed on by the manufacturer to third parties (e.g. to enable third parties to provide services in the Connected Car environment at the customer’s request, the so-called “Extended Vehicle” concept; see also the VDA’s information material on the „NEVADA Share & Secure“ concept or the material of the European Automobile Manufacturer Association (ACEA).
The (data protection) issue surrounding the implementation of the ”Extended Vehicle” concepts will certainly continue to gain momentum in 2020, so that we will deal with this exciting topic in a separate article in the new year.
Besides, in the coming year, the question will increasingly arise as to what “other” purposes and to what extent manufacturers, suppliers and other companies involved can and may use personal data obtained from the connected vehicle. In the future, there will be an increased interest on the part of the parties involved to be able to use data obtained in the course of connected driving for purposes of product development, (data) security, but also product defence.
In particular in connection with the use of autonomous technologies, manufacturers will in future want to receive and store information about the condition of a vehicle, malfunctions and the involvement of a machine or a human being in a specific traffic process, due to possible product liability obligations, in order to be able to defend themselves effectively against accusations of a defective product, for example. As is so often the case, it will only be possible to determine the limits of data protection law for corresponding data storage by weighing up the interests involved, whereby here too the principles of data minimization, strict purpose limitation and the use of data-minimizing technologies (e.g. pseudonymization and targeted limitation of data processing) will be of the greatest importance.
Last but not least, in the context of the development of new in-car technologies, also in 2020 the question will arise for automotive manufacturers to what extent the principles of data protection law, in particular “Privacy-by-Design” and “Privacy-by-Default”, will have to be observed. The “controversy” has been triggered by the unclear provisions of the GDPR, according to which it will probably be difficult to justify the responsibility of car manufacturers under Art. 4 No. 7 GDPR for data processing processes that take place exclusively in the vehicle.
While the Joint Declaration of the Conference of the Independent Data Protection Authorities of the Federal and State Governments and the German Association of the Automotive Industry (VDA) of 2016 already provided for a corresponding obligation on the part of manufacturers to observe the “privacy-by-design” principle in the development of new products, the issue appears to remain a “permanent topic” for the data protection supervisory authorities in 2019. In their November 2019 report on the application of the GDPR, the German supervisory authorities are already calling for corresponding changes to the law so that in future manufacturers without direct access to specific data processing processes can also be more strongly obliged to comply.
Given the most recent discussions, (automobile) manufacturers will be well advised in 2020 to integrate the principles of “Privacy-by-Design” and “Privacy-by-Default” as an integral part of their development processes. How far the manufacturer’s responsibility then extends in individual cases, which mandatory presettings and data minimizing measures are to be taken and to what extent the user can be left with the responsibility for the corresponding configuration of the systems and services, remains to be clarified in each individual case. A “data protection-friendly” product development will, however, pay off in every case.
Conclusion and outlook
An exciting year lies ahead for the automotive industry!
This article can and should only provide a small excerpt of the data protection topics that will continue to be important in 2020.
What all questions have in common is that, due to the high complexity of the new technologies and products in the automotive sector, it is only possible to develop solutions that are viable in terms of data protection law with effective cooperation between the individual stakeholders within the companies concerned – data protection organisation, legal department, compliance and R&D.
A key intention for data protection organisations in the new year should therefore be to further optimise the relevant processes for coordinating data protection issues, including the development of new automotive products and services, and to make them fit for the future.
The respective legal issues will not always be resolved on their own, but in any case more easily and quickly, which is already a great benefit!