The emergence of connected and autonomous vehicles (“CAVs”) will lead to numerous industry participants collecting, analyzing and exploiting immense amounts of data from those vehicles for many different purposes. Original equipment manufacturers (“OEMs”) may use data transmitted by CAVs, such as vehicle speed, battery life, engine injection behavior and fuel pump performance, to develop more efficient, safer and more advanced vehicles. Insurers could capitalize on car data by offering usage-based insurance contracts based on the analysis of data indicative of driving behavior. Roadside assistance providers could collect and process distress calls in real time from vehicle sensors and automated alerts, optimize the dispatch of rescue vehicles and analyze accident and breakdown data to provide valuable information to car OEMs and road infrastructure operators. Retailers and service centers could use car data analytics and in-vehicle technology for in-car monetization opportunities such as by advertising shops and restaurants that may be of interest en route. CAVs will also be able to communicate with other CAVs and on-road infrastructure to make lane changing and junction crossing easier and safer. But before industry participants can truly benefit from the wealth of business opportunities that CAV-generated data presents, key legal issues will have to be addressed. In Europe, there are several challenges, which are discussed here. Ownership of the Data Given the many possible opportunities that arise from CAVs, a key question is which individual or industry participant owns the data that is being recorded and transmitted by different systems within the vehicle. Naturally, manufacturers and OEMs will be keen to assert that they are the rightful owners of the data because of the role that their IT infrastructure (whether it forms part of equipment installed onto the CAV or otherwise) plays in the collection and transmission of the data and, as a result, that they have the right to restrict how others can use the data. In Europe, the European Automobile Manufacturers Association (“ACEA”) recently published a position paper that discusses a desire to charge for access to the data generated by vehicles.1 However, the answer to who owns the data is not clear cut. To explore this point, an analogy can be drawn between Event Data Recorders (“EDR”) and telematics data transmitted from CAVs. EDRs are akin to the “black boxes” found on airplanes and record information about vehicle functions around the time of a crash. In Europe, a report for the European Commission in 2014 concluded that the most likely owner of the data is the vehicle owner.2 CAVs record similar types of data as EDRs, such as speed, acceleration and braking, but CAVs record a greater number of categories of data than EDRs. Furthermore, the EDR data is relooped so that only the minutes just before an incident are retained as opposed to CAV data, which is continuously recorded and stored. 2 Mayer Brown | Connected and Autonomous Vehicles in Europe: The Challenges with Using the Data They Generate Finally, CAVs will likely store data for a much longer time period than EDRs. Given that the type, quantity and retention period of the data may differ significantly with EDRs, ambiguities remain over who owns the data. In some jurisdictions, it may be the car owner; in others, it may be the car manufacturer. In addition, it is likely that OEMs of different devices in a vehicle will lay claim to the data emanating from their particular devices. These different stakeholders in the vehicle will need to come to an agreement to establish who exactly owns the data, to whom it should be licensed and how that data can be used by successive vehicle owners, their passengers and third parties that they interact with (such as insurance companies, car dealerships etc.). In fact, it has been reported in the Financial Times that a consortium consisting of insurers, technology companies and others in the transport industry have, in a recent report, asked the UK government to clarify who has ownership of and access to this data.3 Dealing with Personal Data Whoever owns the data, to the extent it consists of personal data, manufacturers must notify and obtain the consent of the owner and other drivers of a vehicle or rely on astatutory justification before sharing “personal data” with third parties (such as insurance companies) to use that data in compliance with EU data protection laws. The European Data Protection Directive 95/46/EC (“Directive”) defines “personal data” as any information relating to an identified or identifiable natural person (“data subject”).4 The General Data Protection Regulation 2016/679 (“GDPR”), which will replace the Directive in May 2018, has a very similar definition of “personal data.” Personal details such as a driver's name, address and contact details (whether those have been directly inputted into a digital interface or infotainment system by the user or collected or inferred by the car manufacturer or systems provider) will be personal data, and European data privacy laws will apply to the use of that data. In the European Union, location data collected by smartphones is generally considered to be personal data because individuals can be directly or indirectly identified through their patterns of movement,5 and so geolocation data collected by CAVs is likely to be considered personal data where this data alone or in conjunction with other information identifies an individual driver, passenger or user of a CAV through their patterns of movement. The GDPR has confirmed this position by expressly stating that an individual can be identified directly or indirectly by reference to “location data.”6 Even technical telematics data produced by sensors in the vehicle, such as about speed, acceleration and use of brakes, could constitute personal data. The unique identification number given to vehicles can be linked with the individuals who have registered as owners of those vehicles. The technical data generated by vehicles and associated with the unique vehicle identifier could, therefore, be linked to individual drivers and relay information about their driving habits, for example. In Germany, the data protection authorities and the German Association of the Automotive Industry have already stated this to be the case.7 As a result, connected car data will in most cases be deemed personal data, unless data processing has been designed to avoid data becoming personally identifiable (e.g., where sensors and other data-generating items have been designed to only generate anonymous data and aggregate it when recorded on an industry participant's system). Legal Grounds for Using Personal Data from CAVs In practice, there are three legal bases for the use of such personal data under European data protection law. Consent is one legal basis that could be relied on in the context of processing personal data emanating from CAVs, whether by the manufacturers, social or data platforms or thirdparty developers. However, written consent from 3 Mayer Brown | Connected and Autonomous Vehicles in Europe: The Challenges with Using the Data They Generate the owner of the vehicle at the outset (i.e., when the vehicle is purchased or hired) may not be sufficient. One issue is that the driver's consent must be fully informed, which can be difficult to demonstrate as time passes, and that the driver must be capable of withdrawing his or her consent at any time, which can be difficult to accommodate in the design of an IT system. Another issue is that if the purchase of the CAV or the performance of the CAV is conditional on consent to the processing of the personal data, the consent may not be deemed to be freely given. Owners should not have degraded access to the capabilities of their vehicles if they decide not to consent to processing of personal data. Finally, obtaining consent from future users who the vehicle may be shared with or sold to will be difficult. In essence, consent will only work as a legal basis if the data subject is fully and clearly informed and has full control over the processing of his or her personal data. A suitable level of control could be achieved by adopting a “data protection by design” approach as required by the GDPR.8 This approach consists of ensuring that privacy protections are built into the design and development of new products and services as opposed to being implemented later on as part of a legal review process. For example, obtaining consent as a legal ground for processing personal data could be demonstrated if the data subject is able to, via an interactive dashboard, turn on or off or customize the CAV's ability to collect and transmit different types of personal data, thereby giving the data subject more control over the processing of his or her personal data. Also, a mode that distinguishes between different individuals using the same car could allow different drivers, passengers and owners of the same car to control their own separate privacy preferences. Manufacturers should also consider a “privacy by default” approach by, for example, having sensors that collect personal data switched off by default. This would help to ensure that data subjects' personal data are not processed automatically without their consent. Personal data can also be legally processed where it is necessary for the purposes of a contract to which the data subject is party. However, the scope of this legal ground is limited by the criterion of “necessity”, which requires a direct and objective link between the processing itself and the purposes of the contractual performance expected from the data subject. A manufacturer could also legally process personal data from the CAV if it is necessary for the purposes of the legitimate interests pursued by the manufacturer or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. The Article 29 Working Party has stated that, in the context of internetconnected devices, such as CAVs and the Internet of Things (“IoT”) more broadly, the processing of an individual's personal data is likely to affect significantly his or her fundamental rights to privacy and to the protection of personal data in situations where, without the IoT, data could not have been interconnected or only with great difficulty.9 Therefore, in light of the potential seriousness of that interference, it is clear that such processing may not be justified by merely the economic interest that a stakeholder in a CAV has in that processing. On the other hand, where the inability to process personal data will undermine CAV safety features, it has been argued that protecting third parties' rights to life under the European Convention on Human Rights may override the data privacy rights of the CAV owner. For example, if an owner denies consent or opts out of transmissions of location data from the CAV, this may hinder the autonomous vehicle's ability to connect with surrounding cars and other elements of the environment and to navigate the roads safely. It is also possible that insurance companies and the police could use the legitimate interest ground to access personal data from CAVs after an accident to ascertain what has happened and who (or what) was at fault.10 4 Mayer Brown | Connected and Autonomous Vehicles in Europe: The Challenges with Using the Data They Generate Other Data Protection Requirements European data protection law imposes purpose limitation and data minimization requirements that may restrict the manner in which “big data” is typically collected and used. Specifically, under the Directive and the GDPR, the use of personal data for different purposes than the purpose for which it was originally collected is prohibited.11 The processing of personal data is also required to be kept to a minimum,12 and it should not be held for longer than necessary.13 Again, manufacturers and other stakeholders will need to ensure that the “Privacy by Design” requirement is followed and think carefully in advance about the potential opportunities to use data collected by cars for new purposes so that data protection safeguards can be incorporated from the beginning. Furthermore, many stakeholders may only need to have anonymized, aggregated data and will have no need to receive the raw data collected by the CAVs. The Article 29 Working Party recommends that such stakeholders delete the raw data as soon as they have extracted the data required for their data processing.14 Data subjects also have the right to access any personal data that has been collected concerning them15 and to exercise that right easily and at reasonable intervals.16 The GDPR also provides data subjects with the right to transmit the data they have provided to another service provider (the right to data portability).17 To protect these rights, data subjects should be provided with remote access to a secure system that would provide the data subject with direct access to his or her personal data.18 The ACEA and the European Association of Automotive Suppliers (CLEPA) have proposed a system whereby vehicle-generated data will be relayed to a backend server maintained by the manufacturer. The data could then be directly transferred from the manufacturer's secure back-end interface to third parties for the provision of services.19 Presumably, data subjects would need to be provided direct access to the back-end server to satisfy their data access and data portability rights. In addition, such data should be machinereadable and in an interoperable format.20 Data subjects will clearly hold a more immediate interest in the interpreted data (e.g., driving habits) than in the raw data that may not make sense to them (e.g., movement data of the vehicle). However, such data can prove useful for the data subjects to understand what the manufacturer can infer from it about them. Also, obtaining this raw data would give them a capacity to transfer their data and switch vehicles more easily. Finally, although manufacturers may refuse a portability or access request if it would adversely affect intellectual property rights or trade secrets,21 data protection authorities still expect that some steps should be taken to provide the personal data in a form that does not release information covered by trade secrets or intellectual property rights.22 How to Address the Challenges To tackle the various ownership and privacy issues arising from data generated by CAVs, the various stakeholders seeking to access and use CAV data will have to enter into carefully structured agreements that clearly identify each party's respective obligations with respect to the ownership of data collected, the use and protection of personal data and the apportionment of risk, particularly in the case of a loss or misuse of data. This is particularly important given that European data protection authorities may impose fines of up to 4 percent of the annual global turnover of an industry participant that is responsible for breaches of, for example, the principles governing data processing and data subjects' rights under the GDPR. A “Privacy by Design” and “Privacy by Default” approach should be taken by stakeholders to ensure that data protection is put at the heart of the CAV design. For example, many of the legal risks identified above could be reduced if data can 5 Mayer Brown | Connected and Autonomous Vehicles in Europe: The Challenges with Using the Data They Generate be used on an anonymized and aggregated basis. In any case, prior to carrying out “big data” analyses that might involve the profiling of individuals who use CAVs, the relevant stakeholders should carry out a privacy impact assessment to identify any data protection risks and how those risks should be mitigated. For more information about this topic, please contact either of the following lawyers. Oliver Yaros +44 20 3130 3698 firstname.lastname@example.org Ryota Nishikawa +44 20 3130 3189 email@example.com Visit us at mayerbrown.com. Endnotes 1 https://www.acea.be/uploads/publications/ACEA_ Strategy_Paper_on_Connectivity.pdf 2 https://ec.europa.eu/transport/sites/transport/ files/docs/study_edr_2014.pdf 3 https://www.ft.com/content/0ebdd2aa-5dc5-11e7-9bc8- 8055f264aa8b 4 Article 2(a) of the Directive 5 Article 29 Data Protection Working Party – Opinion 13/2011 on Geolocation services on smart mobile devices 6 Article 4(1) GDPR 7 http://germanitlaw.com/smart-cars-industry-and-germanauthorities-agree-on-certain-aspects-of-data-protection/ 8 Article 25 GDPR 9 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC 10 House of Lords Science and Technology Select Committee – “Connected and Autonomous Vehicles: The future?” 11 Article 5(1)(b) GDPR 12 Article 5(1)(c) GDPR 13 Article 5(1)(e) GDPR 14 Article 29 Working Party Opinion 08/2014 on the Recent Developments on the Internet of Things 15 Article 15 GDPR 16 Recital 63 GDPR 17 Article 20 GDPR 18 Recital 63 GDPR 19 https://www.smmt.co.uk/wp-content/uploads/sites/2/SMMTCAV-position-paper-final.pdf 20 Recital 68 GDPR 21 Article 20(4) GDPR 22 Article 29 Working Party Guidelines on the right to data portability Mayer Brown is a global legal services organization advising clients across the Americas, Asia, Europe and the Middle East. Our presence in the world’s leading markets enables us to offer clients access to local market knowledge combined with global reach. We are noted for our commitment to client service and our ability to assist clients with their most complex and demanding legal and business challenges worldwide. We serve many of the world’s largest companies, including a significant proportion of the Fortune 100, FTSE 100, CAC 40, DAX, Hang Seng and Nikkei index companies and more than half of the world’s largest banks. We provide legal services in areas such as banking and finance; corporate and securities; litigation and dispute resolution; antitrust and competition; US Supreme Court and appellate matters; employment and benefits; environmental; financial services regulatory and enforcement; government and global trade; intellectual property; real estate; tax; restructuring, bankruptcy and insolvency; and wealth management. Please visit www.mayerbrown.com for comprehensive contact information for all Mayer Brown offices. Any tax advice expressed above by Mayer Brown LLP was not intended or written to be used, and cannot be used, by any taxpayer to avoid U.S. federal tax penalties. If such advice was written or used to support the promotion or marketing of the matter addressed above, then each offeree should seek advice from an independent tax advisor. Mayer Brown comprises legal practices that are separate entities (the “Mayer Brown Practices”). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown EuropeBrussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown Mexico, S.C., a sociedad civil formed under the laws of the State of Durango, Mexico; Mayer Brown JSM, a Hong Kong partnership and its associated legal practices in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. Mayer Brown Consulting (Singapore) Pte. Ltd and its subsidiary, which are affiliated with Mayer Brown, provide customs and trade advisory and consultancy services, not legal services. “Mayer Brown” and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions. This publication provides information and comments on legal issues and developments of interest to our clients and friends. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek legal advice before taking any action with respect to the matters discussed herein. © 2017 The Mayer Brown Practices. All rights reserved.