On 7 February 2020 the European Data Protection Board ("EDPB") published its draft guidelines on processing personal data in the context of connected vehicles and mobility related applications. The draft guidelines are open for public consultation until the 20 March 2020.
Background
Connectivity is rapidly expanding and the surge towards the Internet of Things is accelerating with the arrival of 5g. Vehicles are increasingly becoming massive data hubs and connected vehicles will collect a wide variety of data including data relating to engine performance, driving habits, locations visited, driver eye movements, pulse or other biometric data. This data will be processed in a complex eco system involving many different digital participants, covering aspects such as infotainment, music, traffic conditions, driver assistance, autopilot software, vehicle condition, vehicle usage and dynamic mapping. It is against this background that the EDPB has published draft guidelines to consider the inevitable data protection, privacy and security challenges that connected vehicles present.
What is the scope of the guidelines?
The guidelines focus on the non professional use of connected vehicles, by drivers, passengers, vehicle owners, renters etc. A connected car is defined by the EDPB as a vehicle equipped with many electronic control units (ECU) that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices both inside and outside of the vehicle. The guidance deals with personal data processed within a connected vehicle, exchanged between the vehicle and personal devices connected to it (such as the user's smartphone) and personal data collected within a connected vehicle and exported to external entities (such as vehicle manufactures or insurance companies).
Summary of the key points
The EDPB's view is that most data generated by connected cars can be considered personal data. This includes not only data that directly identifies drivers or passengers but also technical data, such as data relating to driving style, distance covered or even vehicle wear and tear. This is consistent with existing principles, but the fact that the EDPB cites, in its examples of what may constitute personal data, technical data such as coolant temperature and tyre pressure, is likely to cause alarm in some quarters.
When considering the most appropriate lawful basis to process personal data, the EDPB, through its guidelines reminds data controllers that in the context of connected cars, the e-Privacy Directive will be the starting point. Specifically, Article 5 (3) of the e-Privacy Directive shall take precedence over Article 6 of GDPR and requires prior consent to store or access information stored on 'terminal equipment'. Connected vehicles and every device connected to them shall be considered 'terminal equipment'.
There are three categories of personal data that the EDPB state warrant particular attention. Firstly, geolocation data. The frequency and level of collection of geolocation data should be carefully configured to the purposes of processing. There should be an option available to users to deactivate geolocation data collection. Secondly, biometric data. Data such as finger prints may be collected as part of an identity authentication solution. However, biometrics should not be mandatory and if deployed, a non biometric alternative, such as key should also be made available. Finally, criminal offence data. The combination of precise location data and speed data might reveal criminal offences and could therefore constitute criminal offence data, necessitating additional safeguards in accordance with Article 10 GDPR.
Key data protection risks highlighted by the EDPB include; drivers and passengers not being adequately informed about data collection and transparency information only being provided to vehicle owners (who will change over time); a lack of information may in turn lead to issues with the quality of a users consent (if processing is based on consent) and the guidelines underline that such consent must not be bundled with a contract to buy or lease a car and must be capable of being easily withdrawn.
In order to mitigate these and other risks, the EDPB sets out a series of recommendations including:
- To help increase user control and enhance cyber security, processing of personal data should, insofar as possible, be restricted to local processing within the vehicle. If it is necessary to transfer data externally then anonymisation or pseudonymisation of data is recommended.
- To combat the high risk of excessive data collection and comply with data minimisation principles, controllers are urged to pay special attention to the categories of data, ensuring that data collected is limited to what is relevant and necessary for the processing.
- Controllers are required to ensure that technologies deployed are configured to respect privacy by default, as required by Article 25 GDPR. The EDPB recommends a default setting of local processing only. .
- Given the scale and sensitivity of personal data that can be generated via connected vehicles, data protection impact assessments (DPIA) are likely to be mandated.
- Controllers should implement specific tools that allow data subjects to control their data over the processing period. Such tools might include an in vehicle profile management system and functionality that easily enables the deletion of data.
- The measures required to help ensure adequate data security, should include encrypted communication channels; an encryption key management system that is unique to each vehicle; regularly renewal of encryption keys; effective authentication of data receiving devices.
Conclusion
This is welcome guidance, setting out manageable recommendations to help those within or entering the connected vehicles environment, to successfully navigate regulatory and legal requirements. Adopting a mature privacy by design approach, with a close eye on the tech and data layers of any connected vehicles proposition, will provide strong foundations.
The guidance has a clear focus on the future as we continue to see the expansion of vehicle connectivity and data digitalisation. However, the guidance also covers aspects of processing that are already taking place today, including telematics, eCall and theft tracking and therefore represents an important document for organisations such as vehicle manufacturers, rental companies, insurance companies and their service providers. The direction of travel is clear. The protection of personal data will be a cornerstone of the continued development of the connected vehicle ecosystem.
