The European Data Protection Board (EDPB) is finalising its guidelines on data protection law as it applies to connected vehicles. The first draft of the Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications was adopted on 28 January 2020 and will soon be finalised following a public consultation.
The draft guidelines define a connected vehicle as a “vehicle equipped with many electronic control units (ECU) that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices both inside and outside the vehicle.”
The draft guidelines state that the GDPR and the ePrivacy Directive form the relevant legal framework governing the processing of personal data via connected vehicles. The guidelines identify and consider the following three types of personal data, in particular:
- geolocation data: this data is noted to be “particularly revealing of the life habits of data subjects”, as it can enable one to infer someone’s place of work and of residence, and other, even more sensitive information, through the places visited. Accordingly, controllers are advised to be vigilant not to collect location data unless it is absolutely necessary for the purpose for which it is collected;
- biometric data: this data may be used, for example, for access, authentication and preferences purposes. The EDPB advises that use of such data should not be mandatory, that is, the systems should offer an alternative, and that the biometric template should be stored in encrypted form locally, in the connected vehicle only; and
- data revealing criminal offences or other infractions: this is data that, either on its own (such as data indicating that a vehicle crossed a white line) or in combination (such as a vehicle’s instantaneous speed and geolocation), could reveal the commission of criminal offences or other infractions. The guidelines note that such personal data can only be processed under the control of official authority or as authorised by EU or Member State law.
More generally, the draft guidelines advise that:
- personal data should be processed internally, i.e. inside the connected vehicle, insofar as possible. The draft guidelines promote this approach as strong “data protection by design” and as minimising security risks by ensuring certain personal data is not unnecessarily transferred outside of the vehicle;
- any personal data that must leave the vehicle should be anonymised or pseudonymised as much as possible. The guidelines reiterate that truly anonymised data is not “personal” and so is not subject to the GDPR, whereas pseudonymised personal data is that in which directly identifying data has been replaced by a non-signifying pseudonym;
- industry participants should undertake data protection impact assessments to identify and mitigate data protection risks as early as possible in the design process and, as a best practice, factor the results into their design choices before rolling out new technologies; and
- to enable data subjects to easily exercise their rights, connected vehicles should be fitted with profile management systems to store the preferences of drivers and enable them to change their privacy settings at any time. The draft guidelines even go as far as to say that the sale of a connected vehicle and its change of ownership should trigger the deletion of stored personal data.
The public consultation on these guidelines saw more than 60 submissions from industry participants including the Swedish Transport Agency, Volkswagen, the Association of British Insurers and Tesla. The EDPB is expected to complete its review of this feedback and finalise the guidelines by the end of the year in line with its work programme for 2019/2020. Businesses in this sector looking for a steer towards better compliance will be keenly following any developments or material changes to the guidelines.
Please call a member of the William Fry Technology department or your usual William Fry contact for help or advice on any of the matters raised in this article.
Contributed by: Andrew Desmond