EDPB issues guidelines on Connected Cars

EU

After a public consultation procedure, the European Data Protection Board (EDPB) adopted and published the final version of Guidelines 01/2020 on the processing of personal data in the context of connected vehicles and mobility-related applications (“Connected Cars Guidelines”).

These Connected Cars Guidelines are addressed to traditional stakeholders in the automotive industry (e.g. vehicle or equipment manufacturers, automotive suppliers, car dealerships) and to the new players of the digital industry (e.g. entertainment providers, telecommunication operators).

The EDPB does not attempt to tackle the many issues surrounding connected vehicles, but focuses on personal data processing inside the vehicle, the exchange of personal data between the vehicle and the personal devices connected to it, and local in-vehicle data collection where the data is transferred to external entities for further processing.

In particular, the guidelines make recommendations on specific technology-related data protection issues. For example, data protection should be considered a factor from the outset, and data protection by design requires that data be processed internally, using processes that do not involve transferring the data to third parties outside of the vehicle. Where exporting data is deemed necessary, the data should be anonymised or at least pseudonymised. In addition, the EDPB recommends the installation of a secure in-vehicle application platform that is separated from safety-relevant car functions.

The EDPB also addresses the use of highly sensitive data, such as biometric data or location data. Since location data reveals direct information on habits and routines, it should only be processed where absolutely necessary. For the use of biometric data, sufficiently reliable biometric authentication methods should be in place that compare encrypted biometric samples locally only and do not use an external system.

In terms of transparency and user control, the guidelines emphasise that the users must be able to control how their data is collected and processed in the vehicle. The EDPB notes that a notification system should be installed in the car that signals when and what kind of personal data is being collected (e.g. by using lights or standardised symbols that are the same regardless of the vehicle type or design).

The guidelines also address issues surrounding the general use of personal vehicles, such as the fact that collection of personal data in a connected vehicle typically affects the owner, the driver (if a different person), the others sitting in the car, and the user in the case of a rented or leased car. In addition, when using an Internet of Things (IoT) device inside the car (e.g. a smartphone with a voice assistant), the personal data of multiple subjects will be collected.

Another issue is that cars usually have multiple owners and hence different data subjects over their lifespan, which highlights the importance of permanently deleting and erasing the processed personal data before the vehicle is put up for sale.

The guidelines include an additional section with case studies to provide practice-oriented recommendations, such as:

  • defining contractual obligation as a legal basis for the data processing of “Pay-as-you-drive” and “Pay-how-you-drive” usage-based insurance services;

  • for usage-based insurance services, insurance companies should only receive generated numerical scores, not the raw data of the car telematics;

  • defining a contractual obligation as a legal basis for the data processing of rental-parking services;

  • only transmitting data of in-vehicle systems to emergency services and service partners in the case of a serious accident that triggers an emergency eCall to 112 (mandatory since 2018);

  • retaining the data obtained in an eCall to 112 only for as long as it is needed for the processing of an emergency situation;

  • using consent as the legal basis for studies or research for which the data subjects voluntarily provide data;

  • using consent as the legal basis for the processing of vehicle location data in the event of a car theft where data subjects wish to find the vehicle.

You can read the guidelines here.

The article is co-authored by Anna Horváth