5 May 2020 | Data Protection
By Patrick Van Eecke and Anne-Gabrielle Haie
Vehicles, drivers and passengers are becoming more and more connected, generating increasing amounts of data. The latest evolution of digital technologies, such as robotics, the Internet of Things, Artificial Intelligence, high-performance computers and powerful communication networks, is leading self-driving cars out of an imaginary world and into our daily lives.
While these technologies are progressing rapidly, the EU intends to ensure common rules. Heeding the call, the European Commission issued several communications, such as the communication on “Europe on the Move” (COM(2018) 293 final), to guarantee a smooth transition towards a European mobility system which is safe, clean, connected and automated. Following this communication, the European Parliament adopted a resolution on autonomous driving in European transport (2018/2089(INI)). Alongside these initiatives, the European Data Protection Board (“EDPB”) recently published draft guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications.
These draft guidelines highlight the data protection risks related to such applications, provide general recommendations regarding the processing of personal data in relation to the non-professional use of connected vehicles and present some use cases. In this regard, “connected vehicles” has to be understood in a broad sense, including applications on mobility management, vehicle management, road safety, entertainment, driver assistance and well-being. Accordingly, personal data can be collected through vehicle sensors, telematics boxes or mobile applications.
Main takeaways from the EDPB guidelines are:
- Connected vehicles raise various privacy and data protection concerns, such as the lack of control and information asymmetry, the risk of excessive data collection and the risk of unlawful further processing of personal data;
- Most data associated with connected vehicles are considered personal data (e.g. geolocation data, biometric data) and must be processed in accordance with data protection principles, such as the principles of purpose limitation and data minimization;
- The technologies deployed in the context of connected vehicles must be configured to respect the privacy of individuals and to mitigate the risks to their rights and freedoms. To achieve this, local data processing or anonymization of data must be considered;
- The security and confidentiality of the personal data processed in the context of connected vehicles must be guaranteed, in particular by implementing measures such as the encryption of the communication channel.
1. Risks identified by the European Data Protection Board
According to the EDPB, the introduction of connected vehicles is associated with various privacy and data protection risks. In addition to significant concerns regarding Internet of Things systems and the processing of location data, the EDPB discusses in particular the following risks:
- Lack of control and information asymmetry: Drivers and passengers may not be adequately informed about the processing of data taking place in or through a connected vehicle. This creates the risk that insufficient functionalities or options are offered for affected individuals to exercise the control necessary to avail themselves of their data protection and privacy rights. Moreover, when communication in the vehicle is triggered automatically or by default (without the individual being aware of it), it becomes very difficult to control the flow of data and its subsequent use.
- Quality of the user’s consent: The fact that a user is not aware of the data processing carried out in his vehicle constitutes a significant barrier to demonstrate valid consent under the GDPR, as the consent must be informed. Also, classic mechanisms used to obtain individuals’ consent may be difficult to apply.
- Further processing of personal data: Data collected can only be further processed either if the controller seeks additional consent for this other purpose or if the data controller can demonstrate that it is based on a Union or Member State law to safeguard the objectives under art. 23(1) GDPR. Initial consent will never legitimize further processing as consent needs to be informed and specific to be valid. Furthermore, data collected by connected vehicles may be processed by law enforcement authorities to detect speeding or other infractions if and when the specific conditions in the law enforcement directive are fulfilled. Such data will be considered as relating to criminal convictions and offences under the conditions laid down by art. 10 GDPR and any applicable national legislation.
- Excessive data collection: With the ever-increasing number of sensors being deployed in connected vehicles, there is a very high risk of excessive data collection compared to what is necessary to achieve the purpose.
- Security of personal data: The plurality of functionalities, services and interfaces offered by connected vehicles increases the attack surface and thus the number of potential vulnerabilities through which personal data could be compromised. In addition, personal data stored on vehicles and/or at external locations may not be adequately secured against unauthorized access.
2. Recommendations suggested by the European Data Protection Board
Categories of data being processed
According to the EDPB, most data associated with connected vehicles will be considered personal data. Geolocation data, biometric data and data revealing criminal offenses or other infractions warrant special attention given their sensitivity and/or potential impact on the rights and interests of data subjects.
- Geolocation data: This data category is particularly revealing of the life habits of data subjects (e.g. workplace, residence, leisure activities and religion). Therefore, data controllers must be particularly vigilant not to collect location data except when absolutely necessary for the purpose of the processing.
- Biometric data: When considering the use of biometric data (e.g. to enable access to a vehicle, to authenticate the driver and/or to enable access to a driver’s profile settings and preferences), it is recommended to offer a non-biometric alternative, such as a physical key, and to store and compare such data only locally.
- Data revealing criminal offenses or other infractions: Personal data from connected vehicles revealing the commission of a criminal offence or other infraction (e.g. the instantaneous speed of a vehicle combined with precise geolocation data) are subject to special restrictions. The processing of such data can only be carried out under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects under art. 10 GDPR.
Purposes for which the data are being processed
Personal data may be processed for a wide variety of purposes such as driver safety, insurance and efficient transportation. These purposes must be specific, explicit and legitimate; the data must not be further processed in a way incompatible with those purposes; and the processing must have a valid legal basis, as required in art. 5 GDPR.
Relevance and data minimization
To comply with the data minimization principle, the EDPB recommends vehicle and equipment manufacturers, service providers and any other party involved in the processing to pay special attention to the categories of data they need for the processing. In particular, they should make sure that only personal data that are relevant and necessary for the processing are collected.
Data protection by design and by default
Data controllers must ensure that technologies deployed in the context of connected vehicles are configured to respect the privacy of individuals by applying the obligations of data protection by design and by default as required under art. 25 GDPR. In this regard, the EDPB provides certain general practices to mitigate the risks to the rights and freedoms of natural persons:
Local processing of personal data: Data controllers should use processes that do not involve personal data or transferring personal data outside of the vehicle (i.e. the data should be processed inside the vehicle). Such local data processing could include, for example, eco-driving applications that process data in the vehicle in order to display eco-driving advice in real time on the on-board screen, or applications for unlocking, starting and/or activating certain vehicle commands using the driver’s biometric data that is stored within the vehicle. This type of solution guarantees, among other things, the sole and full control of the user’s personal data, fewer cybersecurity risks and risks of cloud processing, and low latency. Additionally, the EDPB underlines that local processing applications could be considered as processing carried out for the performance of purely personal activities by a natural person and thus fall within the scope of the household exemption.
The EDPB nevertheless emphasizes that the GDPR would still apply to controllers and processors (e.g. car manufacturers, service providers) which provide the means for processing personal data for such personal or household purposes. Such controllers and processors are thus encouraged to develop a secure in-car application platform, physically separated from safety-relevant car functions, so that access to car data does not depend on unnecessary external cloud capabilities.
While it may not always be possible to resort to local data processing for every use-case, “hybrid processing” can often be put in place. For instance, in the context of usage-based insurance, personal data regarding driving behavior could either be processed inside the vehicle or by the telematics service provider on behalf of the insurance company to generate numerical scores that are transferred to the insurance company on a defined basis. In this way, the insurance company does not gain access to the raw behavioral data and the principles of data minimization are satisfied.
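The usage-based insurance scenario above can be made concrete. The following is an added example, not code from the EDPB guidelines or from any telematics vendor: a hypothetical in-vehicle (or telematics-provider-side) scoring routine that consumes raw driving samples and emits only an aggregated score, so that the raw speed, acceleration and position data never reach the insurer. The sample telemetry, the scoring rule and the `policy_id` value are all constructed for illustration.

```python
"""Hybrid processing for usage-based insurance: score locally, transmit only the score.

Added example (not from the EDPB guidelines). The scoring weights and the
telemetry below are constructed; a real insurer would define its own model.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TelemetrySample:
    """One raw in-vehicle reading. These fields are what must NOT leave the vehicle."""
    ts: int          # seconds since trip start
    speed_kmh: float
    accel_ms2: float # positive = acceleration, negative = braking
    lat: float
    lon: float


# Field names of the raw data; used to check the outbound payload.
RAW_FIELDS = {"ts", "speed_kmh", "accel_ms2", "lat", "lon"}

# Constructed trip: six one-second samples on a 50 km/h road.
CONSTRUCTED_TRIP: List[TelemetrySample] = [
    TelemetrySample(0, 45.0, 0.5, 50.8503, 4.3517),
    TelemetrySample(1, 48.0, -1.2, 50.8504, 4.3518),
    TelemetrySample(2, 52.0, 3.5, 50.8505, 4.3519),   # harsh acceleration, speeding
    TelemetrySample(3, 61.0, 0.8, 50.8506, 4.3520),   # speeding
    TelemetrySample(4, 40.0, -3.2, 50.8507, 4.3521),  # harsh braking
    TelemetrySample(5, 38.0, 0.3, 50.8508, 4.3522),
]


def harsh_events(samples: List[TelemetrySample], threshold_ms2: float = 3.0) -> int:
    """Count samples whose |acceleration| reaches the harsh-event threshold."""
    return sum(1 for s in samples if abs(s.accel_ms2) >= threshold_ms2)


def speeding_fraction(samples: List[TelemetrySample], limit_kmh: float = 50.0) -> float:
    """Fraction of samples above the speed limit (0.0 when there are no samples)."""
    if not samples:
        return 0.0
    return sum(1 for s in samples if s.speed_kmh > limit_kmh) / len(samples)


def compute_local_score(samples: List[TelemetrySample]) -> int:
    """Derive a 0..100 driving score inside the vehicle.

    Constructed rule: start at 100, subtract 10 per harsh event and up to 50
    points proportional to the share of time spent speeding.
    """
    score = 100.0 - 10.0 * harsh_events(samples) - 50.0 * speeding_fraction(samples)
    return int(round(max(0.0, min(100.0, score))))


def build_insurer_payload(samples: List[TelemetrySample], policy_id: str, period: str) -> Dict[str, object]:
    """Build the only message that leaves the vehicle: identifiers and the score.

    The raw samples are deliberately not included; the insurer receives a
    numerical result 'on a defined basis' (here: one period), as the
    guidelines describe.
    """
    payload: Dict[str, object] = {
        "policy_id": policy_id,
        "period": period,
        "score": compute_local_score(samples),
    }
    assert not contains_raw_fields(payload), "raw telemetry must never leave the vehicle"
    return payload


def contains_raw_fields(payload: Dict[str, object]) -> bool:
    """Minimization check: does the outbound payload carry any raw telemetry field?"""
    return any(key in RAW_FIELDS for key in payload)


if __name__ == "__main__":
    msg = build_insurer_payload(CONSTRUCTED_TRIP, policy_id="POLICY-EXAMPLE-0001", period="2020-03")
    print(msg)  # only policy_id, period and score are transmitted
```

The check in `build_insurer_payload` is the point of the pattern: the controller receiving the message can only ever see the score, so a breach or an over-broad access request on the insurer's side cannot expose the behavioural data the score was computed from.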
Anonymization and pseudonymization: If local data processing is not possible, anonymization or pseudonymization may be a good strategy to keep the benefits and mitigate the risks in relation to connected vehicles.
Data protection impact assessments (DPIA): The processing of personal data generated via connected vehicles will often result in a high risk to the rights and freedoms of individuals. Consequently, industry participants are required to perform a DPIA to identify and mitigate the risks as detailed in art. 35 and 36 GDPR. Even when a DPIA is not required, it would be best practice to conduct a DPIA as early as possible in the design process.
The data subject must be informed of, among other things, the identity of the data controller, the purposes of processing, the data recipients, the period for which data will be stored and the data subject’s rights under the GDPR, prior to the processing of personal data. This information may be provided in layers: (i) first-level information, which is the most important, and (ii) information that is presumably of interest at a later stage. Standardized icons could be used in addition to the necessary information.
Rights of the data subject
Data subjects must maintain control over their data during the entire processing period through the implementation of specific tools providing an effective way to exercise their rights. To this end, the EDPB emphasizes the implementation of a profile management system inside the vehicle to store the preferences of known drivers and help them easily change their privacy settings at any time. It is also noted that a change of ownership of a connected vehicle should trigger the deletion of any personal data no longer needed.
Security and confidentiality
Measures must be put in place to guarantee the security and confidentiality of processed data. Moreover, data controllers should take all useful precautions to prevent control being taken by an unauthorized person. In particular, industry participants should, among other things, consider encrypting the communication channels by means of a state-of-the-art algorithm, putting in place an encryption-key management system that is unique to each vehicle (and not to each model) and regularly renewing encryption keys. Concerning vehicle manufacturers more specifically, the EDPB advises, for example, partitioning the vehicle’s vital functions from those always relying on telecommunication capacities and implementing technical measures that enable vehicle manufacturers to rapidly patch security vulnerabilities during the entire lifespan of the vehicle.
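The “unique to each vehicle, not to each model” and “regularly renew” points above translate into a key-derivation design. The following is an added example, not code from the EDPB guidelines or from any manufacturer: a standard-library HKDF (RFC 5869, HMAC-SHA-256) that derives a distinct channel key for each vehicle identifier and rotation epoch from a manufacturer master secret, so that compromise of one vehicle’s key does not expose the others, and a stale key stops being valid once the epoch advances. The master secret, the salt label, the VINs and the rotation period are constructed placeholders; in production the master key would live in an HSM and the derivation would feed a real authenticated-encryption scheme.

```python
"""Per-vehicle, rotating channel keys via HKDF (RFC 5869) with HMAC-SHA-256.

Added example (not from the EDPB guidelines). Master key, salt label, VINs and
the 30-day rotation period below are constructed for illustration only.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes
ROTATION_SECONDS = 30 * 24 * 3600  # constructed: rotate every 30 days


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM); an empty salt means a zero-filled one."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: chain T(i) = HMAC(PRK, T(i-1) | info | i) until 'length' bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds HKDF limit")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def rotation_epoch(unix_time: int) -> int:
    """Map a timestamp to a rotation epoch; keys change when the epoch changes."""
    return unix_time // ROTATION_SECONDS


def derive_vehicle_key(master_key: bytes, vin: str, epoch: int) -> bytes:
    """Derive a 256-bit channel key bound to one vehicle and one rotation epoch.

    Binding the VIN into 'info' makes keys unique per vehicle (not per model);
    binding the epoch makes them renew on schedule without a new master secret.
    """
    prk = hkdf_extract(salt=b"example-fleet-channel-keys", ikm=master_key)  # constructed label
    info = b"vehicle-channel|" + vin.encode("ascii") + b"|" + epoch.to_bytes(4, "big")
    return hkdf_expand(prk, info, 32)


def hkdf_self_test() -> bool:
    """Check the implementation against RFC 5869 test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected_prk = bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
    expected_okm = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )
    prk = hkdf_extract(salt, ikm)
    return prk == expected_prk and hkdf_expand(prk, info, 42) == expected_okm


if __name__ == "__main__":
    master = b"CONSTRUCTED-MASTER-SECRET-DO-NOT-USE"  # would come from an HSM in practice
    now = 1_588_636_800  # 5 May 2020 00:00 UTC, the article date
    epoch = rotation_epoch(now)
    # Two vehicles of the same model get unrelated keys; the same vehicle gets a
    # new key in the next epoch.
    for vin in ("EXAMPLEVIN0000001", "EXAMPLEVIN0000002"):
        print(vin, epoch, derive_vehicle_key(master, vin, epoch).hex())
    print("RFC 5869 self-test:", hkdf_self_test())
```

Deriving rather than storing one key per vehicle also simplifies the manufacturer's side of the “rapidly patch during the entire lifespan” advice: revoking a vehicle or rotating the fleet is a matter of changing the epoch or the master secret, not of re-provisioning every unit by hand.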
Transmitting personal data to third parties
In light of the possible sensitivity of the vehicle-usage data, the EDPB recommends systematically obtaining the data subjects’ consent before their data are transmitted to a commercial partner acting as a data controller. The commercial partner in turn becomes subject to the GDPR provisions for the received data.
Transfer of personal data outside the EU/EEA
Personal data may only be transferred outside the EEA to the extent that such transfer is in accordance with the requirements under Chapter V GDPR.
Use of in-vehicle Wi-Fi technologies
The proliferation of Internet connection interfaces via Wi-Fi poses greater risks to the privacy of individuals. In order to prevent tracking, the EDPB encourages vehicle and equipment manufacturers to implement easy-to-operate opt-out options ensuring that the service set identifier (SSID) of the on-board Wi-Fi network is not collected.
The draft guidelines conclude with some case studies. For instance, the EDPB discusses data subjects contracting with a service provider to obtain added-value services relating to their vehicle, data subjects voluntarily agreeing to take part in accidentology studies aimed at better understanding the causes of road accidents, and data subjects wishing, in the case of theft, to find their vehicle using geolocation.
The EDPB thus tries to guide actors in the automotive industry through the complex connected vehicle ecosystem. We now await the final guidance, which will be adopted after the public consultation period (which ran until 20 March 2020). The EDPB has received more than 60 contributions from companies and industry associations to the public consultation. It will now analyze these comments and prepare the final version of the guidelines. The final version should be published within 6 months.
What should businesses consider when being active in the connected vehicles industry?
Next to the usual GDPR compliance requirements, the EDPB has highlighted a number of technological recommendations that should be considered, such as:
- “In vehicle” data processing to mitigate the potential risks of cloud processing;
- Unique encryption-key management system per vehicle to prevent control being taken by an unauthorized person;
- Implementation of a profile management system inside the vehicle to store the preferences of the driver and to enable him/her to change his/her privacy settings at any time;
- Partition of the vehicle’s vital functions from those always relying on telecommunication capacities to ensure the security of the connected vehicle;
- Implementation of opt-out options for the collection of service set identifier (SSID) of the on-board Wi-Fi network in order to prevent tracking.