In 2017, the French data protection authority ('CNIL') worked with the automotive supply chain, manufacturers, insurance companies, public authorities, and telecoms operators to finalise a compliance package, 'Connected vehicles and personal data'¹ ('the Compliance Package'). The Compliance Package provides a reference framework that serves as a guideline for companies in terms of collecting and exploiting personal data derived from the use of connected vehicles. CNIL has also provided guidance on the use of geolocation services in the automotive sector, having reference to privacy rights and regulations applicable to the geolocation of employees by their employers. However, CNIL and French legislation does not cover all matters concerning vehicles and personal data, such as the use of CCTV cameras in vehicles, which is neither prohibited nor fully lawful.

How do the decisions – and omissions - of CNIL, French, and European legislation interplay with the automotive sector? An overview of the key area of consideration is provided below:

What data is involved?

Vehicle registration

Stakeholders in the automotive sector collect a wide range of personal data relating to the holder of the vehicle registration certificate, such as the name, surname, first name, sex/gender, date and place of birth, company name, SIREN and/or SIRET number, address, and telephone number.

Such stakeholders also collect data relating to the vehicle and the authorisation to drive, such as registration number and country, VIN number (vehicle identification number), technical characteristics of the vehicle, status of the vehicle with regard to the technical inspection, specific and customary mentions, oppositions to the transfer of the registration certificate, declarations of seizure, pledges, withdrawal of the title following the immobilisation of the vehicle, suspension of the registration, destruction of the vehicle, cancellation of the registration, declaration of purchase, declaration of transfer, declaration and conclusion of the expertise reports of damaged vehicles, amount of taxes, registration certificate form number, and date of the first registration.

The French vehicle registration system also involves data relating to the identification of professionals authorised² to transmit such data (motor trade professionals, bailiffs, experts, insurers, wreckers, and credit companies): name, surname, first name, sex/gender, date and place of birth, company name, SIREN and/or SIRET number, contact details, address, number, status and type of authorisation, and method of access to the vehicle registration system.

CNIL provides additional guidance depending on the processing activities which are carried out.

Connected vehicles

For connected cars³, in accordance with the Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the Compliance Package targets all data that can be related to an identified or identifiable natural person, via the number plate or the vehicle serial number. For example, data relating to journeys made, the state of use of parts, the dates of technical inspections, the number of kilometers, or the driving style constitute personal data when they can be linked to a natural person. CNIL identifies three scenarios which companies can be involved in:

• Scenario 1 known as 'IN => IN': the data collected within the vehicle remains within the vehicle without transmission to the service provider. For example, ecodriving solutions in the vehicle process internal data directly in order to provide eco-driving tips in real time. Since IN => IN processing involves data processing which remains within the vehicle (i.e., internal), this is the scenario that CNIL encourages. This situation offers users good guarantees of confidentiality and reduces the obligations of controllers.
• Scenario 2 known as 'IN => OUT': the data collected within the vehicle is transmitted externally to provide a service to the data subject. For example, a 'Pay as you drive' contract entered into between the driver/vehicle owner and an insurance company.
• Scenario 3 known as 'IN => OUT => IN': the data collected within the vehicle is transmitted externally to trigger an automatic action in the vehicle. For example, such a service could be the 'Infotrafic' tool which calculates a new and faster route in the event of a roadtraffic incident.

The Compliance Package includes all 'ordinary' data, linked to an identified or identifiable natural person, via the vehicle registration number or serial number. In addition, the Compliance Package aims to raise awareness on the principles of informational self-determination, transparency, and fairness of collection, which are detailed in the GDPR and the Act. These principles imply, as a minimum, providing information to data subjects and even, in some cases, obtaining their consent. CNIL recommends that stakeholders use a Privacy by Design approach, involving the implementation of easily configurable dashboards, in order to guarantee the user control over their personal data.

Geolocalisation systems and Pay As You Drive

In the context of the implementation of a vehicle geolocation system⁴ such as tracking and eCall technology, the collection of geolocation data is carried out on an exceptional and ad hoc basis at the request of the data subject, with the aim of finding or assisting the driver of the vehicle. In contrast, for Pay As You Drive ('PAYD') geolocation systems, geolocation is used in conjunction with more advanced processing. The processing activity is carried out continuously whilst the vehicle is being driven, which may cause significant privacy concerns. PAYD collects data relating to speed, the processing of which is likely to enable the detection of any speeding offences, which constitute breaches of the highway code. However, Article 9 of the Act lists the persons authorised to implement processing for the purpose of direct disclosure of data relating to offences, which do not include insurance companies or car manufacturers. Therefore, CNIL advises that possible traffic infringements must not be identified and that only the processing of the average speed of the vehicle should be implemented. As regards PAYD, CNIL recommends ensuring data minimisation and to keep processing activities as simple as possible to avoid putting pressure of constant surveillance for drivers. It notes that whilst the collection of data relating to the driving style (e.g. the collection of vehicle acceleration or deceleration, generally used for other purposes such as eco-driving) is technically possible, that processing of such data could be used to ascertain safe or unsafe driving practices which creates challenging proportionality issues.

In-vehicle CCTV and dash-cams

The data collected by CCTV cameras extends to information about an identified or identifiable natural person as it appears on a CCTV system, and may include special categories of personal data of both drivers and passengers revealing racial or ethnic origin, and potentially religious beliefs, as well as data concerning health or data concerning the sex life or sexual orientation, where this is apparent from the footage collected. It may also be possible that CCTV cameras could collect data relating to criminal offences (when recording a traffic accident or an assault) especially where CCTV systems are used in public vehicles, such as buses, taxis, and private hire (VTC) vehicles.

Data collected by facial recognition⁵, a biometric technique of automated recognition of a person based on facial characteristics, is also important to consider. Facial recognition offers a wide range of possible uses, from unlocking a mobile phone to recognising a person wanted by the police, to opening bank accounts. Not all of these uses present the same level of risk, however, when used-in vehicle, facial recognition may present privacy concerns depending on how the data is used (for example, ascertaining an individual's precise location when combined with geolocation data or monitoring a driver's reaction to various incidents, or monitoring for signs of fatigue for accident monitoring and insurance purposes.

Which categories of data subject are involved?

The European Data Protection Board's Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications⁶ apply to vehicle manufacturers, automotive suppliers, car repairers, car dealers, car service providers, car rental and car sharing companies, fleet managers, car insurance companies, entertainment service providers, telecommunication operators, road infrastructure managers, and public authorities, as well as to drivers, owners, vehicle leasees, and passengers.

Controllers may be service providers who process vehicle data to send the driver traffic information, eco-driving messages, or alerts about the operation of the vehicle; insurance companies who offer PAYD contracts; or car manufacturers who collect data on the wear and tear of vehicle parts to improve their quality.

Processors can be equipment manufacturers and automotive suppliers who can process data on behalf of car manufacturers.

What are the obligations of controllers to ensure the rights of data subjects?

French and European legislation sets out data protection rules applicable across all industry sectors. These rules are discussed insofar as they apply to automotive sector below:

The protection of human dignity, rights, and privacy

According to Article 1 of the Act, technologies must be available to all citizens and must not infringe on human identity, human rights, privacy, or individual or public liberties. Paragraph 2 of this article expresses that every individual has the right to decide and regulate how their personal data is used. This right to informational self-determination means that individuals must be able to control the use of their personal data throughout the entire processing procedure.

The data obtained from connected vehicles and geolocation or CCTV systems are not free of rights. The most prominent example is the recordings obtained while travelling. It is therefore forbidden to publish footage on the internet or social media, etc. without the consent of the people appearing in these recordings. When utilised outside a private space, faces, number plates, and anything else that identifies a person in the recordings must be blurred out or deidentified.

The obligation to inform data subjects

The controller is obliged to inform individuals of the existence of a data processing system, the identity of the controller, the purposes of the processing, the categories of data concerned, the recipients (insurer, judge, lawyer, police services), the characteristics of the processing, any transfers of data outside the EU, and the length of time the data is kept. Furthermore, as in any data processing, the rights of the data subjects (access, rectification, deletion, limitation, and opposition) must be made known to them and they must be able to refer to CNIL if these rights are not respected.

However, this obligation may be difficult to implement in the automotive sector. While a sticker or signage can be placed on vehicles equipped with a video surveillance or geolocation system to indicate that it is a connected vehicle, is it nonetheless required to refer to a privacy policy, for example, through providing access via a QR code or URL within any in-vehicle signage.

The obligation to set a data retention period

A precise retention period must be determined by the data controller, depending on the purpose of each processing operation (Article 4(5) of the Act and Article 5(1)(e) of the GPDR). For example, unless the data is anonymised, a data controller cannot retain technical data relating to identified vehicles (particularly by serial number) for an indefinite amount of time. However, situations may occur under which regulations may require a data controller to retain data beyond the time determined time limit. Such data may then be kept in an archive so as long it is necessary to fulfil the obligation in question, subject to the conditions set forth by CNIL⁷.

The obligation on controllers to implement an applicable lawful basis

The entities that process the data must have a legal basis to undertake the processing. According to Article 5 of the Act, a processing operation can occur once the consent of the data subject has been given or when meeting specific conditions that are in compliance with the legal obligation incumbent on the controller, to safeguarding of the data subject's interests during the performance of the service provided by the Controller or the recipient of the data subject to processing.

According to the GDPR, the most appropriate legal basis for the use of CCTV would be legitimate interest, which targets the protection of property and persons for the user as well as the provision of evidence in the event of a claim. However, this legal basis requires the preservation of individual rights, which can be difficult to demonstrate.

The general obligation to have a specific purpose

Companies that carry out processing activities must collect and process the personal data for a specific, explicit, and legitimate purpose. Controllers need to pursue objectives that are defined in advance, in a clear, explicit, and exhaustive manner (Article 4 of the Act and Article 5(1)(b) of the GDPR). Any final use of personal data for a purpose which is not compatible with the primary and stated purpose, will be considered as a misuse. The controller would therefore be subject to administrative or criminal sanctions.

Concerning geolocation, CNIL makes the implementation of automated processing of personal data subject a legitimate purpose. Given the intrusive nature of devices processing vehicle location data and the information that may be associated with it, CNIL considers that, depending on the processing envisaged, the purposes should be defined as follows:

• The purpose of PAYD systems is to adjust the calculation of insurance premiums in light of objective factors observed and, therefore, to encourage drivers to reduce the risks, by refraining from driving during busy period, by limiting the number of kilometres travelled, and by moderating their speed, etc. Processing for this purpose is intended to ensure that policyholders adhere to their commitments in terms of driving time, mileage, and even driving style, which is reflected in their cost of motor insurance.
• The aim of tracking devices is to geolocate a vehicle that has been reported stolen in order to assist with recovery. similarly, emergency call systems allow, following an incident or an accident involving a vehicle, to be put in manual or automatic communication with emergency services and to provide the emergency services with essential information relating to the vehicle and its geolocation in order to provide assistance. The purpose of processing in this instance is to contribute to the protection of human life and road safety. Information supplied and processed for emergency purposes must only be used to provide emergency assistance and for no other purpose.

The obligation of fairness

Article 4(1) of the Act (and Article 5(1)(a) of the GDPR) asserts that any processing of personal data must be carried out under conditions that ensure transparency⁸ and communication of information to the people involved, and should not be implemented without consent or against their interests.

Information provided should be tailored to meet the purpose of the processing operation and proportionate to its objectives. The more complex or intrusive the data is, the more transparency is required, together with appropriate mechanisms for its collection and processing. First, information should be prioritised, i.e., essential information should be highlighted, and other non-essential information should be easily and immediately accessible in an appropriate format. Providing all information in a single block, for example, would not achieve the objective of transparency.

Secondly, the controller should provide an overview of the data processing to be carried out. Where the data processing requires several streams or processes, information relating to each of these streams should be provided in a single document or centralised way, in order for ease of access for data subjects. The information must be clear and understandable format.

Furthermore, according to Article 26 of the GPDR, multiple companies can be jointly recognised as data controllers. It is their joint responsibility to define in a transparent manner their respective obligations, particularly regarding the exercise of rights and the information of the data subject.

In the case of geolocation, a controller/processor may only keep data relating to the location of a vehicle for a period that is relevant to the purpose of the processing operation which justified the geolocation.

In the context of PAYD, if the collection associated with the retention of vehicle location data does not appear to be proportionate to the purpose, the geolocation data should only be retained for the time necessary to characterise each item relevant to the calculation of the insurance premium. If such data were to be kept, it would infringe on the privacy of the persons concerned and violate the freedom to move around anonymously.

In the context of tracking, CNIL recommends that vehicle location data be retrieved and retained only after the theft has been reported. Furthermore, CNIL recommends that vehicle location data should only be recorded from the time the theft is reported and that the retention of such data be limited to the strict requirements of the investigation and prosecution by the relevant law enforcement authorities. In any case, personal data should be deleted at the request of the insured or at the request of any person authorised by the latter, where an investigation does not result in the confirmed theft of the vehicle, or otherwise at the end of the contractual relationship.

In eCall, vehicle location data is only retrieved once the call has been initiated. Following the use of assistance and rescue mechanisms the data must be erased from the processing systems, subject to the requirements of the relevant legislation. This approach follows the principle of data proportionality

Article 4 of the Act and Article 5(1)(c) of the GDPR states that only relevant, adequate, and non-excessive information regarding the purpose of the processing, i.e. its objective, should be processed. The GDPR specifically refers to the principle of 'data minimisation'.

The obligation of safety

In accordance with Article 4(6) of the Act and Article 5(1)(f) of the GPDR, the data controller must implement measures to guarantee the security and confidentiality of the data collected and to prevent disclosure to unauthorised third parties.

The need for data privacy and security applies to the data collected and processed internally within the connected vehicle, as well as to the data transmitted outside the vehicle. General security measures will have to be taken, such as implementing communication channel encryption measures, management of authorisations within the information system processing the data, a robust and secure process for updating equipment, and effective partitioning of the different domains taking part in the processing (vital vehicle functions, communication functions etc.). In order to ensure that security measures are adapted to the risks involved in the processing, CNIL favours the 'IN => IN' scenario, which presents fewer security risks than data processed outside the vehicle. When data is processed internally, the security requirements may be reduced. However, regardless of their location, sensitive data imposes an additional level of security requirements due to the privacy implications if such information were to be accessed by an unauthorised third parties.

The controller shall ensure rigorous management of access controls. CNIL recommends that access to data processing operations should be carried out by an individual with a unique identifier and password, which should be regularly renewed, or by any other means of identification guaranteeing the same level of security. The data controller shall draw up a daily statement of accesses for monitoring purposes. In addition, the controller must also have sufficient and well-trained human resources. CNIL recommends prohibiting the local extraction of location data from the on-board unit. For PAYD and tracking, CNIL recommends that remote access or that the transmission of data via an electronic communications network be carried out using secure protocols (i.e., encryption) enabling the controller to protect against the risks of interception and misuse. Furthermore, CNIL also recommends that procedures be certified by independent experts. More specifically for PAYD, CNIL advises that data be aggregated, if possible, directly in the box so that no detailed information is sent to either the service provider or the insurer. Failing that, CNIL proposes that the data be aggregated by the service provider, who is responsible for sending the data to the insurer.

Security measures must be regularly reviewed and updated relative to risks related to processing, particularly in proportion to the potential seriousness of the impact on the privacy of the individuals concerned. The ability to update security measures over time is therefore also a challenge, particularly regarding the number of vehicles involved and the longevity of these type of products. The controller must take all necessary precautions to ensure the security and confidentiality of the data processed and to prevent it from being distorted, damaged, or made available to unauthorised third parties. CNIL encourages insurance companies and car manufacturers to employ service providers when using these geolocation devices. In accordance with Article 35 of the Act, as amended in August 2004, these relationships should be governed by a contract containing confidentiality and security clauses.

Making consent operational

Article L.34-I-IV of the French Post and Electronic Communications Code ('CPCE') establishes the principle of prior consent of the person subject to the use of any geolocation service. Consequently, the persons concerned must individually and in writing express their consent prior to the implementation of the processing. CNIL recommends that a specific document attached to the contract or a standard contractual clause, indicating that the client's signature constitutes consent to the implementation of geolocation processing. This recommendation applies to all purposes, including emergency call devices, even though any call intended for an emergency service constitutes consent by the user until the of the emergency operation that it initiates is completed. In addition to the consent of motorists, prior information of the latter is mandatory, in accordance with Article 32 of the Act and Article L.34-1-IV of the CPCE. Motorists must be informed individually, prior to the implementation of the processing, of: the purposes for the processing; the categories of data collected; the length of time the geolocation data concerning them will be kept; the recipients or categories of recipients of the data; the existence of a right of access, rectification, and opposition; and the procedures for exercising these rights; if applicable, of the transfers of personal data envisaged to a State outside the EU.

CNIL recommends that the individuals subject to a geolocation device must be informed when the contract is concluded, via the on-board computer, by a distinctive sound signal, by a light on the vehicle's dashboard, or by a reminder on the invoices issued by the data controller. CNIL recalls that each motorist must be able to access the data concerning them by contacting the service or the person previously indicated. Where there is an automatic deactivation system for the geolocation device, Article L. 34-I-IV of the CPCE provides that the possibility for the person concerned to withdraw or suspend their consent to be geolocated at any time and free of charge must be provided for. In the case of geolocation, the withdrawal of consent is generally achieved by deactivating the system.

For anti-theft systems, this should be possible via a deactivation button on the device, which can be combined with a request to the insurance company or car manufacturer to remove the on-board device. For PAYD, however, the possibility of deactivation is somewhat contradictory to the contract itself, as it would no longer allow verification of the driver's commitments. In regards to the emergency call, CNIL states that the installation of an instantaneous deactivation device was recommended in the framework of the Data Protection Directive (Directive 95/46/EC). However, after several years of implementation of emergency call devices in France, CNIL has found that the risks of invasion of privacy appear limited, since geolocation data is only collected and transmitted in the case of a voluntary connection or in the event of an accident involving the triggering of an airbag. In addition, the possibility of manual deactivation would create legal uncertainty, given the problems of proof in the event of damage suffered as a result of an accident not followed by a call. Therefore, CNIL considers that the introduction of instant deactivation in vehicles equipped with an emergency call system cannot be imposed if the system was freely and knowingly acquired by the owner of the vehicle, and that the owner agreed to inform the users of the vehicle of its emergency call equipment.

The use of CCTV systems in-vehicle: the silence of French law

The use of CCTV cameras in vehicles highlights privacy issues and the implications of privacy legislation and the GDPR, since CCTV recordings may include images of a public highway, the faces of users and pedestrians, or the license plates of other vehicles, as well as the recording of drivers and passengers in vehicle may be captured. CNIL clearly states that individuals do not have the right to record images of the public highway, including for their own safety and that of their vehicle. Private individuals can only use CCTV cameras inside their own property (i.e., within their own vehicles). However, the use of dashcams is not prohibited by any specific French legislation or regulation. Notably, CNIL has not made any determinations in connection with the use of dashcams.  

Article 2(2)(c) of the GDPR states that 'this Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity'. According to the Court of Justice of the European Union, the use of CCTV cameras in a vehicle falls outside the private realm and cannot be considered a purely personal or household activity if it extends into public space, even when only partially. Therefore, the use of CCTV cameras in vehicles does not fall under the exception of Article 2(2)(c) of the GDPR, which was confirmed by the EDPB via its Guidelines 3/2019 on processing of personal data through video devices⁹.

The use of CCTV cameras in cars by individuals is also not prohibited if the recordings do not identify anyone or make them identifiable, and if they are not continuous.

Due to the lack of the legislation and the absence of an established position from CNIL, European, and French authorities, it is rather complicated to determine the legal framework for CCTV cameras in cars in France. However, what is certain is that it is necessary to refer to the existing CNIL rules on the protection of personal data, and the law on the protection of privacy. Indeed, Article 226-1 of the French Penal Code prohibits the use and dissemination of images recorded by a dashcam without the authorisation of the individuals appearing in them. The author of the (illegal) video or photo is subject to a fine of €45,000 or one year imprisonment. 

This means that the use of CCTV cameras in vehicles is not prohibited, but the relevant stakeholders are advised to determine their role in the processing via CCTV or dashcam footage and adhere to their respective controller/processor obligations. Indeed, the user responsible for processing must clearly inform users of the vehicle that the vehicle contains CCTV systems and ensure the security and integrity of the data collected in accordance with the principles of data minimisation. The public must be informed that it is being monitored, in accordance with Article 13 of the GDPR. It is also recommended that users obtain authorisation from the prefecture¹⁰ in the area where the system is located, to ensure the authorities are aware a monitoring system/CCTV is in use in the event of a lawsuit. Furthermore, according to the French Highway Code, any camera must be installed in such a way as not to obstruct the driver's view. It must therefore be placed in the right place and it must not be too large. It is also advisable to position the cameras correctly so that they only record the data that is necessary to achieve their purpose, limit when recording occurs, and avoid recording audio, including conversations. To ensure greater data protection, the controller may audit subcontractors and equipment suppliers and undertake a Data Protection Impact Assessment ('DPIA') prior to camera installation, and should not hesitate to inform CNIL of risks to individual rights and freedoms remain present despite mitigating efforts. There are no specific CNIL rules concerning the use of CCTV cameras in vehicles. Public authorities are the only entity with the right to record on public highways, making the use of dashcams by non-public authorities illegal. Notwithstanding, CNIL indicates specific rules for the installation of CCTV cameras for businesses where video surveillance systems that record a place that is not open to the public, no declaration to CNIL is necessary. However, for businesses that use video surveillance systems that record public space, the business must apply for authorisation from the relevant prefecture. CNIL specifies that if the system leads to 'systematic large-scale surveillance of an area accessible to the public', an impact analysis must be carried out. 

Recordings made by connected cars/geolocation/CCTV and legal evidence

Regarding the civil courts in France, Article 9 of the French Code of Civil Procedure states that 'it is incumbent on each party to prove, in accordance with the law, the facts necessary for the success of its claim', and Article 6 § 1 of the European Convention on Human Rights enshrines the right to a fair trial. The use of video surveillance camera recordings made without the consent of the persons recorded constitutes an unfair act and will not be accepted as evidence. Furthermore, unauthorised processing renders the evidence illegitimate and inadmissible in civil courts.

In criminal matters, Article 427 of the French Code of Criminal Procedure establishes the principle of free evidence. As a result, even evidence obtained illegally may be admitted before the criminal court.

As a result, users of connected cars/geolocation or CCTV devices in their car are controllers within the meaning of the GDPR. However, French and European laws and regulations are not clear about the specific application of the GDPR to these types of controllers.

Charlotte Gerrish Founding Lawyer
[email protected]
Gerrish Legal, Paris

1. See: https://www.cnil.fr/sites/default/files/atoms/files/cnil_pack_vehicules_connectes_gb.pdf
2. See: https://www.cnil.fr/fr/cnil-direct/question/le-siv-systeme-dimmatriculation-des-vehicules-cest-quoi (only available in French)
3. See: https://www.cnil.fr/en/connected-vehicles-compliance-package-responsible-use-data
4. See: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000022205712/ (only available in French)
5. See: https://www.cnil.fr/fr/definition/reconnaissance-faciale (only available in French)
6. See: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012020-processing-personal-data-context_en
7. See deliberation No. 2005-213 of October 11, 2005: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000017651957/ (only available in French)
8. See: https://www.cnil.fr/fr/conformite-rgpd-information-des-personnes-et-transparence#:~:text=La%20CNIL%20fait%20le%20point%20sur%20les%20mesures,de%20leurs%20droits.%20Pour%20les%20responsables%20de%20 (only available in French)
9. See: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201903_video_devices_en_0.pdf
10. See: https://www.cnil.fr/fr/la-videosurveillance-videoprotection-sur-la-voie-publique (only available in French)