EU: EDPB issues guidelines on connected vehicles
On 28 January 2020, the European Data Protection Board ('EDPB') issued, for consultation, draft guidelines on the processing of personal data in the context of connected vehicles ('the Guidelines'). The long-awaited final Guidelines were issued on 9 March 2021 and, despite the numerous sets of comments received on the draft, they are almost identical to it. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, discusses the contents of the Guidelines, who they may apply to, and specific considerations to examine when collecting and processing connected vehicle data.
Vehicles are collecting and processing increasing quantities of information. Some even say that you are no longer driving a car, you are actually driving a computer. While a lot of the information is just about the performance of the vehicle, some of it can be used to identify the individuals using the vehicle and will thus constitute 'personal data' under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
The EDPB stated that, 'the challenge is for each stakeholder to incorporate the 'protection of personal data' dimension from the product design phase, and to ensure that car users enjoy transparency and control in relation to their data.'
But, how is this done in practice? Below is a breakdown of the key points discussed in the guidelines.
To whom does this apply?
The Guidelines deal with personal data processing in relation to the non-professional use of connected vehicles by drivers, passengers, vehicle owners and other road users. They deal with data:
- processed inside the vehicle;
- exchanged between the vehicle and personal devices connected to it (e.g. the user's smartphone); or
- collected within the vehicle and exported to external entities (e.g. vehicle manufacturers, infrastructure managers, insurance companies, car repairers) for further processing.
However, many of the principles and recommendations in the Guidelines will also be applicable to other types of processing.
The Guidelines pertain to data collected through vehicle sensors, telematics boxes, or mobile applications. Collection by mobile applications is only in scope if it is related to the environment of driving, e.g. navigation apps. Apps that only suggest places of interest, for example, fall outside the scope.
The Guidelines (and the GDPR) do not apply to use or processing performed by individuals within the vehicle that falls within a 'purely personal or household activity.' However, they do apply to the controllers or processors which provide the means for the processing for these activities.
It applies to the following, non-exhaustive, list of stakeholders: vehicle manufacturers, equipment manufacturers and automotive suppliers, car repairers, automobile dealerships, vehicle service providers, rental and car sharing companies, fleet managers, motor insurance companies, entertainment providers, telecommunication operators, road infrastructure managers, and public authorities, as well as drivers, owners, renters, and passengers.
Who are the data controllers?
In the context of connected vehicles, data controllers may be service providers that process vehicle data to send the driver traffic information, eco-driving messages, or alerts regarding the functioning of the vehicle; insurance companies offering 'Pay As You Drive' contracts; or vehicle manufacturers gathering data on the wear and tear affecting the vehicle's parts to improve its quality.
Who are the data processors?
Data processors in the data protection ecosystem may be equipment manufacturers and automotive suppliers who process data on behalf of vehicle manufacturers.
What is the scope of personal data involved?
As per the EDPB, even if the data collected by a connected car is not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car and may thus constitute personal data under the GDPR. This includes: (i) vehicle usage data: e.g. the driving style, speed, distance covered; (ii) vehicle technical data e.g. data relating to the wear and tear on vehicle parts, engine coolant temperature, engine RPM, tyre pressure, or data collected by cameras that may concern driver behaviour, as well as information about other people who could be inside; or (iii) metadata e.g. vehicle maintenance status. By cross-referencing these with other files, and especially the vehicle identification number (VIN), they can be related to a natural person.
The fact that there are potentially several users of the vehicle does not change the personal nature of the data. Per the EDPB, the vehicle can be considered as a terminal that can be used by different users.
What is the legal basis?
The EDPB posits that the connected vehicle and every device connected to it is, in fact, 'terminal equipment' (just like a computer, a smartphone, or a smart TV). Therefore, the provisions of Article 5(3) of the ePrivacy Directive apply. This means that consent is required for the storing of any information in the vehicle, or for gaining access to information already stored in it.
The only exceptions to this are when storing/accessing of the data is carried out:
- for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- when it is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
For example, consent is not needed when data processing is necessary to provide GPS navigation services requested by the data subject when such services can be qualified as information society services.
Applying the ePrivacy Directive in this context also means that data can only be further processed either if the controller seeks additional consent for this additional purpose or if it can demonstrate that it is based on an EU or Member State law to safeguard the objectives referred to in Article 23(1) of the GDPR. For example, telemetry data, which is collected during the use of the vehicle for maintenance purposes, may not be disclosed to motor insurance companies without the users' consent for the purpose of creating driver profiles to offer driving behaviour-based insurance policies.
Even if ePrivacy does not require consent, the controller must find a legal basis under Article 6 of the GDPR for the processing.
How do you operationalise transparency?
As with the processing of any personal data, data controllers must adequately inform vehicle drivers and passengers of the processing taking place in or through the connected vehicle, including presenting to them all the elements required by Article 13 or Article 14 of the GDPR, as applicable. Where several data controllers are involved, for example when data subjects cross borders and services that interact with the connected vehicle are provided by new data controllers, each new controller should provide data subjects with the required information.
In the context of a connected vehicle, there is a risk that this will not be properly done as the notice may be provided to the wrong individual (i.e. just the vehicle owner who is not the driver) or that it would not be provided in a timely manner.
In order to be most effective, the information may be provided in layers. Layer 1 should include: the identity of the data controller, the purpose of the processing, and a description of the data subject's rights, as well as any additional information on the processing which has the most impact on the data subject and processing which could surprise them. This generally includes naming each recipient of the data or, if controllers cannot provide the names of the recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector, and the location of the recipients.
This can be done by concise and easily understandable clauses in the contract of sale of the vehicle, in the contract for the provision of services, and/or in any written medium, by using distinct documents (e.g., the vehicle’s maintenance record book or manual) or the on-board computer. Standardised icons visible in the vehicle can also be used.
How do you operationalise consent?
Consent must be free, specific, and informed, as well as constituting an unambiguous indication of the data subject's wishes as interpreted by the EDPB guidelines on consent. It needs to be provided separately, for specific purposes, and may not be bundled with the contract to buy or lease a new car. Consent must also be as easily withdrawn as it is given and individuals must be able to refuse specific processing purposes.
Classic mechanisms used to obtain individuals' consent may be difficult to apply in the context of connected vehicles because of the many locations in which consent is collected, as well as the multiple users of the car. In addition, consent might also be difficult to obtain for drivers and passengers who are not related to the vehicle's owner in the case of second-hand, leased, rented, or borrowed vehicles.
What about Data Protection by Design and by Default?
Car manufacturers and service providers, when acting as data controller or data processor, must develop secure in-car applications with due respect to the principle of Privacy by Design and by Default.
The EDPB recommends that data that leaves the vehicle should, to the extent possible, be anonymised before being transmitted. Other techniques, such as pseudonymisation, can also help minimise the risks generated by the data processing.
The EDPB suggests the following considerations:
- Collect only the categories of data that are needed, relevant and necessary for the processing.
- Local processing: wherever possible, use processes that do not involve personal data or transferring personal data outside of the vehicle. Implement adequate security measures to ensure that local processing remains local.
- If local processing is not possible, use 'hybrid processing' – i.e. process raw information on the device and share with third parties (e.g. insurance companies) only in the form of numerical scores on a defined basis (e.g. monthly).
- Develop a secure in-car application platform which is physically divided from safety relevant car functions so that the access to car data does not depend on unnecessary external cloud capabilities.
- Provide information regarding the processing in the driver's language (manual, settings, etc.).
- Process by default only data strictly necessary for the vehicle functioning.
- When sending data outside the vehicle, consider anonymisation (taking into account all processing involved that could potentially lead to re-identification of the data) and pseudonymisation.
- Provide data subjects with the possibility to activate or deactivate the data processing for each additional purpose and controller/processor, and to delete the data concerned.
- Retain data only for as long as is necessary for the provision of the service or otherwise required by EU or Member State law.
- Allow data subjects to delete permanently any personal data before the vehicles are put up for sale.
- Allow data subjects, where feasible, to have direct access to the data generated by these applications.
What about information security?
A connected vehicle is a type of Internet of Things ('IoT') device. As such, it is prone to the same information security concerns as IoT devices, but with potentially greater stakes. This is because, unlike most IoT devices, connected vehicles are critical systems where a security breach may endanger the life of its users and people around them. In addition, the plurality of functionalities, services, and interfaces (e.g. websites, USB, radiofrequency identification, WiFi) offered by connected vehicles increases the attack surface, and thus, the number of potential vulnerabilities through which personal data could be compromised.
The EDPB lists criteria for data protection methods which include: encrypting the communication channels by means of a state-of-the-art algorithm; putting in place an encryption-key management system that is unique to each vehicle, not to each model; encrypting data stored remotely by means of state-of-the-art algorithms; and hashing.
In connection with the risk of the processing, the EDPB says that, given the scale and sensitivity of the personal data that can be generated via connected vehicles, it is likely that processing, particularly in situations where personal data is processed outside of the vehicle, will often result in a high risk to the rights and freedoms of individuals and therefore, would likely require conducting a Data Protection Impact Assessment ('DPIA') in accordance with Articles 35 and 36 of the GDPR.
In addition, the EDPB recommends that the sale of a connected vehicle and the ensuing change of ownership should also trigger the deletion of any personal data which is no longer needed for the previous specified purposes.
What about data subject rights?
The issue of addressing data subject rights in the context of connected vehicles raises an added complication because of the multiple types of data subjects: owner, driver(s), and passengers.
The EDPB recommends addressing this by implementing a profile management system inside the vehicle in order to store the preferences of known drivers and help them to easily change their privacy settings at any time. The profile management system in a vehicle should centralise every data setting for each data processing, especially to facilitate the access, deletion, and removal of personal data from vehicle systems at the request of the data subject.
Drivers should be able to stop the collection of certain types of data, temporarily or permanently, at any moment, unless there is a specific legal ground that the controller can rely on to continue the collection of specific data. These features should be implemented inside the vehicle, although they could also be provided to data subjects through additional means (e.g. a dedicated application). Furthermore, in order to allow data subjects to quickly and easily remove personal data that can be stored on the car's dashboard (for example, GPS navigation history, web browsing, etc.), the EDPB recommends that manufacturers provide a simple functionality (such as a delete button).
The sale of a connected vehicle and the ensuing change of ownership should also trigger the deletion of any personal data which is no longer needed for the previous specified purposes, and the data subject should be able to exercise his or her right to portability.
The EDPB discusses four use cases of particular sensitivity:
Location data
- Stakeholders must be aware that the use of location technologies requires the implementation of specific safeguards in order to prevent surveillance of individuals and misuse of the data.
- Collect location data only when necessary. If the gyroscope is sufficient for the purpose, do not collect location data. Activate geolocation tracking only when a user activates a functionality that requires it, not by default or continuously. Then inform the user that geolocation has been activated, in particular by using icons (e.g. an arrow that moves across the screen).
- Configure the frequency of access to, and of the level of detail of, geolocation data collected relative to the purpose of processing. For example, a weather application should not be able to access the vehicle's geolocation every second, even with the consent of the individual.
- Provide accurate information on the purpose of processing (e.g. is geolocation history stored? If so, what is its purpose?).
- Obtain valid consent separate from the general conditions of sale or use, for example on the onboard computer.
- Provide the option to deactivate geolocation at any time.
- Define a limited storage period.
Biometric data
- Use of biometrics should not be mandatory. You must provide an alternative (e.g. using a physical key or a code) without additional constraint.
- Store and process biometric data only locally and in an encrypted format.
- Ensure that the biometric authentication solution is sufficiently reliable.
- Process the raw data used to build the biometric template and to authenticate the user in real time, without ever storing it, even locally.
Data revealing offences
- Process such data only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects as stated in Article 10 of the GDPR.
- Allow only local processing.
- Implement sufficient information security mechanisms.
Data collected by third parties
- To avoid misuse of data collected via a telematics box, raw data regarding driving behaviour should, to the extent possible, be processed either: (i) inside the vehicle, in the telematics box or in the user's smartphone, so that the third party only accesses the result data; or (ii) by a telematics service provider on behalf of the controller, with transfers to the controller on a defined basis and with the telematics provider not privy to the identity of the driver or the policy holder (such as name, licence plate, etc.).
- Retain raw data only for as long as required to elaborate the aggregated data and to check the validity of that aggregation process.
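The 'hybrid processing' pattern recommended in the Data Protection by Design section (score raw driving data locally, share only periodic scores) and the telematics handling just described can be illustrated in code. The following Python module is an added example, not code from the Guidelines or from any manufacturer or telematics provider: raw samples are scored inside the vehicle, the only record that leaves the vehicle carries a monthly score and a keyed pseudonym of the VIN rather than the VIN itself, and a month's raw samples are purged once its exported score has been re-validated against them. The sample layout, the scoring thresholds, the VIN and the controller key are all assumptions constructed for this example.

```python
"""Hybrid processing of driving-behaviour telematics (illustrative example).

Raw samples are scored inside the vehicle (or the telematics box); only a
monthly score and a keyed pseudonym of the vehicle leave it, and the raw
samples for a month are purged once that month's score has been exported
and re-validated. Sample layout, thresholds, VIN and key are constructed
assumptions for this example, not values from the Guidelines.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac

# Illustrative thresholds (assumptions), not figures from the Guidelines.
HARSH_ACCEL_MS2 = 3.0
SPEED_LIMIT_KMH = 130.0
PSEUDONYM_HEX_LEN = 16


@dataclass(frozen=True)
class RawSample:
    ts: int           # UTC epoch seconds
    speed_kmh: float
    accel_ms2: float  # longitudinal acceleration; negative = braking


def _ts(year, month, day, hour=8):
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


def _in_month(ts, year, month):
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return dt.year == year and dt.month == month


# Constructed raw data: five samples in March 2021, two in April 2021.
SAMPLES = [
    RawSample(_ts(2021, 3, 1), 50.0, 1.0),
    RawSample(_ts(2021, 3, 5), 60.0, 3.5),    # harsh acceleration
    RawSample(_ts(2021, 3, 9), 140.0, 1.0),   # over the speed limit
    RawSample(_ts(2021, 3, 14), 70.0, -1.0),
    RawSample(_ts(2021, 3, 22), 80.0, 0.5),
    RawSample(_ts(2021, 4, 2), 90.0, 0.5),
    RawSample(_ts(2021, 4, 7), 100.0, -3.2),  # harsh braking
]

VIN = "WVWZZZ1JZ3W386752"                      # constructed VIN, not a real vehicle
CONTROLLER_KEY = b"example-controller-secret"  # assumption: secret held only by the controller


def monthly_score(samples, year, month):
    """Score one month's driving in [0, 100]; None if there were no samples.

    Each sample that exceeds the speed limit or the harsh-acceleration
    threshold counts as one event; the score is 100 minus the event rate.
    """
    in_month = [s for s in samples if _in_month(s.ts, year, month)]
    if not in_month:
        return None
    events = sum(
        1 for s in in_month
        if s.speed_kmh > SPEED_LIMIT_KMH or abs(s.accel_ms2) > HARSH_ACCEL_MS2
    )
    return round(100.0 * (1 - events / len(in_month)), 1)


def pseudonym(vin, key):
    """Keyed hash (HMAC-SHA256) of the VIN: stable per vehicle, but not
    reversible by a recipient who does not hold the controller's key."""
    return hmac.new(key, vin.encode(), hashlib.sha256).hexdigest()[:PSEUDONYM_HEX_LEN]


def export_record(vin, key, samples, year, month):
    """Build the only record that leaves the vehicle for a given month."""
    score = monthly_score(samples, year, month)
    if score is None:
        return None
    record = {"subject": pseudonym(vin, key),
              "period": f"{year}-{month:02d}",
              "score": score}
    # Guard against accidentally exporting the direct identifier.
    if vin in str(record):
        raise ValueError("raw identifier would leave the vehicle")
    return record


def purge_raw(samples, year, month, exported):
    """Retention step: re-validate the exported score against the raw samples,
    then drop that month's raw samples and keep only the remaining ones."""
    if exported is None or exported["score"] != monthly_score(samples, year, month):
        raise ValueError("exported score does not match raw data; keep raw samples")
    return [s for s in samples if not _in_month(s.ts, year, month)]


if __name__ == "__main__":
    rec = export_record(VIN, CONTROLLER_KEY, SAMPLES, 2021, 3)
    print(rec)
    print(len(purge_raw(SAMPLES, 2021, 3, rec)), "raw samples retained")
```

The design choice worth noting is that the pseudonym is a keyed hash rather than a plain hash of the VIN: an insurer or other recipient receiving only the monthly record cannot recompute it from a list of VINs without the controller's key, which keeps the telematics output usable for scoring while the identity stays with the controller.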
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia