Germany: Data Protection in the Automotive Sector
1. Governing Texts
1.1. Legislation
Autonomous driving and self-driving or connected vehicles allow the collection of large amounts of data. In addition to personal data, information on the condition of the relevant car is collected as well. Most of the data collected is primarily technical data. By linking it to other data, such as the vehicle identification number, the data may be assigned to the owner or the driver, and may become personal data. Furthermore, during automated and autonomous driving, data is collected from the outside world and third parties in the surrounding environment.
The processing of personal data of natural persons within Germany is in general regulated by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The GDPR is supplemented and specified by the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (as amended) ('the Federal Data Protection Act') and different specific data protection laws. These data privacy laws are also applicable to the automotive sector and constitute the legal framework.
Levels of autonomous driving
In accordance with the report of the Federal Highway Research Institute developed in 2012, five different levels of automation in automated driving may be differentiated under German law. In levels one (assisted driving) and two (partly automated driving), the driver must constantly monitor the driving. The difference between the two levels is that, in level two, the steering and acceleration or deceleration is taken over by corresponding systems in the car. In the third level (highly automated driving), systems are capable of recognising their limits and the driver needs to be ready to resume control if the system requests it. Level four (fully automated driving) enables the driver to hand over the entire driving task to the system in (legally) defined cases. In level five (autonomous, i.e. driverless driving), the driver is no longer required at all. The system can take over the entire driving task in all cases. This classification deviates from the international classification of the Society of Automotive Engineers, which describes six levels.
Depending on the degree of automation, the human driver has to fulfil and observe different duties and requirements. The legal requirements for cars with autonomous driving functions (equivalent to level four) have been recently legally defined in Germany in the new Autonomous Driving Act (only available in German here). It adds new provisions to the German Road Traffic Act (only available in German here) ('StVG'). Even though the Autonomous Driving Act does not contain any restrictions on the scope of application, it mainly aims at commercial operational scenarios, such as shuttle transports, people movers, and Hub2Hub transport. It contains two regulatory areas, namely the regular operation of autonomous driving functions, and the trial operation for automated and autonomous driving functions on public roads.
Overview of applicable data protection laws
German data protection regulations become applicable if personal - and not only technical - data is processed.
At present, the following data protection rules are (potentially) applicable in relation to the automotive sector:
- the GDPR;
- the Federal Data Protection Act;
- the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (only available in German here) ('TTDSG'); and
- the StVG.
GDPR
The GDPR has applied since 25 May 2018 and replaced the Data Protection Directive (Directive 95/46/EC) and its national implementations. The GDPR contains no standards or content specifically related to automated or autonomous vehicles or driving and is considered technology-neutral. Whether the GDPR applies at all depends on the type of data being processed, distinguishing between personal and non-personal data. Under the GDPR, personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Article 4(1) of the GDPR).
Specific standards of data protection
In addition to the GDPR, other specific data protection laws apply as well. The most important specific laws applicable to autonomous driving and data processing are the Federal Data Protection Act, the TTDSG, and the StVG.
TTDSG
The TTDSG came into force on 1 December 2021. The TTDSG brings together different provisions of the Telecommunications Act of 2021 (only available in German here) ('TKG') and the Telemedia Act of 2007 ('TMG') and implements the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'). The TTDSG regulates privacy and data protection in electronic communication in Germany, and provides new rules on cookies and similar technologies. One of the purposes is the protection of private remote communications (Section 3 of the TTDSG).
The TTDSG applies, inter alia, to providers of telecommunications and telemedia services and to natural persons or legal entities involved in the provision of such services. Telemedia services are all electronic information and communication services, unless they are telecommunications services, telecommunications-based services, or broadcasting. In the automotive sector, the TTDSG therefore covers in particular manufacturers of connected cars that provide internet connectivity and offer telecommunications or telemedia services, as well as independent application providers.
StVG
The StVG contains specific standards for automated and autonomous driving functions based on the levels of automation described in the Introduction. Since 21 June 2017, a previous version of the Autonomous Driving Act regulates the operation of highly automated vehicles (level three), by integrating relevant provisions into the StVG, and allows their use. On 28 July 2021, the new Autonomous Driving Act came into force, creating a new legal framework for cars with autonomous driving functions (level four) in Germany. New specific standards regulate the use of vehicles with autonomous or self-driving functions in public road traffic in the operating areas predefined by the responsible authorities in the different states of Germany. The main difference to the previous legal situation is that the presence of drivers, who needed to be ready to intervene, is no longer necessary. This enables, for example, cases of 'mobility as a service' or 'transport as a service'. Moreover, standards have been defined to regulate the decision-making by the self-driving systems and the responsibility of the car owner as the technical supervisor legally responsible for the car. In contrast to conventional motor vehicles and those with automated driving functions up to level three, there is basically no possibility for a human being to control the motor vehicle. Therefore, in order to establish compatibility with existing international regulations, the responsible natural person as the technical supervisor is considered to be responsible for deactivating the vehicle from the outside, if necessary, initiating driving manoeuvres and traffic safety measures. The obligation to ensure that the tasks of the technical supervisor are fulfilled lies with the owner. The owner may entrust another person with fulfilling such task; however, in this case the owner must accept the liability for the fault of the entrusted person.
The StVG includes data protection standards for automated vehicles and vehicles with autonomous driving functions (Sections 1(g) and 63(a) of the StVG). The owner of a motor vehicle with autonomous driving functions is obliged to store numerous data when operating the motor vehicle, including the vehicle identification number ('VIN'), position data, information on the activation and deactivation of the autonomous driving function, data on environmental and weather conditions, speed, longitudinal and lateral acceleration, networking parameters, such as transmission latency and available bandwidth, name of activated and deactivated passive and active security systems, as well as commands and information sent externally to the motor vehicle (Section 1(g)(1) of the StVG). This data is collected by means of various sensors, optically with cameras, with lidar and radar, sound waves, and GPS. This data can be categorised as identification and feature data, and contains a personal reference due to its connection to the VIN. The owner is obliged to provide the Federal Motor Transport Authority ('KBA'), upon request, with such data, if this is required by the KBA for the performance of its duties for monitoring the safe operation of vehicles with autonomous driving function. The same applies to the authority responsible under federal or state law or, on federal trunk roads where the Federal Government is responsible for administration, the private-law company within the meaning of the Infrastructure Company Establishment Act (only available in German here) ('InfrGG').
The StVG determines that the data listed in Section 1(g)(1) of the StVG has to be stored in the case of an intervention by the technical supervisor (the natural person appointed for this task, who may be, or be entrusted by, the owner) and in conflict scenarios, in particular accidents and near-accidents, unscheduled lane changes, swerving, and malfunctions in the operating sequence. Recordings in a conflict scenario are intended to make the interaction of motor vehicles with autonomous driving functions with other road users comprehensible. In order to assess the safety and behaviour of such vehicles in near-accidents, data from these situations is recorded and processed. The recording and storage of interventions by the technical supervisor is intended to ensure that the causes of an intervention in the operational process and the factors triggering it can be assessed. In this regard, the rules for automated driving at level three and autonomous driving at level four have been aligned. For that purpose, the manufacturer of a motor vehicle with an autonomous driving function must equip the vehicle in such a way that the owner is actually able to store this data.
The KBA is entitled to make the non-personal data, collected from the owner, available to the various bodies for traffic-related public benefit purposes, in particular for the purpose of scientific research in the field of digitalisation, automation, and networking, and for the purpose of road traffic accident research. These bodies include colleges and universities, non-university research institutions, federal, state, and local authorities with research, development, transport planning, or urban planning tasks.
Relationship between the applicable laws
As an EU-wide regulation, the GDPR takes precedence over any conflicting national law, and applies directly in the EU Member States, including Germany. The Federal Data Protection Act is a national legislation, which complements and specifies the provisions of the GDPR in certain areas. The StVG also is a national legislation, and applies in addition to the GDPR as a specific data protection law for vehicles with autonomous driving functions, providing a legal basis for the KBA for the processing of personal data. Finally, the TTDSG provides specific rules for the data processing in the context of telecommunications and telemedia.
Connected Vehicles: There is no specific law for connected vehicles. However, different data protection regulations, such as the GDPR, the Federal Data Protection Act, and the TTDSG apply to connected cars, insofar as personal data is processed. A clear, legal demarcation in the automotive sector is still difficult.
Autonomous vehicles: Automated vehicles and vehicles with autonomous driving functions are both regulated by the StVG. Under the new rules of the StVG (Sections 1(d) and 1(e)(1)(3) of the StVG), autonomous driving is now permitted in Germany, but only in operating areas specified by the responsible authority under federal or state law. The registered owner is primarily responsible for recording, storing, and transmitting the data generated by a vehicle with an automated driving function (Section 63(a) of the StVG) or with an autonomous driving function (Section 1(g)(1) of the StVG).
Telematics: In terms of telematics, the GDPR, the Federal Data Protection Act, and the TTDSG apply.
Vehicle geolocation: The GDPR, the Federal Data Protection Act, and the TTDSG are applicable for vehicle geolocation.
Manufacturers: The manufacturer's obligations are regulated in Section 1(f)(3) of the StVG. In order to ensure the road safety of the vehicle, the manufacturer must prove, throughout the entire development and operating period of the vehicle, that the electronic and electrical architecture of the motor vehicle, and of everything connected to it, is protected against attacks. The manufacturer must also carry out a risk assessment and prove that the radio connection is sufficient. The manufacturer must declare the requirements for the technical equipment of autonomous vehicles in a binding manner in the system description submitted to the KBA and in the operating manual of the respective motor vehicle. The system description must guarantee that the installed parts and systems comply with the legal requirements. In addition to the technical specifications, to be defined in more detail by a legal ordinance, whose fulfilment leads to the granting of the operating permit for an autonomous vehicle, a so-called manufacturer's declaration is necessary. It must guarantee the legality of installed technical equipment and parts which, for example through further development, provide an effective solution to the existing requirements but are not yet standardised. This manufacturer's declaration to the KBA is made as part of the application for the operating permit for an autonomous vehicle. In addition, the manufacturer must offer training for the persons involved in the operation, conveying the technical functionalities, in particular with regard to the driving functions and the performance of the tasks of technical supervision. Furthermore, as part of its general product monitoring obligation, the manufacturer must immediately notify the KBA and the authority responsible under state law of any manipulation detected on its motor vehicles, and initiate any necessary measures, such as recalls.
Further to the above, the data of the vehicle can be requested to be disclosed by law enforcement authorities in accordance with the Code of Criminal Procedure. For the definition of usage data, the Code of Criminal Procedure refers to the TTDSG. According to this definition, usage data is the personal data of a telemedia user, whose processing is necessary to enable and bill the use of telemedia, which includes, in particular, features for identifying the user, information about the beginning and end, as well as the scope of the respective use, and information about the telemedia used by the user. The vehicle's GPS location data may be such usage data if, for example, it is required to use a service provided by the manufacturer.
The growth of new mobility services in the area of digital intermediation of rides and ridesharing services is also supported by the revision of the Passenger Transport Act (only available in German here), which entered into force on 1 August 2021. Two new categories of transport have been added: regular on-demand transportation services and bundled on demand-transportation services. The latter comprises ride pooling services which will thus finally get a specific legal basis for authorisation, and may become a central component of the future passenger transport in Germany. Upon execution of an order, bundled on-demand transportation services are obliged to return to their respective business location, unless the drivers have received new transport orders before or during the journey. Rental cars will still need to return and are not allowed to pick up passengers from the street, as they are not subject to the exception implemented for bundled on-demand transportation services. On the basis of the updated passenger transportation framework, static data (e.g. timetables and fares) and dynamic data (e.g. disruptions, delays, estimated departure, and arrival times) will have to be made available in 2022. Details of data collection will be regulated in an ordinance on mobility data, which is still to be finalised.
1.2. Regulatory authority guidance
- Guidelines 01/2020 on Processing Personal Data in the Context of Connected Vehicles and Mobility Related Applications (version 2.0, adopted 9 March 2021) ('Guidelines 01/2020'), issued by the European Data Protection Board ('EDPB');
- Technical guidelines for cooperative intelligent transport systems (only available in German here), issued by the Federal Office for Information Security ('BSI');
- Automotive industry situation report (only available in German here), issued by the BSI; and
- the European Union Agency for Cybersecurity ('ENISA') Report on Data Protection Engineering (27 January 2022).
2. Key Definitions
- Vehicle Identification Number ('VIN'): No legal definition of the VIN (alone or in combination with further identifiers) exists under German law.
- Location data: Data processed in a telecommunications network or by a telecommunications service that indicates the location of the terminal equipment of a user of a publicly available telecommunications service (Section 3(56) of the TKG).
- Telematic data: No legal definition for telematic data exists under German law.
- Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the GDPR and Section 46(23) of the Federal Data Protection Act).
- Metadata: No legal definition for 'metadata' exists under German law.
- Voice data: No legal definition for 'voice data' exists under German law.
- Video data: No legal definition for 'video data' (inside/outside the vehicle) exists under German law.
- Anonymisation: The GDPR does not define anonymisation; Recital 26 of the GDPR describes anonymous information as information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. A statutory definition of anonymisation no longer exists in German law. Section 3(6) of the Federal Data Protection Act in its old version (in effect until 24 May 2018) defined anonymisation as the alteration of personal data in such a way that the individual details of personal or factual circumstances can no longer be attributed to a specific or identifiable natural person, or can only be attributed to such a person with a disproportionate amount of time, cost, and effort. On the question of whether a person is identifiable, the Court of Justice of the European Union has ruled that not only the knowledge and resources of the processing entity must be considered, but also any additional knowledge which the processing entity can access without disproportionate effort.
- Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. The GDPR and other data protection laws apply to pseudonymised data, because it is still considered personal data (Article 4(5) of the GDPR).
- Data processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction (Article 4(2) of the GDPR; Section 46(2) of the Federal Data Protection Act).
- Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).
- Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).
- Manufacturer: Within the meaning of the Product Liability Act, a manufacturer is whoever has manufactured the final product, a raw material, or a partial product. Anyone who presents themselves as the manufacturer by affixing their name, trademark, or other distinctive sign is also deemed a manufacturer. A manufacturer is furthermore any person who imports or brings a product into the territory of the Agreement on the European Economic Area for the purpose of sale, rental, hire-purchase, or any other form of distribution with an economic purpose in the course of their business activities (Section 4(1) and (2) of the Product Liability Act ('ProdHaftG')).
3. Supervisory Authority
At federal state level, the various State Commissioners for Data Protection and Freedom of Information ('LfDI'), i.e. the supervisory authorities of the States, are the competent supervisory authorities for supervising data protection compliance with regard to personal data for non-public bodies, i.e. private companies (Article 51(1) of the GDPR and Section 40(1) of the Federal Data Protection Act).
The KBA is responsible for the testing and the procedure for issuing an operating permit for vehicles with autonomous driving functions. It is also responsible for type approval and type testing of vehicles and vehicle parts. Among other documents, the manufacturers of an autonomous vehicle must submit a system description and an operating manual to the KBA. The system description of the vehicle must guarantee that the installed parts and systems meet the legal requirements. For the purpose of monitoring the safe operation of the autonomous vehicle, the KBA may process identification and characteristic data collected from the owner, as well as the personal data of the person assigned as technical supervisor.
4. Connected Vehicles
Transparency
Next to self-determination and data security, one of the elementary data protection principles for connected vehicles is transparency. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject pursuant to Article 5(1)(a) of the GDPR. The data subject, the driver or passenger of the connected vehicle, should have knowledge of the data processing. Furthermore, according to Recital 39 of the GDPR, it should be transparent to natural persons that personal data concerning them are collected, used, or otherwise processed. The persons concerned must be informed comprehensively and transparently about the collection and processing of data in the networked car. Therefore, any information and communication relating to the processing of personal data must be easily accessible and easy to understand (Recital 56 of the GDPR). The principle of transparency requires that clear, plain, and comprehensive language is used. Such information about the data collection and processing can be provided in electronic form through a website, car display, or media book inside the car with further references to websites. The data controller has to provide the data subject with different information at the time when personal data is obtained (including identity and contact details of the controller, the purpose of processing, the recipients, or categories of recipients of the personal data) (Articles 13 and 14 of the GDPR).
Practical implications
The manufacturers of connected cars must ensure that there is a possibility to provide information about data collection and processing inside the car. The driver, or in general the users, need to be informed upfront about the possible collection of data. This could happen, for example, when position data is added to the profiles of registered users. Therefore, manufacturers could integrate welcome screens with further data information and the option for consent. Additionally, special icons or symbols integrated in the car could indicate the networking status and the data collection. The EDPB in its Guidelines 01/2020 recommends standardising those icons, so that users find the same symbols regardless of the make or model of the vehicle.
Choice and Consent
Data processing is lawful if the data subject has given consent to the processing of their personal data for one or more specific purposes, or if a statutory legal basis allows the processing (Article 6 of the GDPR). Where consent is relied on, the controller must be able to demonstrate that the data subject has consented to the processing operation; a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language (Recital 42 of the GDPR). Besides the GDPR, consent may also be required under the TTDSG. Storing information in the end-user's terminal equipment, or accessing information already stored there, is only permitted if the end-user has consented on the basis of clear and comprehensive information (Section 25(1) of the TTDSG); that information and consent must meet the requirements of the GDPR. If a vehicle is connected to a telecommunications network for the purpose of sending, processing, or receiving information, it is terminal equipment in this sense and the TTDSG may apply. Manufacturers or third-party providers that want to retrieve location data from a connected vehicle therefore have to request consent.
Requirements of a valid consent and practical implications
To qualify as valid, consent must be based on:
- voluntariness;
- information;
- explicitness; and
- revocability (for the future).
Consent must be given by a clear affirmative act, for example in the form of an electronic statement, and may therefore not be bundled with the contract to buy or lease a new car. It must be given unambiguously, by an active act and without coercion, and must be revocable. These requirements also apply in relation to the driver, if the driver is not the owner, and in relation to passengers, if personal data relating to them is to be processed. The main problem is that users are often unaware of the data processing carried out in their vehicle. This lack of information is a significant barrier to demonstrating valid consent under the GDPR, because consent must be informed. In practice, it can also be difficult to obtain consent from drivers or passengers who have no relationship with the vehicle's owner, especially where vehicles are second-hand, leased, rented, or borrowed.
Data security
Connected cars are exposed to cyber attacks that manipulate vehicle data or compromise safety-relevant vehicle systems. Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures (Article 5(1)(f) of the GDPR). Article 32 of the GDPR regulates the security of processing and names four protection objectives that must be ensured: confidentiality, integrity, availability, and resilience of the processing systems and services. The manufacturer or other data collector should define data security standards, audit procedures, and compliance checks. Exemplary measures include encrypting the communication channels with a state-of-the-art end-to-end encryption algorithm, operating an encryption key management system with keys unique to each vehicle that are regularly renewed, and restricting access to personal data to reliably authenticated users (password or electronic certificate). Further suitable techniques include homomorphic encryption, secure multiparty computation, trusted execution environments, and the use of synthetic data. Wherever possible, personal data should be processed inside the vehicle and stay there: local processing avoids the additional risks of cloud processing and leaves the user in control of how data is collected and processed in the vehicle.
Data minimisation
Another data protection principle of the GDPR is data minimisation. Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c) of the GDPR). Personal data may therefore only be collected where it is necessary for the purpose. The principle covers the scope of collection as well as the type and duration of processing. In this context, pseudonymisation and, where the purpose allows it, anonymisation are the standard measures to be taken.
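The pseudonymisation defined in Section 2 and the data minimisation principle above can be illustrated on the kind of event record that Section 1(g)(1) of the StVG requires the owner to store. The following Python is an added example written for this page, not code from the article, the EDPB, or any manufacturer; the record layout, the field names, the key-store class, and the sample VIN and coordinates are assumptions constructed for illustration.

```python
"""Pseudonymising and anonymising a StVG-style vehicle event record.

Added example (not from the article or any manufacturer). The record
layout, the key-store class and the sample values are constructed for
illustration; the field names are assumptions.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed sample event of the kind Section 1(g)(1) StVG requires the
# owner to store: VIN, position, speed, state of the autonomous function.
# The VIN and coordinates are made up and do not belong to a real vehicle.
SAMPLE_EVENT = {
    "vin": "WVWZZZ1JZXW000001",
    "timestamp": "2022-05-01T10:15:30Z",
    "lat": 52.520008,
    "lon": 13.404954,
    "speed_kmh": 47.5,
    "autonomous_function_active": True,
    "event": "unscheduled_lane_change",
}

VIN_PATTERN = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")  # VINs never contain I, O or Q


class PseudonymKeyStore:
    """The 'additional information' of Article 4(5) GDPR.

    Lives in a separate system with its own access control. It holds the
    secret HMAC key and the reverse mapping, so re-identification (for
    example on a lawful KBA request) is possible here and nowhere else.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse = {}  # pseudonym -> VIN

    def pseudonym_for(self, vin: str) -> str:
        # A keyed MAC rather than a plain hash: the VIN space is small and
        # structured, so SHA-256(vin) could be inverted by enumeration,
        # whereas HMAC cannot be inverted without the key.
        digest = hmac.new(self._key, vin.encode("ascii"), hashlib.sha256)
        pseudonym = digest.hexdigest()[:24]
        self._reverse[pseudonym] = vin
        return pseudonym

    def resolve(self, pseudonym: str) -> str:
        """Re-identify; raises KeyError for unknown pseudonyms."""
        return self._reverse[pseudonym]


def pseudonymise_event(event: dict, store: PseudonymKeyStore) -> dict:
    """Replace the VIN with a stable pseudonym. Events of one vehicle stay
    linkable (needed for accident reconstruction), but the record alone no
    longer identifies the vehicle. Still personal data under the GDPR."""
    out = dict(event)
    out["vehicle_pseudonym"] = store.pseudonym_for(out.pop("vin"))
    return out


def anonymise_event(event: dict, decimals: int = 2) -> dict:
    """Strip identifiers and coarsen the quasi-identifiers for onward
    sharing (e.g. research bodies under Section 1(g) StVG). No reverse
    mapping exists. Rounding to 2 decimals is roughly a 1 km cell; whether
    that suffices depends on the other fields and must be assessed per
    data set (Recital 26 GDPR)."""
    out = {k: v for k, v in event.items() if k not in ("vin", "vehicle_pseudonym")}
    out["lat"] = round(event["lat"], decimals)
    out["lon"] = round(event["lon"], decimals)
    out["timestamp"] = event["timestamp"][:13]  # keep date and hour only
    return out


def has_direct_identifier(record: dict) -> bool:
    """Release gate: True if a VIN field or a VIN-shaped value is present."""
    if "vin" in record:
        return True
    return any(isinstance(v, str) and VIN_PATTERN.match(v) for v in record.values())


if __name__ == "__main__":
    store = PseudonymKeyStore()
    pseudo = pseudonymise_event(SAMPLE_EVENT, store)
    anon = anonymise_event(SAMPLE_EVENT)
    print("pseudonymised:", pseudo)
    print("anonymised:   ", anon)
    print("re-identified:", store.resolve(pseudo["vehicle_pseudonym"]))
```

The keyed MAC keeps the events of one vehicle linkable while tying re-identification to a key held in a separate system, which is the 'additional information kept separately' of Article 4(5) of the GDPR; the pseudonymised record therefore remains personal data. The anonymised variant drops the identifier with no reverse mapping, but coarse rounding alone does not guarantee anonymity: a rare event at a known time and place can still single out a vehicle, so a release has to be assessed against Recital 26 for the data set as a whole.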
Data retention
The GDPR sets no specific time limits for data retention: personal data must be collected for a lawful purpose and kept no longer than necessary for that purpose (storage limitation, Article 5(1)(e) of the GDPR). Telecommunications service providers are additionally subject to statutory minimum retention obligations intended to make data available for criminal prosecution.
Accountability and record of processing
Regarding accountability, the general GDPR rules apply. A data controller is obliged to record their processing activities in a record of processing activities. Furthermore, the data controller is obliged to implement a data management system with a clear set of responsibilities to ensure compliance with data processing requirements. In relation to the use of connected vehicles by data subjects data can be (i) processed inside the vehicle, (ii) exchanged between the vehicle and personal devices connected to it (e.g., the user's smartphone) or (iii) collected locally in the vehicle and exported to external entities such as manufacturers, infrastructure managers, insurance companies or car repairers for further processing. Data controllers may include service providers sending traffic-information, eco-driving messages or alerts regarding the functioning of the vehicle, insurance companies offering usage based contracts, or vehicle manufacturers gathering data on the wear and tear for vehicle parts' quality improvement purposes.
Data sharing and international transfers
Data sharing requires a legal basis according to Article 6 of the GDPR, except when the data is shared with a data processor acting upon the data controller's instructions (Article 28 of the GDPR). International transfers are subject to additional requirements if the data recipient is located in a country with no adequate standard of data protection (Article 46 of the GDPR).
Data sharing
Data sharing may take place between a data controller and a data processor, or between two or more controllers. A data processor processes the data according to the instructions of the data controller, and needs to be obliged to comply with its obligations in a written or electronic form agreement (Article 28 of the GDPR). For a transfer to, or sharing with another controller, a legal basis either by a statutory law explicit allowance or by way of the data subject's consent is required. If two or more controllers determine the purpose and means of processing, they act as joint controllers (Article 26 of the GDPR). A joint controller-relationship requires also a written or electronic agreement between the controllers to specify their tasks and responsibilities. In view of the sensitivity of vehicle usage data, the data subject's consent should systematically be obtained before their data is transferred to a commercial partner (acting as a data controller) who assumes responsibility for the received data and is subject to all the provisions of the GDPR.
International transfers of data
A controller or processor may transfer personal data to a third country or an international organisation with no adequate standard of protection only if the controller or processor has provided appropriate safeguards, and subject to the condition that enforceable data subject rights and effective legal remedies for data subjects are available (Article 46(1) of the GDPR). For certain countries outside the EEA, the European Commission has recognised by formal decision that the country provides an adequate standard of protection. If no such adequacy decision exists, a transfer to the third country requires that the data exporter and the data importer agree on adequate standards of protection. In these cases, the parties would need to conclude the so-called Standard Contractual Clauses ('SCCs'), based on the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679. For data transfers to third countries within a corporate group, the companies may alternatively have agreed on Binding Corporate Rules ('BCRs') to ensure an adequate standard of data protection.
Data governance
Data governance is subject to general rules, i.e. companies need to implement data management systems to ensure accountability for data processing activities.
With regard to a potential commercialisation, in particular of non-personal data, data may be protected as intellectual property or know-how, or as business and trade secrets under the Federal Trade Secrets Law of 18 April 2019 (only available in German) ('the Trade Secrets Law'). Protection as intellectual property requires a certain minimum of creative effort. A trade secret is information that is not generally known or readily available, and is therefore of economic value, which is the subject of secrecy measures appropriate under the circumstances by its rightful owner, and for which a legitimate interest in secrecy exists. Apart from that, it is mainly contractual agreements that determine who is entitled to analyse data and commercialise the results.
In practice, it remains to be seen to what extent there is room for additional data analytics services based on data obtained in this context.
Data portability
Data portability is enabled by Article 20 of the GDPR. The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided. The right to data portability comprises the right to receive a copy of one's own data in a structured, commonly used and machine-readable format, the right to transmit the data to another controller, and the right to have the data transmitted directly from the controller to a newly designated controller.
It remains to be seen whether application service providers offering connectivity services will provide individualised services of such value to the data subject that the personal data involved is actually transferred to another provider.
Privacy/Security by Design and by Default
Privacy by Design
Taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects (Article 25(2) of the GDPR). Privacy by Design means data protection through technology design, whereby the principle of data protection must already be taken into account in the development phase of the vehicle.
Practical implications
A technical measure for the protection of personal data can be either anonymisation or pseudonymisation of data.
Privacy by Default
The data controller must implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed (Article 25(2) of the GDPR). That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility. This means that attention must be paid to default settings during the development of vehicle technology, which do not unreasonably interfere with the privacy of the vehicle users.
Practical implications
Privacy-friendly default settings can be programmed in such a way that the storage of vehicle data is, as far as possible, avoided. The user should retain the option of deactivating activated services at any time.
5. Autonomous Driving
The principles described above and their practical implications also apply in the context of autonomous driving. In addition to the provisions of the GDPR, the new rules on data processing in the StVG apply. While operating the self-driving vehicle, the owner is obliged to store the different data listed in Section 1(g)(1)(1-13) of the StVG on certain occasions. In addition, the manufacturer is obliged to equip the self-driving vehicle in such a way that the owner can fulfil their storage obligation (Section 1(g)(3) of the StVG). The principles of Privacy by Design and by Default also apply directly.
Different responsible data controllers are to be distinguished within the scope of data processing related to autonomous driving. The data controller is the one who decides about the means and purposes of the processing, and can be the owner, the manufacturer, the seller and/or the repairer. The repairer becomes the data controller if they, for example, read data from the vehicle's storage systems. The owner, driver and passengers of the vehicle may be responsible for the data processing as well, for example when they enter telephone or destination data into the on-board system or record the outside world with a camera (dashcam). Responsibility depends primarily on how the processing is implemented and who can access the data. Providers of new services around autonomous mobility must inform their employees engaged as technical supervisors (the natural person who can deactivate the autonomous driving function at any time) about the transfer of their personal data to the authorities.
The KBA must delete the data obtained from the vehicles with autonomous driving functions without delay, as soon as they are no longer required for the purposes specified by the law, at the latest three years after the relevant motor vehicle ceases to be operated.
Manufacturers of motor vehicles with autonomous driving functions have to equip the vehicles in a way that actually makes it possible for the owner to store the relevant data. When designing the vehicle memory, manufacturers are confronted with the difficulty of complying with the general principle of storage limitation while enabling the owner to fulfil the obligation under the StVG to store data for an unlimited period of time. In this respect, it is not yet clear whether automatic deletion routines may be provided by the manufacturer at all.
The manufacturer of a motor vehicle with an autonomous driving function must prove to the KBA and the responsible authority that the electronic and electrical architecture of the motor vehicle and the electronic and electrical architecture connected to the motor vehicle are protected against attacks throughout the entire development and operating period of the motor vehicle. The manufacturer must also conduct a risk assessment and demonstrate sufficient radio connectivity.
With regard to safety requirements, the owner has to ensure maintenance of the systems with autonomous driving function, as set out in the Autonomous Vehicles Approval and Operation Ordinance (AFGBV). In particular, the owner must ensure during the operation of the motor vehicle that the vehicle systems for active and passive safety are regularly checked, that an extended departure check is carried out before the start of the journey, that an overall check of the vehicle is carried out every 90 days in accordance with the specifications of the operating manual, and that the results of the overall checks are documented in a report. The manufacturer's declaration to the KBA guarantees the legality of the installed technical equipment and parts, and is made as part of the application for the operating permit for an autonomous vehicle. As these are extensive obligations for private persons, primarily commercial providers in the area of public transport or freight will be in a position to fulfil these requirements. The role of the technical supervisor may be assumed for several vehicles in parallel.
6. Telematics
Telematic technology, such as GPS and on-board vehicular data, is now commonly implemented in cars on German roads. Telematic systems and devices include a vehicle tracking device and collect and transmit data on vehicle use; the telemetry data are sent, received and stored. The devices and systems collect telemetry data such as the GPS position of the vehicle, its speed, acceleration, deceleration, fuel use and consumption, engine faults and idling time. They transmit data for preventive diagnostics, debugging and maintenance. The data collected by telematic devices is linked to the vehicle identification number of the vehicle and can allow conclusions concerning the driver and their driving behaviour, which can be helpful for automobile manufacturers and insurance companies. Most telematic data are personal data, which is why the provisions of the GDPR, the Federal Data Protection Act and potentially the TTDSG apply to all telematics data and information that can be attributed to an individual person.
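The linkage via the vehicle identification number just described is exactly what the pseudonymisation and anonymisation measures mentioned under Privacy by Design above are meant to break. The following Python is an added example written for this page (not code from any manufacturer, telematics provider or the article's author) showing the two measures side by side on constructed telematics records: a keyed pseudonym replaces the VIN for per-vehicle quality analysis, and an aggregate with no identifier at all serves fleet-wide statistics. The record layout, the VINs and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample telemetry records of the kind a telematics backend might
# receive; the VINs are fabricated and belong to no real vehicle.
SAMPLE_RECORDS = [
    {"vin": "WVWZZZ1JZ3W000001", "ts": 1700000000, "speed_kmh": 52.0, "fuel_l": 31.2, "engine_fault": None},
    {"vin": "WVWZZZ1JZ3W000001", "ts": 1700000060, "speed_kmh": 61.5, "fuel_l": 31.1, "engine_fault": "P0420"},
    {"vin": "WVWZZZ1JZ3W000002", "ts": 1700000000, "speed_kmh": 0.0, "fuel_l": 45.0, "engine_fault": None},
]


def pseudonymise_vin(vin: str, key: bytes) -> str:
    """Map a VIN to a keyed HMAC-SHA256 token.

    The key is the 'additional information' that has to be kept separately
    from the pseudonymised records: without it the token cannot be linked
    back to the VIN. An unkeyed hash would not be a pseudonym, because VINs
    have a fixed structure and a plain digest can be matched against a list
    of known VINs.
    """
    return hmac.new(key, vin.encode("ascii"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Return copies of the records with the VIN replaced by its token.

    Records of the same vehicle keep the same token, so per-vehicle analysis
    such as fault rates still works while the VIN itself leaves the data set.
    Rotating the key produces unlinkable tokens for a new analysis period.
    """
    result = []
    for record in records:
        copy = dict(record)
        copy["vehicle_token"] = pseudonymise_vin(copy.pop("vin"), key)
        result.append(copy)
    return result


def fault_counts_by_hour(records, bucket_seconds: int = 3600):
    """Aggregate to (records, faults) per time bucket with no vehicle
    identifier at all. This is the anonymisation route: it is what fleet-wide
    wear-and-tear statistics need, and it stays anonymous as long as the
    buckets are large enough that no single vehicle stands out."""
    buckets = {}
    for record in records:
        bucket = (record["ts"] // bucket_seconds) * bucket_seconds
        total, faults = buckets.get(bucket, (0, 0))
        buckets[bucket] = (total + 1, faults + (1 if record["engine_fault"] else 0))
    return buckets


if __name__ == "__main__":
    demo_key = b"example-key-kept-in-a-separate-key-store"  # constructed demo key
    for row in pseudonymise_records(SAMPLE_RECORDS, demo_key):
        print(row)
    print(fault_counts_by_hour(SAMPLE_RECORDS))
```

Where the backend also needs to re-identify a vehicle (a recall, for instance), the key holder performs the lookup; the analytics side never needs the key, which keeps the two kinds of access separable in the data management system the accountability section calls for.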
Data can also be transmitted to a server via a permanently installed SIM card. This enables a wide range of functions of a multi-media system, such as the transmission of current vehicle location, mileage, tire pressure, or fuel level to the server, but also to a cell phone designated by the user. In this way, the authorised person can locate their vehicle, an emergency call system automatically communicates with a rescue team after an accident and transmits location data, remote door locking and unlocking is made possible, auxiliary heating can be controlled via cell phone, live traffic information is transmitted to the driver, and, for this purpose, car-to-car communication is also operated via the server, in which the vehicles exchange data on traffic flow among themselves. In addition, such services allow mobile music streaming. Details, such as whether the passenger seat is occupied, can also be communicated to the server. In this context, location and navigation services, in particular, cannot be offered without the vehicle determining its GPS data and transmitting it to the server.
7. Vehicle Geolocation
If the vehicle is equipped with internet-connected devices, the TTDSG applies to vehicle geolocation data. The GDPR may apply as well (see the sections above). Location data processed in relation to users of public telecommunications networks or telecommunications services may be processed only to the extent and within the time necessary for the provision of value-added services, and only if the data have been anonymised or if the user has been informed by the provider of the value-added service and has consented in accordance with the GDPR. Every time the location of the mobile terminal is determined, the provider of the value-added service must inform the end user of the determination of the location by sending a text message to the terminal whose location data has been determined. This does not apply if the location is only displayed on the terminal whose location data was determined. If the location data is processed for a value-added service which involves the transmission of location data of a mobile terminal to another user or third party who is not the provider of the value-added service, the user must give their consent expressly, separately and in writing to the provider of the value-added service. In this case, the obligation applies mutatis mutandis to the provider of the value-added service. The subscriber must inform other users of their mobile telephone connection of any consent given. Location data are particularly intrusive and can reveal many life habits of the data subject. Industry participants should take particular care not to collect any location data unless it is strictly necessary for the purpose of the processing.
In this context, the EDPB in its Guidelines 01/2020 specifies that collecting location data is in particular subject to:
- activating location only when the user launches a functionality that requires the vehicle's location to be known, and not by default and continuously upon starting the car;
- informing the user that location has been activated;
- the option to deactivate location at any time; and
- defining a limited storage period.
The level of detail and the frequency of access to the location data also need to be configured appropriately for the purpose of use.
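The four EDPB points above, together with the deactivation option and the avoidance of storage described under Privacy by Default, map directly onto a configuration and an access layer that sits between every function and the vehicle's GPS receiver. The following Python is an added example written for this page, not code from the EDPB, any manufacturer or the article's author. The class and field names, the thresholds in policy_issues, and the fake receiver and clock used for the demonstration are assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocationPolicy:
    """Settings that decide how location is handled. The defaults are the
    privacy-friendly ones; the concrete numbers are assumptions for this example."""
    active_by_default: bool = False           # not switched on just because the car was started
    retention_seconds: Optional[int] = 86400  # limited storage period for the position history
    precision_decimals: int = 2               # level of detail: 2 decimals is roughly 1 km
    min_interval_seconds: int = 60            # frequency: at most one new fix per minute


# The kind of configuration the EDPB points argue against, kept for comparison.
WEAK_POLICY = LocationPolicy(active_by_default=True, retention_seconds=None,
                             precision_decimals=6, min_interval_seconds=0)
PRIVACY_POLICY = LocationPolicy()


def policy_issues(policy: LocationPolicy) -> list:
    """Check a policy against the four points; the thresholds are assumptions."""
    issues = []
    if policy.active_by_default:
        issues.append("location is active by default on start")
    if policy.retention_seconds is None:
        issues.append("no limited storage period defined")
    if policy.precision_decimals > 4:
        issues.append("precision finer than most functions need")
    if policy.min_interval_seconds <= 0:
        issues.append("no limit on how often the position is read")
    return issues


class LocationService:
    """Mediates every access to the vehicle's GPS receiver."""

    def __init__(self, policy, gps_reader, notify_user, clock=time.time):
        self.policy = policy
        self._gps_reader = gps_reader      # callable returning (lat, lon) from the receiver
        self._notify_user = notify_user    # callable(str) shown to the user on the head unit
        self._clock = clock
        self.active = policy.active_by_default
        self._history = []                 # (timestamp, lat, lon), pruned by retention
        self._last_fix_at = None

    def activate_for(self, function_name: str) -> None:
        """Called by a feature that needs the position, e.g. navigation, and only then."""
        if not self.active:
            self.active = True
            self._notify_user(f"Location activated for {function_name}")

    def deactivate(self) -> None:
        """Available to the user at any time."""
        if self.active:
            self.active = False
            self._notify_user("Location deactivated")

    def read_position(self):
        """Return a coarsened (lat, lon), or None while location is inactive."""
        if not self.active:
            return None
        now = self._clock()
        if (self._last_fix_at is not None and self._history
                and now - self._last_fix_at < self.policy.min_interval_seconds):
            return self._history[-1][1:]   # reuse the last fix instead of polling the receiver
        lat, lon = self._gps_reader()
        coarse = (round(lat, self.policy.precision_decimals),
                  round(lon, self.policy.precision_decimals))
        self._history.append((now, *coarse))
        self._last_fix_at = now
        self._purge_expired(now)
        return coarse

    def stored_positions(self):
        """The retained history after applying the storage period."""
        self._purge_expired(self._clock())
        return list(self._history)

    def _purge_expired(self, now):
        if self.policy.retention_seconds is None:
            return
        cutoff = now - self.policy.retention_seconds
        self._history = [h for h in self._history if h[0] >= cutoff]
```

In use, a navigation or parking function calls activate_for and then read_position; nothing else in the vehicle talks to the receiver directly, so the policy is enforced in one place and the user's deactivation takes effect for every function at once. Running policy_issues over a candidate configuration at build time is a cheap way to catch a weak default before it ships.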
8. Manufacturing
Data protection principles, such as Privacy by Design and by Default, and their practical implications are described in the sections above. Besides the provisions of the GDPR and the Federal Data Protection Act, manufacturers must in particular observe the new Section 1(g)(3) of the StVG, which contains new rules for self-driving cars, their development and their manufacturing.
The introduction of eCall is mandatory in the EU in accordance with Decision No 585/2014/EU of the European Parliament and of the Council on the deployment of the interoperable EU-wide eCall service. The 112-based eCall in-vehicle system and the TPS eCall service must comply with the data privacy provisions laid down in Regulation (EU) 2015/758 of the European Parliament and of the Council of 29 April 2015 concerning type-approval requirements for the deployment of the eCall in-vehicle system based on the 112 service and amending Directive 2007/46/EC. According to the Regulation, manufacturers must provide clear and complete information on the data processing done using the eCall system. This information must be provided in the owner's manual, separately for the 112-based eCall in-vehicle system and any third-party-service-supported eCall system, prior to the use of the system. Furthermore, the manufacturer or the service provider must also provide the data subjects with information in a transparent and understandable way. This must include the purposes of the processing for which the personal data are intended and the fact that the processing of personal data is based on a legal obligation. Personal data may only be used for specific emergency situations and must not be retained longer than necessary for this purpose. The vehicle manufacturer is obliged to take the necessary steps to ensure that the 112-based eCall in-vehicle system is not subject to constant tracking in its normal operational status.
The manufacturer must further ensure that the data in the internal memory of the system are automatically and continuously removed, and are not accessible to any device other than the in-vehicle system before the eCall is activated (Annex III to Commission Delegated Regulation (EU) 2017/79 of 12 September 2016 establishing detailed technical requirements and test procedures for the EC type-approval of motor vehicles with respect to their 112-based eCall in-vehicle systems, of 112-based eCall in-vehicle separate technical units and components and supplementing and amending Regulation (EU) 2015/758 of the European Parliament and of the Council with regard to the exemptions and applicable standards). Only the vehicle's last three positions may be stored, insofar as this is necessary to specify the current position of the car and the direction of travel at the time of the event. Tracking the vehicle's movements by means of the eCall system is therefore not permitted.
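The storage rule just described (at most the last three positions, continuously overwritten, released to no other device before activation, and only as much as is needed to state the current position and direction of travel) is small enough to show in full. The following Python is an added example written for this page, not code from any eCall implementation, the regulation or the article's author; the class name, the decision to freeze the store at trigger time and the initial-bearing calculation used for the direction of travel are assumptions made for illustration.

```python
import math
from collections import deque


class ECallPositionStore:
    """Minimal in-vehicle position store: keeps at most the last three fixes,
    drops the oldest automatically, and hands nothing to other devices until
    an eCall is triggered. Freezing the store at trigger time is a design
    assumption of this example, so that what is transmitted describes the
    moment of the event."""

    def __init__(self, max_positions: int = 3):
        self._positions = deque(maxlen=max_positions)  # oldest fix overwritten on append
        self._triggered = False

    def record_fix(self, ts: float, lat: float, lon: float) -> None:
        """Called by the receiver at each fix; nothing beyond three fixes is ever kept."""
        if self._triggered:
            return
        self._positions.append((ts, lat, lon))

    def read_for_external_device(self):
        """What any other device can obtain from the memory: nothing before activation."""
        if not self._triggered:
            return None
        return list(self._positions)

    def trigger(self) -> dict:
        """Activate the eCall and build the position part of the data to be sent."""
        self._triggered = True
        positions = list(self._positions)
        return {
            "current_position": positions[-1] if positions else None,
            "recent_positions": positions,
            "heading_deg": self.heading_deg(),
        }

    def reset(self) -> None:
        """After the call has been handled, nothing is retained."""
        self._positions.clear()
        self._triggered = False

    def heading_deg(self):
        """Direction of travel as the initial bearing between the last two fixes
        (0 = north, 90 = east), or None with fewer than two fixes."""
        if len(self._positions) < 2:
            return None
        (_, lat1, lon1), (_, lat2, lon2) = self._positions[-2], self._positions[-1]
        phi1, phi2 = math.radians(lat1), math.radians(lat2)
        dlon = math.radians(lon2 - lon1)
        y = math.sin(dlon) * math.cos(phi2)
        x = math.cos(phi1) * math.sin(phi2) - math.sin(phi1) * math.cos(phi2) * math.cos(dlon)
        return math.degrees(math.atan2(y, x)) % 360
```

The bounded deque is the whole point: the store cannot accumulate a trail even if the receiver reports a fix every second, so "no constant tracking" is a property of the data structure rather than of a deletion job that might fail to run.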
Beyond that, (i) the vehicle's vital functions should be separated from the telecommunications capacities, (ii) an alarm system with a degraded mode in case of an attack and an update mechanism for the security environment during the entire lifespan of the vehicle should be implemented, (iii) dedicated communication channels should be used for the vehicle's vital functions, and (iv) vehicle system access information should be logged for a period of up to six months so that attacks and anomalies can be analysed and reviewed.
9. Other
The BSI publishes standards containing methodological, procedural and process recommendations for the security of information systems. The BSI has published various standards for information security management systems and for dealing with security-relevant vulnerabilities in ICT environments.
Germany is a party to the Convention on Road Traffic, which authorises the use of self-driving technology subject to certain conditions, but currently still requires the presence of a human driver who can take control of the vehicle at any time. In September 2020, the Global Forum for Road Traffic Safety voted for an amendment to the Convention on Road Traffic which is intended to facilitate the responsible use of automated driving systems, provided that they comply with (i) domestic technical regulations and any applicable international legal instrument concerning wheeled vehicles, equipment and parts which can be fitted and/or be used on wheeled vehicles, and (ii) domestic legislation on operation. Its entry into force is expected around March 2022, and signatory parties to the Convention on Road Traffic may incorporate the amendment into their domestic road traffic legislation.
Three new UN Regulations in the field of connected and automated driving entered into force in January 2021 and are applicable in the 54 contracting parties to the 1958 Agreement Concerning the Adoption of Harmonised Technical United Nations Regulations for Wheeled Vehicles, Equipment and Parts which can be Fitted and/or be Used on Wheeled Vehicles, which include the EU and Germany: UN Regulation No. 155 on Cyber Security and Cyber Security Management System, UN Regulation No. 156 on Software Update and Software Update Management System, and UN Regulation No. 157 on Automated Lane Keeping Systems ('ALKS'), the first international regulation governing this level of automation, within limited use cases.
Moreover, the EU Commission is developing a new EU Regulation for the type-approval of motor vehicles with regard to their automated driving systems, which would amend Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC.
Since 2020, Germany has been chairing the Working Party on Automated/Autonomous and Connected Vehicles ('GRVA') within the World Forum for Harmonization of Vehicle Regulations ('WP.29').
Internet connectivity and eSim management
Connected smart vehicles are now equipped with SIM cards and/or infotainment systems, which allow drivers to connect their mobile devices (e.g. smartphones) to their vehicles and give them access to the internet. Insofar as cars are connected to the internet, the TTDSG is applicable in addition to the GDPR. For further information see section 1.1.3. The same applies if car-to-car and car-to-X communication services use these transmission standards.
Dr Stefanie Hellmich Partner
[email protected]
Luther Rechtsanwaltsgesellschaft mbH, Frankfurt