Connected Vehicles, Connected Data, Complex Compliance
Connected vehicles are an important part of contemporary life. In this webinar, our speakers discuss the complexity of connected vehicles and the key privacy concerns as vehicles record more information while advancing in capability. By looking at the existing legislation in the EU and the California Consumer Privacy Act ('CCPA'), our speakers offer their industry expertise in navigating the future of privacy requirements and concerns for manufactures and users of connected vehicles.
Defining a connected vehicle
There are varying definitions of connected vehicles across the EU and the US. While The French data protection authority ('CNIL') in France makes reference to 'vehicles that communicate with the outside world,' the CCPA defines a device as 'any physical object that is capable of connecting to the internet, directly or indirectly, or to another device.' Our speakers highlight that ,while a connected vehicle may not be obviously linked to these definitions, often vehicles are collecting location data, tracking driving behaviors, and communication information and therefore compliance with applicable data protection laws is necessary.
Linking information to a data subject
As emphasised by our speakers, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') covers any data which identifies an individual. This discussion details the nuance highlighting that a vehicle could be operated by numerous individuals, and some information is defining to the vehicle, for example, Vehicle Identification Numbers ('VIN'), rather than an individual. The California Attorney General has addressed these concerns, and as explained by our speakers, specifying that VIN data can be exempt from the right to deletion.
Approaches to compliance and consent
The European Data Protection Board ('EDPB') has defined data collected by connected vehicles as personal information, a key consideration for manufacturers. While this has been challenged, if the information collected by connected vehicles is considered personal data, then compliance will be complex. Manufacturers would need to consider how to get clear and informed consent. Our speakers discuss the possibility of layered privacy notices or granular consent in order to manage how this can be achieved with multiple users of a vehicle.
Data subject rights
As identified by our speakers, subject access requests will also bring challenges. For instance, if a deletion request was made there is a risk of deleting information relevant to the vehicle for safety purposes or misidentification given the ambiguity of the information collected. Again, it will be important for organisations to understand the distinction between personal information and facts about connected vehicles which would be exempt from applicability to data protection laws.
How OneTrust DataGuidance helps
OneTrust DataGuidance™ is the industry’s most in-depth and up-to-date source of privacy and security research, powered by a contributor network of over 500 lawyers, 40 in-house legal researchers, and 14 full time in-house translators. OneTrust DataGuidance™ offers solutions for your research, planning, benchmarking, and training.
OneTrust DataGuidance provides daily updates and analysis of relevant global regulatory developments. By leveraging customised email alerts and newsletters, and creating dedicated spaces for projects, jurisdictions and topics, you can stay on top of developments as they happen.
OneTrust DataGuidance solutions are integrated directly into OneTrust products, enabling organisations to leverage OneTrust to drive compliance with hundreds of global privacy and security laws and frameworks. This approach provides the only solution that gives privacy departments the tools they need to efficiently monitor and manage the complex and changing world of privacy management.