News Update Technology, Media & Telecom
European Data Protection Board publishes final guidelines on connected vehicles
13 April 2021
13 April 2021
On 9 March 2021, the European Data Protection Board ("EDPB") published the final version of its guidelines on processing personal data in the context of connected vehicles.These guidelines give recommendations to a wide range of stakeholders in the automotive field and are intended to facilitate compliance with the General Data Protection Regulation ("GDPR") and the ePrivacy Directive (implemented in the Netherlands in the Telecommunications Act) when processing personal data through connected cars and mobility related applications.
The EDPB identifies several risks that may arise when processing personal data in the context of connected cars, such as:
- The sensitivity of certain data, which makes it necessary to limit access to them (for example location data; see below);
- Data subjects are not always adequately informed about the processing of their data;
- Data subjects cannot exercise the necessary control over the use of their data; and
- Not always having valid consent (to the extent required by law).
The processing of personal dataFirst of all, it is noteworthy that the EDPB has broadly interpreted the concept of 'personal data'. According to the EDPB, almost all information generated by connected vehicles will be considered personal data. This not only includes information directly relatable to someone, but also more technical data, such as data regarding speed and the distance travelled.
Location dataProcessing location data requires extra attention, according to the EDPB. Location data are particularly revealing of data subjects daily habits and may possibly reveal sensitive information, for example through the places visited. The EDPB advises controllers to keep processing location data to a minimum, except when it is strictly necessary to do so. In addition, the advice is to activate location data only when the user launches a functionality that requires the processing of location data. According to the EDPB, the collection of location data may not be activated by default and continuously when the car is started. The user must have the option to deactivate location at any time.
No transfer of data outside the vehicleThe EDPB recommends processing personal data internally in the vehicle where possible. In other words: do not transfer personal data outside the vehicle unless it is strictly necessary. This guarantees users the sole and full control of their personal data. It also presents fewer risks of third parties accessing the data, mitigates the risks associated with cloud processing, and presents fewer cybersecurity risks. More specifically, the EDPB recommends developing a secure in-car application that can be physically divided from safety-related car functions. When it is not possible to solely process the personal data locally in the vehicle, hybrid processing can be put in place. As an example, the EDPB mentions usage-based insurance ('pay-as-you-drive'). According to the EDPB, the insurance company does not need to gain access to the raw location and behavioural data but only to the aggregate score that is the result of the processing.
Private processing is not subject to GDPRThe EDPB also stresses that some processing activities that a driver performs for purely personal or household activities do not fall under the GDPR's scope. At the same time, however, the EDPB believes that this does not discharge manufacturers and developers of their GDPR obligations. The EDPB interprets the GDPR such that it contains an obligation for manufacturers and developers of products and services to design their products and services in accordance with the GDPR, with privacy-friendly settings (privacy by design).
Data subject rightsThe EDPB recommends that data controllers implement a 'profile management system', which drivers can use to easily switch between various profiles of other drivers, and set their personal privacy settings. Such a system should also accommodate data subjects who wish to exercise their rights, such as deleting their data.
Examples; pay-as-you-driveThe guidelines conclude with several case studies, including further guidance on pay-as-you-drive insurance (briefly mentioned above). This type of insurance, which is based on one's driving behaviour, offer drivers a discounted rate when driving 'safely'. This insurance is permitted if the insured party has given their prior consent. The insured party should also have an actual choice between a usage-based insurance policy and a non-usage-based insurance policy, according to the EDPB. As mentioned, the insurer should limit its processing of driving-related information to generated scores, rather than the raw data generated from the vehicle. In any case, the insurer cannot collect and process location data except to the extent necessary. For other examples, we kindly refer to the guidelines.
Please contact our Data Protection & Privacy team for any questions you may have.