Following completion of the consultation period on the European Data Protection Board’s draft connected vehicles guidance (which was issued in January 2020), the EDPB sent the guidance back to the shop for a tune-up and the final guidance has now been released.
The guidance looks at the processing of personal data in the context of connected vehicles and mobility related applications. So the advice isn’t just for car makers, it’s also for third parties providing connected services to vehicles. This includes insurers, infrastructure managers and tech companies. Notably, the guidance excludes use of connected vehicles in an employment context and for Mobility-as-a-Service projects.
The guidance identifies a variety of privacy risks that drivers, passengers and vehicle owners may encounter when using a connected vehicle. These include the risk of losing control over personal data generated by a connected vehicle (including subsequent re-use of data for unexpected purposes), the challenges involved in obtaining GDPR-grade consent where required, and the security risks presented when vehicles share data outside of the vehicle with third parties.
In this article I kick the tyres on the final guidance to find out what has changed following the EDPB’s consultation, outline some key takeaways and look to the horizon of connected vehicles and data protection.
The relevant laws
The GDPR – The EDPB wastes little time in confirming that most vehicle-generated data is personal data, since it usually relates to vehicle owners, drivers or passengers. This includes directly identifiable data, such as the owner’s name, and also indirectly identifiable data, such as the details of journeys made and how the vehicle is used. The latter is often indirectly identifiable because of the link with the vehicle’s unique Vehicle Identification Number, or ‘VIN’, but it may also be linked to other identifiers generated by the on-board computer or by the third parties providing services to the vehicle. Therefore, the GDPR applies to the collection and processing of this vehicle data.
The ePrivacy Directive – The provider of a connected vehicle service is often accessing information stored on the car’s on-board computer, for example, vehicle telemetry or GPS location data. Here, Article 5(3) of the EU’s ePrivacy Directive also applies to the collection of vehicle data. This means the service provider needs to provide notice and obtain consent before collecting the data, unless an exemption applies. This raises two issues for service providers: Does the service qualify for an exemption and what does this mean for the GDPR legal basis? The EDPB kindly addresses both these issues in the guidance.
Finally, the guidance appreciates that there may be various road-safety laws that mandate the processing of personal data in specific circumstances. Examples of such laws include the ‘eCall’ regulation, which enables emergency services to locate and respond to an accident involving that vehicle.
Notable changes from the consultation version
Overall, the final version of the guidance does not diverge significantly from the consultation version of the guidance in structure or message. However, there are a few notable updates and changes:
- ePrivacy application – The EDPB has refined the sections of the guidance that deal with the Article 5(3) ePrivacy Directive requirements, possibly a result of the increased attention that this Article has received of late in respect of online cookie usage. The EDPB generally expects service providers to rely on consent as their GDPR legal basis where they are already required to collect consent under Article 5(3) of the ePrivacy Directive. Helpfully, though, the EDPB now includes providing a GPS navigation service as a specific example of a service that would benefit from Article 5(3)’s ‘strictly necessary’ exemption from the need to get consent (the EDPB considers this to be an ‘information society service’).
- Special categories of personal data – There are some updates to the sections addressing the use of biometric data and data that could reveal a criminal offense. In keeping with the law, the EDPB has added wording to the biometric data section to make it clear that this data is provided the additional protections of Article 9 GDPR only where it is used to identify an individual. With respect to data that potentially reveals a criminal offense, the EDPB has re-worded this section to emphasise that such processing should take place locally (i.e, within the vehicle and therefore not under the control of the car maker). For instance, where the vehicle is capable of alerting a driver that they have crossed a white line (for safety purposes), this processing should be contained in the vehicle. The car maker would not usually be permitted to extract and process such data, although the guidance’s accidentology case study provides a notable exception.
- Rental scenarios – The EDPB has removed rental and car sharing scenarios from the scope of the guidance. Accordingly, the EDPB has completely deleted the example relevant to this in the Case Studies section. The EDPB provides no explanation for this, but thanks to city-based car sharing schemes and one-click rental services it may be that the rate of development in this area has made it impossible for the EDPB to provide meaningful guidance here at the moment.
Key takeaways from the final version
The changes in the final version of the guidance provide a useful indicator of where the EDPB received significant feedback on its consultation. They also represent areas where both technology and the law have developed in the intervening period since the EDPB published the draft version of the guidance. As such, these are areas which rightly deserve a lot of focus from practitioners. That being said, there are some other key takeaways not to be overlooked:
- ‘Vehicle data’ in the scope of the guidance does not solely come from the vehicle’s on-board computer. It may also be collected by mobile telephones present in the vehicle or by ‘plug-in devices’. This helps remind third party service providers that although they may be providing services independent of the involvement of the car marker, they still need to pay attention to this guidance.
- Information notices about any processing can be provided in contractual documentation or vehicle handbooks/information sheets, provided these are clear and understandable. This is helpful for car makers who may have concerns that giving notice in this way would not be seen as prominent enough.
- Usage-based insurance (aka pay-how-you-drive insurance) is one of the case studies the EDPB focuses on in Section 3. This is hardly surprising given the widespread availability of this service in vehicles. Insurers can use the vehicle’s on-board computer, or a separate plug-in device, to collect vehicle data for this purpose. However it is set up, usage-based insurance will necessarily involve access to information stored on a device and thus is subject to Article 5(3) of the ePrivacy Directive. In the EDPB’s view, neither exemption to the general requirement to get consent is appropriate, although the EDPB accepts that the insurer may rely on Article 6(1)(b) (performance of a contract) as its GDPR legal basis after obtaining the ePrivacy Directive consent. Importantly, the EDPB notes that for the ePrivacy Directive consent to be ‘freely given’ and ‘withdrawable’, the insurer must provide an option for the user to subscribe to a non-usage-based policy too.
- There is a renewed emphasis on having a secure ‘delete my data’ button in all vehicles. This has been a hot topic in connected vehicle news over the past few years. There are examples of where a car’s on-board computer has been analysed after a crash and it has transpired that the computer has not properly erased the data of past owners.
Looking to the future
It’s really exciting that the EDPB have produced specific guidance in this area. It shows that policymakers appreciate the volume and complexity of services offered by connected vehicles.
From a car maker’s perspective, the guidance also provides some solid ground to fall back on when dealing with eager third party service providers who want to use connected vehicle data in new and creative ways. After all, reputation is arguably the backbone of the automotive industry.
However, there are some notable omissions from the EDPB’s guidance, such as the use of in vehicle monitoring equipment like cameras and recording devices. The guidance also skips over a lot of the issues faced by fleet operators and rental businesses. This is partly down to the decision to de-scope rental cars and car sharing from the final version of the guidance, but also due to the exclusion of employee use of connected vehicles on the basis that the overlap with labour laws is too great. However, the emergence of ‘mobility-as-a-service’ in conjunction with EV sharing schemes presents a raft of fleet-related connected car issues and guidance in this area would be welcomed. Without this, the EDPB risks asking the industry to reverse engineer products that are already in the market, which is a much harder task.
Finally, from a UK perspective it will be interesting to see if the ICO produces its own guidance. In September 2016, the ICO responded to a report on the progress of connected vehicles developed by the Department for Transport’s Centre for Connected & Autonomous Vehicles. In its response, the ICO recognised the specific data protection challenges faced by car makers and service providers and stated its intent to work with the industry to ensure data protection was designed into services at the outset. Since then, though, there has been no further movement from the ICO in this area.
You can read the guidance in PDF format here.