Privacy in the context of connected vehicles
On the 28th of January, 2020, the European Data Protection Board (‘EDPB’) adopted its long-awaited guidelines on the processing of personal data in the context of connected vehicles and mobility related applications.
In its guidelines, the EDPB outlines the legal framework applicable to such data processing operations and the risks associated with them. The EDPB expands on this legislation through a number of general recommendations that should be followed to mitigate those risks, and provides useful examples showing how the legislation is properly applied in specific cases.
We are happy to see that the EDPB – in line with the legal memorandum on connected vehicles and data, which has been published by the Fédération Internationale de l’Automobile (FIA) in May, 2017 – has explicitly stated that the data generated by a connected car, must be considered personal data. Indeed, even if the data collected by a connected car are not directly linked to a name, but to technical aspects of the vehicle, it will qualify as personal data to any party that may reference that data with reasonable means to a specific individual – be it the driver itself or a passenger of the car.
This conclusion, trivial as it may sound, has a major impact on the rights of such drivers and passengers. After all, the understanding of what constitutes personal data is a key question in privacy law, as the European data privacy legislation applies only if and insofar personal data is being collected.
Thus, having determined that the privacy legislation also applies to data collected by a connected car, the EDPB goes on and reiterates that each stakeholder must ensure that car users enjoy transparency and control in relation to their data. Of course, this completely opposes the arguments that some of the European automotive industry associations (specifically, the Verband der Automobilindustrie (‘VDA’), the European Automobile Manufacturers Association (‘ACEA’) and the British Society of Motor Manufacturers and Traders (‘SMMT’)) made when they tried to establish a separation between data provided by the customer as personal data and vehicle generated data as non-personal data. Each stakeholder must incorporate the protection of personal data from the product design phase to ensure the rights of data subjects using their cars.
This also entails that, as a rule, prior consent is required for the gaining of access to information that is already stored in the vehicle. And that’s where we strive to make a difference. At Crossyn, we make every effort to be transparent and provide the driver with control over his data. We value his privacy and enable the driver to turn his data into value.
So now we know vehicle data qualifies as personal data, let’s see what privacy related concerns the EDPB raises. First of all, the EDPB fears that vehicle users may not always be adequately informed about the processing of data taking place through a connected vehicle. Of course, this is a legitimate concern, as it is shown that not many people are aware of the fact that modern cars store ample amounts of data, and transmit them too. It is common practice that the provision of consent for the access of in-vehicle data gets bundled with the contract to buy or lease a new car, which also brings us to the second concern, being that in such cases the consent is probably not freely given, for specific purposes and on an informed basis.
The other (most important) risks that the EDPB points out, are that the ever-increasing number of sensors being deployed in connected vehicles will lead to excessive data collection and that the personal data stored on vehicles or at external locations may not be adequately secured against unauthorised access.
Of course, the general recommendations made by the EDPB should be duly followed to minimise those risks. This strengthens user confidence and thus the long-term development of those technologies. However, in addition to that, and in order to provide the users with complete control over their data, we think it is important to provide a highly secured platform where they can manage their data in a more granular fashion.
In our view, the driver should be able to decide what data-driven services he wants to purchase and what data he wants to share using those services. With a simple click on the button, he should be able to activate a service and start sharing his data for it. This is how we help car users to turn their vehicle data into value. And conversely, it should be just as simple for the driver to log into his account and stop sharing the data that has been shared for the use of additional functionalities, but is not required for the use of the service in itself.
Auteur: Bas van der Heijden