Connected cars and mobility related applications are now under the radar of privacy authorities after the issue of the guidelines of the EDPB.
The size of the connected cars market and its potentials
Smart technologies not only allow drivers to use value-added services in relation for instance to the conditions of their vehicle but to also purchase third-party services (e.g., insurance coverage, contents or services relating to their trips) making cars a sort of hub for the sale of other services so unvailing new streams of revenues that could lead to a market whose value is estimated in $ 212.7 billion by 2027.
The data protection issues of connected cars have been historically a major issue for privacy authorities. Indeed, through smart vehicles, automakers and technology providers can obtain a substantial amount of data relating to consumers’ habits and behaviors.
After the Article 29 Working Party Guidelines on the development of Internet of Things technologies, the European data protection board guidelines on connected vehicles and mobility related applications are now a relevant move forward towards the achievement of more clarity in the sector to drive its further growth.
Connected cars between ePrivacy obligations and GDPR
The upcoming ePrivacy Regulation will heavily impact connected cars, with the extension of obligations also to M2M communications. But, according to the EDPB, the provisions of the ePrivacy Directive already set
a specific standard for all actors that wish to store or access information stored in the terminal equipment of a subscriber or user in the European Economic Area.
Indeed, the privacy obligations that were initially drafted for cookies can be extended by the guidelines to connected cars since a connected vehicle and every device connected to it shall be considered as a “terminal equipment”. The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user will be subject to the prior consent of the relevant individual, as far as it constitutes personal data.
Every data processing activity performed in relation to personal data collected from terminals in connected cars shall have a legal basis, and – according to the EDPB – such a legal basis needs to be consent (and, for instance, it could not be legitimate interest) in the view of the ePrivacy directive provisions.
Two exemptions apply to the processing of personal data in the terminal equipment that are processed either
- for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- when it is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
In such cases, the other legal basis of the data processing (e.g., the performance of the contracts between the carmaker and the user in relation to the service) could be applicable. But the scope of data protection obligations for connected vehicles is quite broad since it would cover any processing of data that even indirectly can be connected to an individual, including for instance metadata concerning the vehicle maintenance status if associated with a natural person.
The EDPB guidelines focus on a few privacy law issues for connected cars and mobility applications, and in particular on
- the lack of control and asymmetry of information since information is provided only to the owner of the vehicle that might not be the actual user, and there might be several owners of the same vehicle during its lifetime. Also, communication of data from the vehicle might be automatically or by default triggered without the actual understanding by the relevant user. This practice shall be avoided and a clear privacy information notice compliant with the requirements provided by the GDPR shall be provided before the processing of personal data, also through multi-layer privacy information notices and standardized icons. This principle applies unless they are data obtained from third party sources for which the terms of article 14 (3) of the GDPR apply. And, in any case, only data strictly necessary for the vehicle functioning are processed by default. Individuals should have the possibility to activate or deactivate the data processing for each other purpose and controller/processor and have the possibility to delete the data concerned, also for instance when they sell the vehicle. Also when information related to an individual’s usage of a vehicle is necessary to provide a service (e.g. for insurance coverage), such a data processing could occur in an aggregated manner;
- the quality of users’ consent that needs to be provided separately for specific purposes and not bundled when a connected car is purchased or leased, with further processing for different purposes not allowed without additional consent. Also, consent shall be easily withdrawn. And such a point is linked to the previous issue since if users do not have a full understanding of how their personal data is processed, they cannot grant a valid consent under the GDPR. With the same rationale, the exercise of privacy rights shall be eased through a profile management system in which settings can be simply changed;
- the excessive data collection through the increasing number of in-vehicle sensors and the usage of machine learning technologies that analyze them shall be avoided. The principle of data minimization shall be preserved and for instance, location data shall be processed only when strictly necessary for the provision of the service. Indeed, most of the services usually do not require continuous monitoring of the location of vehicles. Likewise, in relation to biometric data, non-biometric alternatives shall be always given, with the storage of the biometric data locally in an encrypted form and the reliability of authentication solutions based on biometric data shall be carefully preserved;
- the security of personal data processed through vehicles might put at risk individuals since, unlike other Internet of Things technologies, a cyberattack might endanger the life of users. For this purpose, the European data protection board recommends, among others, the usage of solution segregating the vehicle’s vital functions from other functionalities, implementing alert systems to detect cyberattacks and storing data locally in the vehicle in an encrypted format, without transferring data to other locations. If data need to leave the vehicle, they need to be anonymized or at least pseudonymized so that in case of illegal access, it is not possible to easily connect them to the affected individuals. And, given the scale and the sensitivity of data processed through connected cars, the EDPB recommends performing a DPIA, also with reference to data processing activities that do not need a data protection impact assessment under the GDPR in the design phase.
As a final point, the European Data Protection Board analyses some case studies with reference to, among others, pay-as-you-drive insurance coverage, online renting and booking of a parking space services, eCall and auto theft detection.
My personal view on the EDPB guidelines on connected cars
I believe that the European Data Protection Board tried to anticipate what will be provided by the ePrivacy Regulation. The extension of the provisions of the ePrivacy Directive to connected cars can lead to contradictory interpretations as to what is an “information society service” requested by the subscriber/user for which exceptions to consent apply.
An information society service includes “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services” as per article 1(2) of Directive 98/34/EC. But for instance, the Italian implementation of the eCommerce Directive 2000/31/EU adds to the definition referred above any service that is provided online which would considerably extend the scope of the exception to the need to obtain consent. In any case, it is unclear how consent would be free in cases when a service cannot be provided without getting access to data contained in terminals.
The EDPB guidelines on connected vehicles and mobility related applications are now subject to consultation up to the 20th of March 2020 and hopefully, a more flexible interpretation will be followed in the final version.
On a similar topic, you may find interesting the article “The legal challenges of non-personal, IoT and M2M data“.