If you are a vehicle manufacturer or a tech provider in the mobility space, you have been anxiously awaiting the final guidelines on data protection and connected vehicles from the European Union regulator, the European Data Protection Board (EDPB).
What do the guidelines mean for you in practice?
- Are you in scope? The guidelines only apply to you if you are involved in the nonprofessional use of connected vehicles. If your focus is on delivery trucks, professional fleets, etc., you are out of the scope of this document.
- Do you process personal data? The guidelines confirm that, in the context of connected vehicles, the scope of the term “personal data” is very broad. If your service touches data collected by a connected vehicle, even if not directly linked to a name, but rather only to technical aspects and features of the car, you are still processing personal data and need to pay attention. This includes vehicle usage data, vehicle technical data and metadata (e.g., maintenance status).
- Build data protection into your design. Think about how to minimize and secure the use of personal data. Consider: Can you anonymize data that leaves the vehicle? What are the pieces of data which are necessary and relevant for what you need to do? Can you localize the processing and keep it in the car? Can you develop a secure in-car application platform? How long is it necessary for you to retain the data in identified form? Can you allow individuals to directly access the data or permanently delete it? Develop a profile management system for your vehicle.
- Develop your service securely. A connected vehicle is a type of Internet of Things (IoT) device. As such, it is prone to the same information security concerns as other IoT devices, but with potentially greater stakes, since a security breach could endanger lives. Develop your service with state-of-the-art encryption and industry-standard protections, and conduct a data protection impact assessment.
- A connected vehicle is “terminal equipment” and you need consent. Per the EDPB, a connected vehicle and every device connected to it is, in fact, “terminal equipment” (just like a computer, a smartphone or a smart TV). Therefore, storing or accessing information in the vehicle is governed by the e-Privacy Directive and requires consent, other than in narrow exceptions. You must determine how to acquire this consent before the information is stored or accessed.
- You need a legal basis for further processing. After acquiring the initial consent, you still need a “legal basis” (legal permission) under the EU General Data Protection Regulation (GDPR). This could be consent or another legal basis, such as compliance with law, if it applies. If you rely on consent, you need to be mindful that this requires a very high level of specificity, including disclosing the third parties with whom information is shared. Think about how to operationalize that in a way that provides both effective disclosure and an acceptable user experience.
- You need to be transparent about your data processing – but how? First, you need to know exactly how you will use and share the data and figure out an effective way to disclose this (In the contract of sale? In a stand-alone document? On the on-board computers? Using standardized icons?). The EDPB recommends a layered approach, with the first layer containing the important aspects of the processing and the rest of the details in the privacy notice itself. After that, you’ll need to address complexities such as interacting with multiple providers (Who provides the disclosure? How do you get the information from the other providers?); ensuring you are providing the notice to the right individual; and how to address this in the context of the sale of a used vehicle.
Odia Kagan is a partner at Fox Rothschild LLP and Chair of the GDPR Compliance & International Privacy practice group.