How much can your car know about you? – EU guidelines on data protection and connected vehicles

Cars today are able to keep us permanently plugged-in, while collecting and generating increasing amounts of information as a result of their interaction with the driver, passengers, pedestrians, other vehicles, road infrastructures, the environment, etc. Something that once served us just to move from point A to point B is now turning into a massive data hub, by integrating sensors and onboard equipment. This has a clear impact on individuals’ privacy and has caught the eye of the EU data protection authority (“EDPB”).

So… who wouldn't want an intelligent car? How much can a car know about you? Will you be able to clear your mind and isolate yourself during a road trip? Will this even be possible in the future?
 

The Guidelines at a glance - Intro

Bearing in mind the rapid pace at which technology advances in the automotive world and its effects on the privacy and data protection rights of a wide variety of users (including not only drivers but also passengers, pedestrians, etc.), the EDPB has issued the final version of its Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications (“Guidelines”). In this final version it has factored in the feedback received from several stakeholders during the public consultation period and addressed, from a data protection standpoint, the evolution of cars from an expression of freedom and autonomy to another “controlled” environment.

As pointed out, traditional players are now learning to coexist with emerging ones from the digital economy such as providers of streaming services, road and traffic information, and driving assistance services, to name a few. These Guidelines could not have arrived at a better time, as they aim to identify several key questions triggered by the application of the General Data Protection Regulation (GDPR). The Guidelines also take due note of the development of standalone mobile applications (i.e. relying on the sole use of the smartphone) meant to contribute to the vehicle's connectivity capacities, including mobility management, vehicle management, road safety, entertainment, driver assistance, well-being, etc.

The Guidelines are of particular interest as they deal with the jackpot combination (and overarching issue) of an abundant collection of information (e.g. engine performance, driving habits, locations & routes, driver's eye movements, pulse, voice or other biometric data) taking place within the connected vehicle ecosystem / tech (e.g. hubs-in-process with sensors of different kinds, telematic boxes, cameras, storage and communication software, and Apps) affecting many individuals (e.g. drivers, passengers, vehicle owners) and concerning many stakeholders (e.g. insurance companies, manufacturers, app developers).

Moreover, the Guidelines also draw attention to the current e-Privacy Directive, which sets the standard for storing and accessing information on terminal equipment. This is not the first time the EDPB has addressed the interplay of the GDPR and the e-Privacy Directive, but in this context it arises naturally, given that connected vehicles and devices will most probably qualify as terminal equipment.

In essence, the Guidelines are divided into three main sections: (1) introduction to the subject and scope of application, including an explanation of applicable regulations, definitions to be taken into account and basic data protection principles; (2) recommendations to be followed as a result of the collection and subsequent processing of personal data; and (3) illustrative case studies. As the Guidelines are quite long (36 pages), we will give a brief tour of the main takeaways:

Scope of application

The subject matter of the Guidelines focuses on the processing of personal data in relation to the non-professional use of connected vehicles* by users (including, but not only, drivers, passengers, vehicle owners, etc.) and mobility apps related to driving, regardless of whether or not they are integrated within the vehicle. The Guidelines deal with personal data (i) processed inside the vehicle, (ii) exchanged between the vehicle and personal devices connected to it (e.g., the user’s smartphone) or (iii) collected locally in the vehicle and exported to external entities (e.g., vehicle manufacturers, infrastructure managers, insurance companies, car repairers) for further processing.

It is important to note that the far-reaching impact of the Guidelines is not limited to car manufacturers; it also extends to other third parties such as automotive suppliers, car repairers, car sharing companies, motor insurance companies, entertainment providers and telecommunication operators, among many others.

Excluded from the scope of the Guidelines are, among others, the potential for workplace monitoring (e.g. in the case of ride-sharing services), processing activities under the household exception (a careful approach to this concept is always advisable), the use of recording devices that have the capacity to capture public areas (e.g. those used for parking assistance purposes), and processing activities related to Cooperative Intelligent Transport Systems.

Basic concepts

We would like to highlight that the relevant data subject whose personal data is expected to be collected and processed is not only the (occasional or regular) driver of the vehicle, but often enough also includes the owner, the passengers, the renter of the vehicle, etc. This opens up a whole new dimension of relevant questions on what requirements and obligations must be fulfilled vis-à-vis all these individuals, by whom, and under what conditions.

Additionally, throughout the Guidelines, emphasis is placed on what should be considered personal data in the context of connected vehicles. In this regard, the EDPB stresses the idea that, by definition, any information that can be linked to an individual will be considered personal data. Examples include technical information related to vehicle movement (e.g. speed, distance traveled, etc.), vehicle conditions (e.g. engine temperature, tire pressure, etc.), WiFi connection, destination and even metadata generated while driving.

The EDPB takes the view that special attention should be paid to location data, biometric data and data related to fines and traffic-related offenses. These types of personal data present higher risks, and specific recommendations are made for them:

Data Recommendations
Location
(this type of data can provide a wide variety of information about the data subject’s life habits such as, for instance, place of work, hobbies, place of residence, etc.)
  • Process data only when strictly necessary, reinforcing the application of the minimization principle.
  • Appropriately configure the frequency of access and level of detail of location data.
  • Provide detailed information on the purpose of the processing.
  • Where appropriate, obtain valid consent, separate from the general conditions of use of the vehicle.
  • Activate the geolocation functionality only when using an application that requires it (and not by default or on a continuous basis when starting the vehicle).
  • Inform the data subject that the geolocation functionality is enabled by means of icons.
  • Provide a simple option to deactivate the geolocation functionality at any time.
  • Define a limited retention period.
Biometric
(this type of data, processed to, for example, open / start the car, can be deemed sensitive or a special category of data under art. 9 GDPR depending on its use)
  • Rely on the due exception under art. 9 GDPR to process biometric data for the purpose of uniquely identifying a natural person.
  • Adapt and implement the necessary security measures based on the features of the solution / sensor.
  • Ensure that the solution / sensor used is resistant to third party attacks.
  • Limit the number of authentication attempts.
  • Store the biometric template / model in the vehicle in an encrypted form.
  • Only process the information used to make up the biometric template / model and for user authentication in real time (without even storing it).
  • New guidelines issued by the EDPB on Virtual Voice Assistants are very interesting regarding the processing of voice.
Criminal offences or other infractions
(note that processing of data that relate to potential criminal offences within the meaning of art. 10 GDPR is generally forbidden)
  • Carry out the processing of this data locally, so that the user has direct control over the processing carried out.
  • Implement adequate security measures.

The Guidelines refer to the fact that some categories of personal data could reveal that a criminal offence or other infraction has been / is being committed (e.g. data indicating that the vehicle crossed a white line, the instantaneous speed of a vehicle combined with precise location data) and are, therefore, subject to restriction. While not specifically analyzed in these Guidelines, the moment at which “normal data” could potentially be regarded as “offence related data” should be carefully assessed.

Main risks

The EDPB identifies and analyzes the main risks resulting from the increasing reach of in-vehicle connectivity and related applications. Specifically, those arising from: (i) the lack of control and information asymmetry between the different subjects concerned; (ii) the quality of user consent; (iii) the use of data for further processing; (iv) the excessive collection of personal data; (v) data security and confidentiality; and (vi) international data transfers to non-adequate third countries.

Lawful bases

The EDPB recalls that, in addition to the GDPR, the e-Privacy Directive (insofar as it is not repealed by the e-Privacy Regulation) must be taken into account. Specifically, its article 5.3 must be borne in mind, as it requires the consent of the individual for the storage of information, or access to information already stored, in the individual’s terminal equipment (which, as mentioned above, can potentially include both the vehicle itself and devices connected to it). Consent is not required when such storage or access is undertaken for the sole purpose of carrying out the transmission of a communication over an electronic communications network or for the provision of a service expressly requested by the individual.

Without prejudice to the consent explained above, any other data processing that takes place in this context (including further processing activities carried out after obtaining such initial consent) must be based on one of the lawful bases established in article 6 GDPR.

General data protection principles, security and data subject rights

The Guidelines emphasize the importance of complying with data protection principles, including, among others, the principles of minimization, transparency, purpose limitation, privacy by design and by default.

In relation to privacy by design and by default, the EDPB describes the following measures to mitigate data protection risks:

Data Recommendations
Local processing of personal data
  • To the extent possible, the transfer of data outside the vehicle should be avoided. An example is eco-driving applications that process data in the vehicle in order to display eco-driving advice in real time on the on-board screen. This also opens the door to the application of the household exemption for individuals.
  • Allow the users to have control over how their data is collected and processed (including language preferences, control on the activation of data processing functionalities, information deletion functionalities, etc.).
  • In the event that local processing of the data is not possible, another option would be implementing the so-called “hybrid” processing (e.g. carrying out the relevant processing within the vehicle and extracting only the results of the particular data processing).
     
Anonymization and pseudonymization
  • Truly anonymize any personal data subject to a transfer to third parties.
  • Another option would be to pseudonymize although, unlike anonymization, pseudonymized data will be protected by the GDPR.
     
Data Protection Impact Assessments
  • In any case, without prejudice to the risks associated with the data processing to be carried out, it is recommended that data protection impact assessments are carried out prior to the relevant processing.

 

The EDPB makes several recommendations on the security measures to be implemented by the different stakeholders that could potentially be involved in the processing described throughout the Guidelines, with special emphasis on those addressed to vehicle manufacturers. These measures include, among others: encrypting the communication channels; partitioning the vehicle’s vital functions, thus separating them from those always relying on telecommunication capacities; setting up an alarm system in case of attack on the vehicle’s systems; enabling a downgraded-operation mode; storing a log history of any access to the vehicle’s information system; etc.

With regard to data subjects’ rights, the EDPB indicates that mechanisms should be provided to allow the users to effectively exercise their data protection rights (in particular, the erasure of their personal data in case of a change in the vehicle ownership). In addition, a profile management system should be implemented in the vehicle to store the preferences of each driver of the vehicle and, thus, allow the users to change their profile (and consequently their privacy settings) depending on who is driving.

Case studies

The Guidelines conclude with a number of scenarios detailing the categories of data processed and the lawful basis, the retention period, the data subjects’ rights, the security measures to be implemented, etc. These case studies deal with (a) Pay as you drive (PAYD) insurance; (b) emergency calls (eCall); (c) accident studies; and (d) anti-theft measures. As always, examples are the best way to understand and get to grips with the concepts and criteria analyzed in the EDPB’s guidelines.

All in all, apart from being an exciting field that will be subject to huge developments in the near future, the intersection between connected vehicles and privacy is becoming an unavoidable hot topic that many different stakeholders will have to bear in mind due to its far-reaching implications, the baseline it sets for future industries, and the products and services to be developed while mixing connectivity, new tech, and huge amounts of data (does virtual voice assistance ring a bell?).

Authored by Santiago de Ampuero, Laur Badin and Victor Mella

* The concept of “connected vehicle” is interpreted broadly: a vehicle equipped with many electronic control units (ECU) that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices both inside and outside the vehicle.
