The European Data Protection Board (“EDPB”) published draft guidelines including specific data protection and privacy concerns in relation to connected vehicles and mobility-related applications. The guidelines are open for public consultation until 20 March 2020.
The EDPB emphasizes that most data collected via connected vehicles is personal data, even if the data collected is not directly linked to an individual (for example, information relating to driving style, distance travelled and technical information about the vehicle), as it may identify an individual via cross-referencing.
In this context, the EDPD identifies three categories of personal data warranting particular attention:
- The collection of geolocation data can be particularly invasive, as it may reveal intimate aspects of a data subject’s life and daily habits. The EDPD, therefore, warns industry participants to be “particularly vigilant” not to collect location data except where “doing so is absolutely necessary for the purpose of processing”.
- Biometric data may include use of fingerprints, eye movements, or facial recognition. As this data is especially sensitive, the EDPB recommends that it should be stored locally in vehicles only and that the drivers should be given full control over their data choices, for example by not making the collection of biometric data mandatory.
- Certain data can reveal the commitment of a criminal offence, for example when speed data is combined with precise geolocation disclosing a speeding violation. In these cases, the processing requires to be carried out under the control of official authority or to be authorized by EU or Member State law in accordance with Art. 10 GDPR.
Lawful Basis for Processing
A connected vehicle and every device connected to it is considered as “terminal equipment” (just like a computer, a smartphone or a smart TV). Therefore, storage of information or gaining access to information stored on a connected vehicle requires the individual’s prior consent in accordance with Art. 5(3) of the e-Privacy Directive. Such consent will not be necessary when data is collected “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” or “when it is strictly necessary” to provide a functionality or service that is “explicitly requested by the user”.
The draft guidelines contain several measures that may reduce the risks for data protection and privacy that are associated with connected vehicles:
- Controllers need to be transparent about what personal data is collected and inform the data subjects about this, for example in the car’s maintenance book or manual or the infotainment system.
- The individuals should be given the greatest possible control over the data, for example by implementing a system that enables data subjects to easily change the privacy settings or to directly access, delete or remove their personal data from the vehicle’s systems. Where possible, the data should not be transferred outside of the vehicle but rather processed internally only.
- Given that a security breach related to data collected and processed by a connected vehicle could potentially endanger the life of its users, the EDPB recommends that industry participants should put in place a range of security measures to protect the security and confidentiality of personal data, such as encryption methods or specific authentication techniques.
Industry participants have until 20 March 2020 to make submissions to the draft guidelines, which will be taken into consideration by the EDPB when it finalizes the guidelines.