The European Data Protection Board Guidelines on connected vehicles
The EDPB has adopted the Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications.
On 9 March 2021 the European Data Protection Board (EDPB) finally adopted the Guidelines 1/2020 [1] on processing personal data in the context of connected vehicles and mobility related applications (the Guidelines), which focus on the processing of personal data in connection with the use of connected vehicles in non-professional contexts.
Scope of the Guidelines
The Guidelines are set in a context where connected vehicles are generating an increasing amount of data, much of which - being traceable to drivers or passengers - constitutes personal data within the meaning of EU Regulation 679/2016 ("GDPR"). Indeed, we are increasingly witnessing the proliferation of features for connected vehicles, including those that allow drivers to reach a destination quickly and efficiently (eg providing timely GPS navigation information), those that help drivers reduce the cost of use (eg vehicle condition notification and personalised "Pay As/How You Drive" insurance), as well as those that warn the driver of external dangers (eg driver drowsiness detection or black boxes for accident investigation).
In this context, the objective of the Guidelines is to facilitate compliance of the processing of personal data, in particular that carried out in the context of the non-professional use of connected vehicles by data subjects (eg drivers, passengers and vehicle owners) [2], in relation to the following personal data:
processed inside the vehicle;
exchanged between the vehicle and personal devices (eg the user's smartphone); or
collected locally in the vehicle and exported to external entities (eg vehicle manufacturers and insurance companies).
The legal basis for data processing
Connected vehicles can be defined as vehicles equipped with many electronic control units, connected to each other through an on-board network and with connectivity facilities that allow information to be shared with other devices inside and outside the vehicle. They are therefore to be considered terminal equipment within the meaning of Article 1 of Directive 2008/63/EC of 20 June 2008 on competition in the markets in telecommunications terminal equipment.
Therefore, in addition to the GDPR, Directive 2002/58/EC [3] (the so-called "e-Privacy Directive"), which lays down specific rules designed to guarantee the confidentiality of communications and the protection of users' personal data in the electronic communications sector and protects the integrity of every user's terminal equipment, sets a specific standard [4] for operators that wish to store or access information stored in the terminal equipment of a subscriber or user in the EU.
In light of the above, the EDPB considers that the lawful basis for the processing is set out in Article 5(3) of the e-Privacy Directive, according to which data controllers [5] should obtain the consent of the user and, specifically, process data where: (i) the subscriber or user concerned has been informed clearly and concisely about the purposes of the processing; and (ii) the user is offered the possibility to object to such processing. This is without prejudice, in any event, to the possibility of technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication and, in general, to the processing of data in anonymous form.
Nonetheless, it should be noted that consent, according to the EDPB, should only be required for the storage of information or access to information already stored, with data controllers being able to base subsequent and/or further processing operations on the other lawful bases set out in Article 6 of GDPR (eg in the case of usage-based insurance, such as "Pay-as-you-drive", the insurance company can rely on Article 6(1)(b) GDPR provided it can establish both that the processing takes place in the context of a valid contract with the data subject and that the processing is necessary in order for that particular contract with the data subject to be performed).
The risks underlying the use of connected vehicles
The EDPB underlines the concerns that the use of connected vehicles could raise, emphasising above all, the risks of constant surveillance of individuals linked to the use of location technologies. In particular:
lack of control over one's personal data: in most cases, information can only be provided to the owner of the vehicle, who is not necessarily the driver (and is in any case different from the passengers of the vehicle, even occasional ones).
low quality of the user's consent: users may not be properly informed about the data processing carried out in the vehicle. It is very difficult to obtain and track the consent of any drivers and passengers other than the owner, as well as - in the case of resale, leasing or lending - of the person who takes second possession of the vehicle.
processing of personal data other than that for which consent has been given: for instance, telemetry data collected during vehicle use for maintenance purposes cannot be disclosed to insurance companies without the user's consent for the purpose of creating driver profiles to offer insurance policies based on driving behaviour.
excessive data collection linked to the development of new functionalities: such as those based on machine learning algorithms.
security of personal data: personal data could be compromised by the multitude of functionalities, services and interfaces used in conjunction with connected vehicles.
EDPB recommendations
The EDPB provides operators with useful suggestions for the lawful processing of users' data, identifying three categories of personal data generated by a connected vehicle that deserve special attention in view of their potential impact on the rights and freedoms of the data subjects (ie location data, biometric data and data revealing criminal offenses or other infractions).
In this regard, including but not limited to, the EDPB advises:
collecting location data only when necessary and not by default, and allowing the data subject to disable the location option at any time.
ensuring that biometric authentication solutions are particularly "resistant" to possible attacks, eg by providing a limited number of access attempts and encryption of the biometric template.
considering adequate security measures to ensure that the processing of personal data in vehicles remains "local", and, where the processing is carried out by data processors [6] under Article 28 of GDPR, attention should be focused on the security of the so-called "in-car applications" (eg eco-drive apps that allow real-time notifications to be sent to the screen on board the vehicle).
where the transmission of personal data outside the vehicle is envisaged, considering making such data anonymous.
providing the information to users pursuant to Articles 13-14 of GDPR by means of concise and easily understandable clauses in the agreement for the sale of the vehicle or for the provision of services, by using documents such as the vehicle user manual or by projecting them on the on-board computer.
making it easier for users to control their personal data by implementing systems to manage their preferences and privacy settings (eg through a delete button or a dedicated app).
Conclusions
In light of the above, operators in the automotive sector, prior to the processing of personal data, should consider the following aspects:
privacy by design and by default: data protection issues should be considered from the design process onwards, and connected vehicles should be designed accordingly, with privacy-friendly default settings. Furthermore, data should be processed internally, avoiding data transfer to third parties outside of the vehicle except where necessary (in the latter case, data should be anonymised or at least pseudonymised).
DPIA: given the sensitivity of the personal data that can be generated via connected vehicles, it is likely that the processing - especially where personal data is processed outside of the vehicle - will often result in high risks to the rights and freedoms of individuals and, therefore, a DPIA will be required pursuant to Article 35 of GDPR. Nonetheless, even where it is not mandatory, it is advisable to perform a DPIA from the outset in order to define the legitimacy of the processing and adequate security measures.
data minimization: operators should only collect personal data that is relevant and necessary for processing. For instance, location data is particularly intrusive and can reveal many life habits of the data subjects. Accordingly, when the processing consists of detecting the vehicle's movement, the gyroscope is sufficient to fulfil that function, without there being a need to collect location data.
limitation of data storage: operators should identify and define the duration of the processing (generally no longer than is necessary for the purposes for which the personal data is processed) and legal obligations according to which it could be necessary to store personal data for longer periods.
data subjects' rights: data subjects should have complete control over their data during the entire processing period through the implementation of specific tools that provide an effective way to exercise their rights, in particular the right of access, rectification and erasure, the right to restrict the processing, the right to data portability and the right to object. For instance, in the case of the sale of a connected vehicle and the ensuing change of ownership, the right of erasure and the right to data portability shall be guaranteed to data subjects.
security measures for operators: operators should consider adopting, among others, the following measures:
encrypting the communication channels by means of a state-of-the-art algorithm and developing an encryption-key management system that is unique to each vehicle, not to each model.
regularly renewing and protecting encryption keys from any disclosure.
authenticating data-receiving devices.
ensuring data integrity (eg by hashing).
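As an added illustration of the operator measures above (this is not code from the Guidelines or from this article), the Python below derives a telemetry key that is unique to each vehicle and rotation epoch from a master secret, and protects each message with an HMAC so the receiving backend can check its origin and integrity. The master secret, VINs and readings are constructed; real deployments would keep the master secret in an HSM and provision per-vehicle keys into a secure element, and would add transport encryption on top.

```python
import hmac
import hashlib
import json

# Constructed demo secret; never hard-code a real master secret like this.
MASTER_SECRET = b"constructed-master-secret-do-not-reuse"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) using HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def vehicle_key(vin: str, epoch: int, master: bytes = MASTER_SECRET) -> bytes:
    """Key bound to one vehicle (VIN) and one rotation epoch, not to a model line:
    a key extracted from one vehicle reveals nothing about another vehicle's key."""
    return hkdf_sha256(master, salt=b"telemetry-v1", info=f"{vin}|{epoch}".encode())


def seal(key: bytes, vin: str, epoch: int, payload: dict) -> bytes:
    """Vehicle side: canonical JSON body followed by an HMAC-SHA256 tag over it."""
    body = json.dumps({"vin": vin, "epoch": epoch, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def receive(msg: bytes, current_epoch: int, master: bytes = MASTER_SECRET):
    """Backend side: re-derive the key from the claimed VIN/epoch and verify the tag.
    Returns the payload, or None if the tag fails or the key epoch is not current
    (one previous epoch is tolerated so rotation does not drop in-flight messages)."""
    body, _, tag = msg.rpartition(b"\n")
    header = json.loads(body)
    if header["epoch"] < current_epoch - 1 or header["epoch"] > current_epoch:
        return None
    expected = hmac.new(vehicle_key(header["vin"], header["epoch"], master),
                        body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        return None
    return header["payload"]
```

A message sealed with another vehicle's key, a tampered reading, or a key from a retired epoch is all rejected by `receive`, which is the property "unique to each vehicle, not to each model" buys.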
security measures for vehicle manufacturers: vehicle manufacturers should specifically consider:
partitioning the vehicle's vital functions from those always relying on telecommunication capacities (eg "infotainment").
implementing technical measures that enable vehicle manufacturers to rapidly patch security vulnerabilities during the entire lifespan of the vehicle.
storing a log history of any access to the vehicle's information system (eg going back six months as a maximum period, in order to enable the origin of any potential attack to be understood).
Furthermore, as advised by the EDPB, operators, in particular vehicle manufacturers, shall adopt a code of conduct which, by implementing the indications contained in the Guidelines, may improve the application of the principles of privacy by design and by default in every process, ensuring adequate protection for the rights and freedoms of data subjects from the design phase of the processing and of vehicle construction. In this regard, national DPAs [7] could play a pivotal role in providing further guidance aligned with the Guidelines.
[1] EDPB Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications, adopted on 9 March 2021, available at https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012020-processing-personal-data-context_it
[2] In particular, the Guidelines apply to this non-exhaustive list of stakeholders: vehicle manufacturers, equipment manufacturers and automotive suppliers, car repairers, automobile dealerships, vehicle service providers, rental and car sharing companies, fleet managers, motor insurance companies, entertainment providers, telecommunication operators, road infrastructure managers, and public authorities, as well as drivers, owners, renters, and passengers.
[3] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=IT. Please note that the e-Privacy Directive will be replaced by the e-Privacy Regulation, whose consolidated text was adopted by the Council of the European Union in February 2021. The latter text will be negotiated between the European Parliament and the EU Commission before final adoption.
[4] In the Guidelines, the EDPB noted that a connected vehicle and every device connected to it are indeed "terminal equipment". As a consequence, Article 5(3) of the e-Privacy Directive applies.
[5] In this context, according to the EDPB, data controllers may include service providers that process vehicle data to send the driver traffic information, eco-driving messages, or alerts regarding the functioning of the vehicle; insurance companies offering "Pay As You Drive" contracts; or vehicle manufacturers gathering data on the wear and tear affecting the vehicle's parts to improve its quality.
[6] In this context, according to the EDPB, data processors may include equipment manufacturers and automotive suppliers who may process data on behalf of vehicle manufacturers.
[7] For instance, the French DPA (CNIL) has already announced it will adapt its "Compliance package - connected vehicles and personal data" of February 2018 to the EDPB Guidelines.