The market of the so-called “connected vehicles” has been considerably growing since 2015. According to a recent study by AlixPartners, 78 million of connected vehicles will be commercialized in 2018, generating a EUR40 billion turnover.

To operate properly, connected vehicles collect much personal data, notably by connecting to drivers’ phones. Aware of the potential data protection issues that might arise, the French Data Protection Authority (“CNIL”) in March 2016 initiated work on a compliance package (“pack de conformité”) for connected vehicles, which is to be achieved next spring.

This compliance package, which is currently elaborated in consultation with the automobile industry, and innovative companies from the insurance and telecommunications sectors, as well as public authorities, will contain guidelines on the responsible use of personal data in connected vehicles.

On 3 October 2016, at the International Motor Show in Paris (“Mondial de l’Automobile”), the CNIL provided an update on the progress of the compliance package for connected vehicles.

The CNIL, which stressed that personal data issues should be taken into account right from the design phase of the vehicles, contemplated three different scenarios:

  • In-In scenario: Personal data collected within the vehicle remains in that vehicle without external transmission to a service provider
  • In-Out scenario: Personal data collected within the vehicle is transmitted outside the vehicle to a service provider in order to provide a service to the driver
  • In-Out-In scenario: Personal data collected within the vehicle is transmitted outside the vehicle in order to trigger an automatic action in the vehicle

The CNIL expressly encouraged market participants to favor the In-In scenario, under which personal data is processed within the vehicle without any external transmission to a service provider. According to the CNIL, this scenario appropriately protects the drivers’ personal data, and will trigger softer obligations for data controllers.

The CNIL also reminded the following:

  • First, all data that may be attributed to an identified or identifiable individual, notably number plates or vehicle serial numbers, is to be regarded as personal data subject to the French Data Protection Act (“Loi Informatique et Libertés”) and the General Data Protection Regulation (“GDPR”)
  • Second, the compliance package aims to raise market participants’ awareness on the transparency and fair data collection principles. According to the CNIL, those principles command that personal data shall not be collected without at least informing the data subjects, and even possibly seeking their consent.
  • Third, the CNIL favors a “privacy by design” approach, which will notably result in the implementation of easily customizable dashboards, allowing the driver to keep control over his personal data

The principles set out by the CNIL should ensure adequate protection for personal data collected in connected vehicles, while not inhibiting innovation in the automobile industry.