Earlier this year, following its public consultation, the European Data Protection Board (EDPB) approved its guidelines on the processing of personal data in the context of connected vehicles and mobility related applications (here).
Why are these guidelines needed?
In the guidelines, the EDPB notes that “vehicles are becoming massive data hubs” and “connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers or passengers”. Interestingly, the EDPB is also of the opinion that “[e]ven if the data collected by a connected car are not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car.” To illustrate this latter point, the EDPB lists the following types of data that would fall within this category: speed, distance travelled, engine coolant temperature, engine RPM and tyre pressure. This is a broad interpretation of what constitutes ‘personal data’ under the General Data Protection Regulation (GDPR).
Some of the risks of processing personal data in the context of connected vehicles include:
- Not adequately informing all data subjects that their personal data is being processed. More often, it is only the driver or owner who is provided with the required transparency information;
- Ensuring that a data subject’s consent qualifies as valid consent under the GDPR – consent needs to be considered in the context of personal data processing under the GDPR and in relation to the ePrivacy Regulations as it is likely that information will be stored or accessed in terminal equipment;
- Legitimately handling any additional processing of personal data not contemplated by the initial collection e.g. for the purposes of law enforcement;
- Collecting excessive amounts of personal data due to the vehicle manufacturer’s desire to use such data to develop new functionality; and
- The increased security risks due to the number of different types of technology used in connected vehicles (e.g. wi-fi, USB, RFID).
The EDPB makes a number of general recommendations in relation to the processing personal data in the context of connected vehicles, including in relation to personal data that it considers warrants “special attention”, such as location data, biometric data (and any other special categories of data) and criminal offences including traffic violations;
- Only collect location data where this is absolutely necessary. For example, the EDPB suggests that the gyroscope may be sufficient to detect a vehicle’s movement, without the need to collect location data;
- Forbidding external processing of personal data revealing criminal offences or other infractions, except in a very narrow set of circumstances;
- Providing a non-biometric alternative to the function that would otherwise process biometric data;
- Try, wherever possible, to use processes that do not involve the processing of personal data outside of the vehicle (i.e. internal personal data processing);
- Give due consideration to the possibility of achieving the same result by processing anonymized or pseudonymized personal data instead of the raw data; and
- Put in place security measures that guarantee the security and confidentiality of personal data processed, including encryption, encryption-key management unique to each vehicle and enabling measures that allow for the rapid patching of security vulnerabilities.
Gone are the days where vehicles are just a means of transportation, they now represent huge “data hubs”. Manufacturers and other controllers alike should therefore take note of these guidelines not least because many people may view a vehicle as a private area where they can expect a reasonable expectation of privacy.