connected vehicles

Subscribe to connected vehicles

Earlier this year, following its public consultation, the European Data Protection Board (EDPB) approved its guidelines on the processing of personal data in the context of connected vehicles and mobility related applications (here).

Why are these guidelines needed?

In the guidelines, the EDPB notes that “vehicles are becoming massive data hubs” and “connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers or passengers”. Interestingly, the EDPB is also of the opinion that “[e]ven if the data collected by a connected car are not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car.” To illustrate this latter point, the EDPB lists the following types of data that would fall within this category: speed, distance travelled, engine coolant temperature, engine RPM and tyre pressure. This is a broad interpretation of what constitutes ‘personal data’ under the General Data Protection Regulation (GDPR).

Some of the risks of processing personal data in the context of connected vehicles include:

  1. Not adequately informing all data subjects that their personal data is being processed. More often, it is only the driver or owner who is provided with the required transparency information;
  2. Ensuring that a data subject’s consent qualifies as valid consent under the GDPR – consent needs to be considered in the context of personal data processing under the GDPR and in relation to the ePrivacy Regulations as it is likely that information will be stored or accessed in terminal equipment;
  3. Legitimately handling any additional processing of personal data not contemplated by the initial collection e.g. for the purposes of law enforcement;
  4. Collecting excessive amounts of personal data due to the vehicle manufacturer’s desire to use such data to develop new functionality; and
  5. The increased security risks due to the number of different types of technology used in connected vehicles (e.g. wi-fi, USB, RFID).

Continue Reading Processing personal data in the context of connected vehicles

The 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong published a Resolution on Data Protection in Automated and Connected Vehicles, which sets out fundamental data protection requirements for the mobility of the future (“Resolution”). The Resolution proposes common international standards.

The Resolution addresses not only vehicle and equipment manufacturers, but also providers of personal transportation services, car rental providers, and providers of data driven services (e.g., speech recognition, navigation, remote maintenance or motor insurance telematics services), as well as standardization bodies and public authorities (“Addressees”). The Resolution expressly calls upon Addresses to “fully respect the users’ right to the protection of their personal data and privacy and to sufficiently take this into account at every stage of the creation and development of new devices or services”.

Following the German Federal Data Protection Commissioner’s earlier proposals for automated and connected vehicles of June 2017, the Resolution describes how the rights of users should be protected. In particular, the Addresses are seriously urged to comply with the following 16 items:
Continue Reading 39th International Conference of Data Protection and Privacy Commissioners publishes Resolution on Data Protection in Automated and Connected Vehicles

The market of the so-called “connected vehicles” has been considerably growing since 2015. According to a recent study by AlixPartners, 78 million of connected vehicles will be commercialized in 2018, generating a EUR40 billion turnover.

To operate properly, connected vehicles collect much personal data, notably by connecting to drivers’ phones. Aware of the potential data