Earlier this year, following its public consultation, the European Data Protection Board (EDPB) approved its guidelines on the processing of personal data in the context of connected vehicles and mobility related applications (here).
Why are these guidelines needed?
In the guidelines, the EDPB notes that “vehicles are becoming massive data hubs” and “connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers or passengers”. Interestingly, the EDPB is also of the opinion that “[e]ven if the data collected by a connected car are not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car.” To illustrate this latter point, the EDPB lists the following types of data that would fall within this category: speed, distance travelled, engine coolant temperature, engine RPM and tyre pressure. This is a broad interpretation of what constitutes ‘personal data’ under the General Data Protection Regulation (GDPR).
Some of the risks of processing personal data in the context of connected vehicles include:
- Not adequately informing all data subjects that their personal data is being processed. More often, it is only the driver or owner who is provided with the required transparency information;
- Ensuring that a data subject’s consent qualifies as valid consent under the GDPR – consent needs to be considered in the context of personal data processing under the GDPR and in relation to the ePrivacy Regulations as it is likely that information will be stored or accessed in terminal equipment;
- Legitimately handling any additional processing of personal data not contemplated by the initial collection e.g. for the purposes of law enforcement;
- Collecting excessive amounts of personal data due to the vehicle manufacturer’s desire to use such data to develop new functionality; and
- The increased security risks due to the number of different types of technology used in connected vehicles (e.g. wi-fi, USB, RFID).
Continue Reading Processing personal data in the context of connected vehicles