On 28 January 2020 the European Data Protection Board approved and submitted for public debate Guidelines no. 1/2020 on processing personal data in the context of connected vehicles and mobility related applications.
In this age of the IoT (Internet of Things), when the objects used in everyday life gain more and more functions for storing and transmitting personal data related to individual behaviour in various circumstances, whether at home, at the office or in the car, the legal separation and clarification of the data concerning the personal life of each person and the “life” of the objects around us has become a necessity.
There are countless examples, ranging from the truly useful, such as the GPS systems of the vehicles we drive, to less pleasant situations, such as the storage of traffic offences or of the accidents in which we are involved, with an impact on the insurance premiums paid, among other things.
Thus, the publication by the European Data Protection Board (EDPB) of the Guidelines on processing personal data in the context of connected vehicles and mobility related applications is more than welcome.
The scope of this document is mainly the processing of personal data related to the non-professional use of connected vehicles by data subjects: for example, drivers, passengers, vehicle owners, lessees, etc. It particularly deals with personal data:
(i) processed within the vehicle,
(ii) exchanged between the vehicle and the personal devices connected thereto (for example, the smartphone of the user) or
(iii) collected in the vehicles and exported to external entities (such as car manufacturers, infrastructure managers, insurance companies, car repair companies) for subsequent processing.
The data processed within the vehicle or exchanged between it and the user’s smartphone, whether for the purpose of driving assistance or entertainment, pose no particular problem, as consent to their processing is in most cases expressly given by the data subject. For the data exported to external entities, the practical and legal issues become more complex, as explained below.
According to the Guidelines, most of the data generated by a connected vehicle refer to an identified or identifiable individual and are thus personal data. These include directly identifiable data (for example, the full identity of the driver), as well as indirectly identifiable data, such as the travels made, vehicle use data (such as driving style or mileage) or technical data of the vehicle (e.g. data concerning the wear and tear of vehicle parts), which, through cross-referencing with other files and particularly with the vehicle identification number (VIN), can lead to an individual. The personal data in connected vehicles may also include metadata, such as the vehicle maintenance condition. In other words, any data that may be associated with an individual fall under the scope of this document.
Therefore, the personal data controllers, the processors, the data subjects and the receivers of personal data processed in this environment have to be identified according to the GDPR.
Thus, personal data controllers may include suppliers of services that process vehicle data and send the driver traffic information, messages related to “green” driving or alerts concerning the roadworthiness of the vehicle; insurance companies providing “Pay As You Drive” contracts; manufacturers’ associations collecting data concerning the wear and tear of vehicle parts in order to improve their quality; suppliers of software services for damage history; car repair shops; etc.
As a rule, only the data controller and the data subject have access to the data generated by a vehicle, be it connected or not. However, the data controller may process the personal data only in compliance with the GDPR and may send the personal data to a commercial partner (receiver) only if such transfer is based on one of the legal grounds stipulated under art. 6 of the GDPR:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Therefore, the car manufacturer, the supplier of services, the insurer or another personal data controller may transfer personal data to a processor selected to play a role in the supply of the service to the data subject, provided that the processor does not use these data for its own purposes. The data controller and the processor shall sign a contract or another legal document stipulating the obligations of each party, according to the provisions of art. 28 of the GDPR.
Considering the potential sensitivity of the data concerning the use of the vehicle (for example, travels made, driving style), the EDPB recommends that the consent of the data subject be obtained systematically before their data is sent to a trade partner acting as data processor (for example, by ticking a box which is not pre-ticked or, if technically possible, by using a physical or logical device which the person can access from the vehicle).
In turn, the trade partner becomes responsible for the data received and becomes subject to all the provisions of the GDPR.
In the context of the ePrivacy Directive, the EDPB considers that part of the data processed originating from vehicles falls under the scope of this Directive. When data is collected based on consent, as stipulated under art. 5 (3) of the “ePrivacy” Directive, it can be processed for purposes other than the initial one only if additional consent for that purpose has been requested or if the controller can demonstrate that the processing is based on a Union or Member State law protecting the interests stipulated under art. 23 (1) GDPR. The EDPB considers that further processing based on a compatibility test according to art. 6 (4) GDPR is not possible in these cases, as it would undermine the data protection standard in the “ePrivacy” Directive.
For example, telemetry data collected during the use of the vehicle for maintenance purposes cannot be disclosed to vehicle insurance companies, without the consent of the users, for the purpose of creating driver profiles in order to offer insurance policies based on driving behaviour. This also applies to the data abusively collected by the computer systems of vehicle repair shops, either upon the repair of the vehicle or upon notifying and/or establishing the damage reserve or closing the damage file.
The same regime also applies to data on the driving behaviour of the data subject processed and/or obtained by software systems and/or digital devices (Waze, Google Maps, smartphones, etc.) without consent or outside the scope of the provisions of art. 6 of the GDPR or the exception stipulated therein.
The issue of automated profiling, which is performed in most cases, must also be taken into consideration; insurers, at least in my experience, avoid mentioning this in the documents by which they obtain consent from the data subject/insured.
Therefore, the Guidelines published by the EDPB and submitted for public debate, if not significantly amended, will compel a series of controllers in the chain of actors in the automotive industry (manufacturers, dealers, service shops, insurers, suppliers of services, etc.) to rethink their data collection processes and to insist on collecting data which are now processed for purposes other than those for which consent has been obtained.
This is the link to the original document in English, containing many more technical details.