In February, the European Data Protection Board (EDPB) published its draft guidelines on the processing of personal data in the context of connected vehicles and mobility-related applications (the Guidelines). These are draft guidelines published for public consultation.
Individual European regulators have previously issued guidance relevant to connected cars. In France, the CNIL published its “compliance package” in 2017, and previous guidance has been issued in Germany. The Article 29 Working Party had previously issued guidance on the Internet of Things – but never ventured into the connected car space. The Guidelines are the first European-wide guidelines issued on connected car technology by privacy regulators. However, despite the Guidelines coming 2 years after GDPR came into force, this is not the full picture, as we are still waiting for the ePrivacy Regulation to be finalised. Some submissions in response to the Guidelines have suggested that the adoption of the Guidelines should be delayed on the basis that the ePrivacy Regulation is not yet in force.
So, while perhaps overdue, it is helpful to have the views of the EDPB and – through them – the collective views of the European supervisory authorities on important issues this technology raises.
Some of the views adopted in the Guidelines will not be surprising – an expansive view on the concept of personal data and the applicability of the ePrivacy Directive, to take two examples. These may still, however, cause operational challenges for many actors in the connected car space currently wrestling with using this innovative technology in a privacy compliant way.
Equally, there are some areas of the Guidelines that are arguably more controversial, particularly on the interface between GDPR and the ePrivacy Directive. The Guidelines also focus heavily on an owner-use scenario which, for some data privacy issues, lends itself to more practical solutions – particularly where consent-led solutions are appropriate. However, as mobility service models have become more sophisticated, the Guidelines would benefit from being expanded to consider other scenarios where the issues they raise are not so easily handled – e.g. company fleets, vehicle leasing arrangements, car sharing clubs and various forms of long-term and short-term vehicle rental services. The Guidelines specifically exclude employee use of vehicles, due to employee monitoring issues. But they could address the other privacy issues that are raised in this context.
Over 30 responses to the public consultation have been published – many raising challenges with legal interpretations adopted in the Guidelines as well as practical difficulties in some of the solutions and restrictions proposed. Some of these represent important points of substance that, if not addressed by the EDPB in the final Guidelines, could lead to the ‘flashing of hazard lights’ in developments in this area in the years to come.
We have set out below a selection of the key themes from the Guidelines and our thoughts.
What constitutes personal data?
The Guidelines widely construe the concept of personal data in the context of connected vehicle data. Under the Guidelines ‘personal data’ could include directly identifiable personal data such as the driver’s name as well as indirectly identifiable data including data relating to driving style, mileage, vehicle wear and tear and metadata such as maintenance status of the vehicle. This is not surprising and is consistent with the approaches of regulators (and European case law) to date.
However, the Guidelines would benefit from acknowledging some flexibility here. Context and intention of processing are important considerations in determining when information constitutes personal data under GDPR in any scenario. This is the case both in law and under case law. This is particularly relevant for connected car technologies in scenarios other than user-owner arrangements. Should corporates have to treat ‘wear and tear’ data of their assets as ‘personal data’?
The Guidelines also flag specific categories of personal data warranting special consideration due to the sensitive/high risk nature of the information.
- Geolocation data – Journeys can allow inferences about life habits of an individual to be drawn, such as religion through places of worship visited, and inevitably location information collected over an extended period provides an overview of the activities and life of the vehicle user.
- Biometric data – This might include biometric data to enable the driver to unlock the vehicle or to authenticate the driver.
- Data revealing criminal offences – The Guidelines note that geolocation data combined with vehicle speed can reveal a driving offence. It is noted that speed alone is not necessarily offence data (given speed limits vary by location). This is a helpful and pragmatic clarification. But, as should correctly be the case, this will depend on the purpose for which speed is collected.
The Guidelines provide recommendations when processing such high risk data including ensuring consents obtained are valid and unbundled from other terms, defining a limited retention period, encouraging local processing within the vehicle where possible, providing alternatives (e.g. non-biometric access) and allowing for drivers to turn off certain tracking such as location. Many are sensible privacy-enhancing measures. But, in certain scenarios, these requirements will present some controllers with challenges.
Interplay between GDPR and ePrivacy Directive
This is perhaps the most controversial topic that the Guidelines touch on. There is also, arguably, a degree of internal inconsistency with how the Guidelines address this issue.
The Guidelines are clear that, in addition to GDPR, the ePrivacy Directive will apply. Specifically, that connected vehicles and all devices connected to them are “terminal equipment” for the purposes of the ePrivacy Directive – in the same way as a mobile device or laptop is “terminal equipment”. This activates the requirement for consent to the storage of information, or gaining access to information stored, on the connected vehicle and other connected devices.
Strictly, this seems a fair interpretation of the applicability of the ePrivacy Directive (although a technical assessment of whether information is “accessed” from the vehicle for some technologies may permit some flexibility).
However, the Guidelines arguably fail to accommodate all potential solutions for obtaining consent resulting in a potentially unduly restrictive application, particularly in scenarios where the user (or, in this case, driver) is not the owner of the vehicle. The ePrivacy Directive allows for consent to be given by the “user or subscriber” of the relevant service. So consent by actors other than the driver may be appropriate in some circumstances. The Guidelines could acknowledge this flexibility so as to allow the law to accommodate other connected car scenarios without fundamentally undermining the protection the ePrivacy Directive seeks to provide.
The challenges of obtaining consent under the ePrivacy Directive in certain circumstances also arguably demonstrate a need for updates to the ePrivacy Directive. Consent is not required for access to data required as part of a requested ‘information society service’ (i.e. a digitally delivered service; think Spotify or Netflix). This exemption makes sense. But it is too inflexible to accommodate technology-enabled services that also involve a “real world” element and may, therefore, not constitute “information society services”. For example, the Guidelines suggest that this issue in the context of ‘pay-as-you-drive’ insurance can be managed by obtaining the consent of the driver. But is that truly an ‘unbundled’ and ‘freely given’ consent (as required under GDPR)? Would it not be neater – and maintain consistent logic – if a similar exemption applied where connectivity was an inherent part of service delivery? Or should there be some recognition of the potential to rely on legitimate interests, subject to certain safeguards, as has recently been included in the most recent proposal on the new ePrivacy Regulation issued by the Croatian Presidency?
In addition, and potentially most importantly, the Guidelines also appear to adopt an unduly restrictive interpretation of the ability to rely on legal bases other than consent under GDPR in scenarios where the ePrivacy Directive is also engaged.
The Guidelines state that any consent requirement under Article 5(3) ePrivacy Directive takes precedence over GDPR in relation to the storage of information/collection of information from the connected vehicle and other linked devices. In addition, further processing of personal data collected from the connected vehicle or device will require an Article 6 GDPR lawful basis of processing. This is in line with the EDPB’s Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR.
However, the Guidelines go further and suggest that where consent is required under Article 5(3) ePrivacy Directive, consent will generally be the most appropriate lawful basis under Article 6 GDPR for further processing activities. This is a direction of travel we have seen in the ICO’s recent guidance on adtech, so it is not entirely surprising. The stated intention is to ensure that the protection under the ePrivacy Directive is not undermined, and it is potentially understandable in certain circumstances. But it is debatable whether this is what GDPR says: there is no hierarchy to the lawful bases under GDPR.
There is clearly a concern that saying otherwise would, in the regulator’s eyes, open the ‘floodgates’ to allow controllers to rely on legitimate interests as a legal basis under GDPR. However, setting aside legalistic arguments for a moment, this is also potentially unfair on responsible controllers. Even if legitimate interests is properly available as a legal basis, this does not mean a “free for all”. Responsible controllers understand the balancing test that needs to be made out and the requirements to deal with issues such as proportionality, transparency and accountability that this involves.
Indeed, the case studies included in the Guidelines acknowledge that appropriate reliance on bases other than consent under GDPR does not necessarily undermine the protection under the ePrivacy Directive. For example, in the ‘pay-as-you-drive’ insurance scenario, the EDPB acknowledges that performance of contract would also be an appropriate legal basis.
As it stands the Guidelines leave significant scope for confusion here and clarification would be welcomed.
Other key concerns
The EDPB also helpfully highlights specific concerns and recommendations in relation to connected vehicles and mobility and focuses on the need for:
- Data minimisation – to avoid excessive data collection.
- Data protection by design and default – with an emphasis on local processing where possible, anonymisation and pseudonymisation and the need for data protection impact assessments.
- Transparency – and the need to provide clear, simple and accessible information to users.
- Effective mechanisms for data subject rights – including the ability to easily modify privacy settings in the connected vehicle, prevent certain data being collected (such as location) and for the sale of a connected vehicle to trigger deletion.
- Security and confidentiality – security is raised as a particularly important risk given the nature of connected cars and potential risk to life in the event of a security breach or hack. The risk of a security breach is increased by the various ways in which a connected car could be hacked (e.g. mobile device connected to vehicle, telematics boxes, GPS navigation systems). In addition, information is shared with third parties such as vehicle manufacturers, stored outside the connected car (e.g. in cloud servers) and may also potentially be accessed by technicians accessing other functions of the vehicle.
These are all existing obligations under GDPR that would need to be considered when processing personal data in any event – although some issues are more relevant and high risk in a connected vehicle context. This should all effectively be considered in an associated data protection impact assessment.
However, it is clear from these recommendations that there is a need for reliance on multiple actors across the connected car space – from OEMs to mobility service providers. Each will have a different ability to implement the measures needed to ensure privacy-compliant deployment of this technology. Again, it would be beneficial for the Guidelines to recognise this.
The Guidelines include a number of case studies applying the recommendations to specific scenarios including:
- Pay-as-you-drive insurance – where driving habits and mileage are tracked in order to determine premiums for car insurance. The Guidelines note that there are no exemptions under the ePrivacy Directive and therefore consent is required for the collection of data from the vehicle regarding driving habits. Performance of contract can then be relied upon for further processing under Article 6 GDPR. Recommendations include retaining raw data on the telematics box and only transferring a numeric score, and deleting the raw data once the validity of the relevant score has been confirmed.
- Theft prevention – The Guidelines take a strict approach to theft prevention using geolocation information noting that location data can only be transmitted once the vehicle has been stolen. However, this does not consider the practicalities of vehicle theft and sophisticated criminals who would likely remove or deactivate any tracking device prior to (or shortly after) stealing the vehicle. Therefore there are clear practical difficulties if this approach is followed.
- Car rental/sharing – The scenario relates to the storage of information on a rental car’s dashboard when using an in-car entertainment system with device connectivity. The Guidelines provide that the rental company acts as data controller and should be responsible for ensuring internal procedures for deleting personal data from the dashboard after each rental, using privacy functionality provided by the vehicle manufacturers. This presents operational issues, as the procedure for deleting information from vehicle dashboards is often lengthy and differs between vehicle make and model.
However, these are some of the most useful sections of the Guidelines. It would be helpful for the Guidelines to consider use cases in other scenarios. In particular, the inclusion of a use case relating specifically to the collection of vehicle maintenance and diagnostics data in a corporate or fleet scenario would be of value, being one of the most prominent use cases for this type of technology.
The consultation period for public submissions closed on 4 May 2020.