PONT Data&Privacy

EDPB on connected vehicles: consent and privacy safeguards

The European Data Protection Board (EDPB), the body in which EU privacy regulators work together, published draft guidelines earlier this month on the processing of personal data related to connected vehicles.

20 February 2020

The guidelines explain rules that relate specifically to smart, connected cars. Notable is the principle that explicit consent must be given for certain data processing and transfers. Data subjects should further be clearly informed about data processing, data processing options should not always be on by default, and it should be as simple as possible to manage personal data. The guidelines also provide some specific recommendations regarding location data, biometric data and criminal data.

The draft guidelines are open for comment until March 20, 2020.

Background

Connected cars collect large amounts of data. In many cases, that data includes personal data on the owner, driver and occupants. This includes not only personal data such as a name, the set driver profile or a unique vehicle ID, but also data about, for example, settings, preferences, location and driving behavior, including violation of traffic rules. In recent years, industry associations and privacy regulators in Germany, France and the United Kingdom have already established frameworks for processing this personal data.

The General Data Protection Regulation (GDPR) contains general rules on the processing of personal data. The ePrivacy Directive contains more specific rules on handling personal data within electronic communications. The ePrivacy Directive will eventually be replaced by the ePrivacy Regulation, which is currently still on the drawing board.

Consent

In the guidelines, the regulators first state that the ePrivacy Directive applies to the processing of personal data in the context of connected vehicles. In doing so, they equate an Internet-connected car with a computer, smart TV or smartphone. The ePrivacy Directive requires consent to store or read data on users' terminal equipment. This is the same consent that is required for the use of cookies. Because consent is required for storing and reading data from the vehicle, regulators believe that for further processing of that data, which is covered by the GDPR, consent will also be the most obvious basis. Many services and functionalities related to smart cars use data stored and read from the vehicle, which will require consent.

The ePrivacy Directive also contains exceptions to the consent requirement. Consent need not be sought when processing the information is necessary to carry out communications. Also, consent is not required if storing data or accessing data is strictly necessary for a service requested by a user.

Consent under the ePrivacy Directive must meet the consent requirements of the GDPR. This means that consent must be free, specific, informed and explicit. Starting the car and driving away does not mean that the driver is consenting to certain functionalities in the car.

That regulators equate smart cars with computers and other terminal equipment is remarkable but also understandable. The ePrivacy Regulation has a broader scope of application than the ePrivacy Directive. The ePrivacy Regulation will also cover so-called over-the-top services, machine-to-machine communications and (semi-)public wireless networks. Internet of things (IoT) applications are included. However, the ePrivacy Regulation is not yet final and is likely to take effect in 2021. The regulators seem to have wanted to get a head start on this.

Information

The regulators identify a number of privacy risks in the guidelines, prompted in part by the large amounts of data being processed and its sensitive nature. In practice, data subjects are not always well informed about the processing of personal data by the car, which means they cannot exercise sufficient control over the processing of their personal data. Moreover, without adequate information, no legally valid consent can be established.

The regulators note that providing information and requesting consent can be difficult in practice and point out that the driver whose personal data are being processed may differ each time and may also be a different person than the owner. However, the regulators leave solving this problem to the market.

Another problem in providing information is that different parties process personal data as controllers. All of these parties must provide information about this. The regulators mention that new information must be provided when a new data controller processes personal data, for example, when you drive across the border.

To make the information clearer for those involved, a layered structure can be used, where the most important general information is provided first and more specific information can be obtained at another stage. Information can also be provided by using standardized icons so that it can be easily understood.

Privacy by design and privacy by default

The techniques used to process personal data should be designed to process as little personal data as possible and to have the most privacy-friendly settings by default.

To protect the rights and freedoms of data subjects, personal data should be stored in the car itself as much as possible. The data subject should be able to exercise control over personal data leaving the car. This applies in particular to biometric data and location data.

Among other things, the regulators recommend that only the data strictly necessary for the functioning of the car be processed by default. Data subjects should be able to activate (and deactivate again) any other processing themselves. In addition, personal data should in principle only be accessible to the data subject, and the data subject should be able to permanently delete their personal data before the car is sold.

Rights of data subjects

Data subjects must be able to maintain control over their personal data. Smart car suppliers and other service providers should facilitate this by, for example, implementing a profile management system in the car in which preferences of different drivers can be recorded and privacy settings adjusted at any time.

Respond by March 20, 2020

The guidelines are still in draft form. The current draft has implications for all parties involved in providing connected vehicles and related services. Strict privacy requirements must be taken into account as early as the design phase. Comments on the guidelines can be made until March 20, 2020.

See more: SOLV.
