EDPB Draft Guidelines on Connected Cars Focus on Data Protection by Design and Push for Consent
By Gabriela Zanfir-Fortuna and Chelsey Colbert
The European Data Protection Board recently published its draft Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications, which are open for feedback until March 20. The EDPB writes that the main challenge for complying with European data protection and privacy laws in this field is for ‘each stakeholder to incorporate the protection of personal data dimension from the product design phase, and to ensure the car users enjoy transparency and control in relation to their data’. One of the key points clarified by the Guidelines is that the general provision of the ePrivacy Directive, Article 5(3), which requires consent for any access to information on a telecommunications device – ‘terminal equipment’ (with few exceptions), is applicable to connected vehicles. Thus, obtaining valid ‘consent’ becomes one of the key compliance issues in this environment, even if consent will not be necessary for all subsequent uses of personal data.
The challenges are heightened by the complexity of actors in the connected vehicle ecosystem, the different types of ‘data subjects’, the sensitivity of some data, such as geolocation data, and the different tiers of the legal obligations that may apply: Article 5(3) of the ePrivacy Directive, the General Data Protection Regulation (GDPR), the specific EU law on eCall and the framework for deployment of Cooperative Intelligent Transport Systems (C-ITS). In fact, the C-ITS is specifically left outside the scope of these Guidelines since it is an ongoing complex discussion at EU level, with the EDPB pointing to its older Opinion on this topic adopted by the Article 29 Working Party.
In this post, we will look closer at: (1) the scope of the Guidelines, including defining personal data in connected vehicles; (2) the complex ecosystem of actors and their roles as controllers, joint controllers and processors; (3) key recommendations for implementing Data Protection by Design and by Default; (4) high risk personal data processing (geo-location data, data related to criminal offences, biometric data) and (5) the role of consent.
1. Scope and Definitions: What is a ‘Connected Vehicle’, what are ‘Personal Data’
The EDPB’s definition of a “connected vehicle” is “a vehicle equipped with many electronic control units (ECU) that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices both inside and outside the vehicle.”
The EDPB’s draft Guidance document is focused on non-professional use of connected vehicles by data subjects, such as drivers, passengers, vehicle owners, renters, etc. The scope of the document is quite broad, as it applies to personal data a) processed inside of the vehicle, b) exchanged between the vehicle and personal devices connected to it, which includes standalone mobile apps used to assist drivers since they contribute to the vehicle’s connectivity capabilities, and c) collected within the vehicle and exported to other parties for processing, such as the vehicle manufacturer, insurance companies, or car repairers.
Mobile apps are an interesting category and the EDPB provides a non-exhaustive list of examples. To fall within the scope of the Guidelines, apps need to be related to “the environment of driving”. The EDPB provides an example to illustrate the distinction: GPS navigation apps are within scope, while an app that suggests places of interest is not.
Employers that provide company cars to staff and monitor employees’ actions within the context of employment are outside the scope of this document. Also out of scope is the issue of filming in public spaces, which is important to note given the plethora of cameras and sensors that outfit connected and autonomous vehicles, for example dashcams, parking assistance, or driver monitoring.
(Almost) All Data From Connected Vehicles is Likely to be Personal Data
The EDPB considers most data associated with connected vehicles to be personal data to the extent that it is possible to link it to one or more identifiable individuals. This includes technical data about the vehicle’s movements, such as speed, and data about the vehicle’s condition, such as tire pressure. Even when data is not directly linked to a name and is about the technical aspects and features of the vehicle, such as the driving style, distance driven, or the vehicle’s wear and tear, it concerns the driver or passenger of the vehicle. This is because when this data is cross-referenced with other data, such as the vehicle identification number (VIN), it can be linked to an individual. Similarly, vehicle metadata, such as vehicle maintenance status, may also be personal data.
Data collected by cameras and other sensors may also concern driver and passenger behavior, as well as the behavior of those outside of the vehicle.
2. Complex Ecosystem of Actors: Who are the Controllers, Processors and Joint Controllers
The Guidelines note at the beginning that connected vehicles are becoming mainstream and that the data processing is taking place within a complex ecosystem, as is shown by FPF’s infographic “Data and the connected car”. In addition to the traditional players in the automotive industry, the EDPB mentions new players including infotainment service providers, driving assistance systems and services, road infrastructure managers, fleet managers, insurance companies, ride-sharing companies, and telecommunications operators. The Guidance document is directed to this non-exhaustive list.
Things get more complicated when all these actors need to clarify their legal responsibility related to collecting and using personal data: Are they controllers – the entities that are liable for complying with most data protection obligations, and that establish the ‘means and purposes’ of a processing operation? Are they joint controllers – the entities that define jointly the means and purposes of a processing operation and that share liability? Or are they processors – the entities that merely process data on behalf of controllers and that need to follow a strictly defined mandate from the controller, having thus primarily contractual liability?
It is important to note that car manufacturers are not the only controllers. According to the EDPB, data controllers can also include ‘service providers that process vehicle data to send the driver traffic information, eco-driving messages or alerts regarding the functioning of the vehicle’ and ‘insurance companies offering Pay-as-You-Drive contracts’. The Guidelines do not give examples of joint controllers, but specify that in a joint controllership situation a contract establishing how responsibility is shared is necessary, particularly regarding complying with data subjects’ rights requests.
As for processors, they can be the ‘equipment manufacturers and automotive suppliers’ that may process data on behalf of car manufacturers. The EDPB also recalls that the equipment providers may as well become controllers if they process personal data collected from vehicles for their own purposes.
3. Key Recommendations for Implementing Data Protection by Design and by Default
The EDPB highlights how important it is to consider data protection from the product design phase and the importance of transparency and data control to vehicle users. According to the Guidelines, ‘technologies should be designed to minimize the collection of personal data, provide privacy-protective default settings and ensure that data subjects are well informed and have the option to easily modify configurations associated with their personal data’.
The EDPB provides some general recommendations to implement Data Protection by Design and by Default (DPbD). In what looks like an invitation for cross-industry bodies or individual DPAs, it also recognizes that ‘specific guidance on how manufacturers and service providers can comply with Data Protection by Design and by Default could be beneficial for the industry’.
The EDPB recommends local (on-vehicle) processing of personal data rather than processing that occurs outside of the vehicle, to mitigate the potential risks of cloud processing described in the Opinion on Cloud Computing released by the Article 29 Working Party. Such local processing guarantees to the user ‘the sole and full control of his/her personal data and, as such, it presents by design less privacy risks’ and ‘fewer cybersecurity risks’. One example of applications involving local processing is applications for unlocking, starting or activating vehicle commands using biometric data that is stored within the vehicle (face, voice, fingerprints).
The EDPB highlights that such local processing will likely fall outside the scope of the GDPR as regards natural persons (who could be drivers, car owners, passengers), due to the “household exception” in Article 2(2). The GDPR does, however, apply to ‘controllers or processors, which provide the means for processing personal data for such personal or household activities’. Conversely, this would mean that applications which involve transferring personal data to the cloud could put natural persons in the situation of being a controller or processor, a fact which is not immediately obvious and which would benefit from further clarification in the final version of the Guidelines.
When local processing is not possible, ‘hybrid processing’ may be used. The EDPB gives usage-based insurance as an example, in that an insurance company could not gain access to the raw behavioral data, but rather to the aggregate score that is the result of the processing conducted either locally within the vehicle or by a telematics service provider.
With regard to ensuring users have control over their data, the EDPB recommends that ‘only data strictly necessary for the vehicle functioning are processed by default’. This means that individuals should have the possibility to ‘activate or deactivate the data processing for each other purpose and controller/processor and have the possibility to delete the data concerned’.
The EDPB recommends that when data must leave the vehicle, data should be anonymized or, in any case, pseudonymized. One last recommendation is to deploy Data Protection Impact Assessments even in the cases where they are not required by law.
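The hybrid-processing pattern described above for usage-based insurance (raw behavioural data stays in the vehicle or with the telematics provider, only an aggregate score leaves) and the recommendation to pseudonymise data that must leave the vehicle can be shown together in a small worked example. The code below is an added illustration, not code from the Guidelines or from any manufacturer: the telemetry samples, the hard-braking scoring rule, the VIN and the keyed-hash secret are all constructed for the example, and the pseudonymisation key is assumed to be held by the vehicle or telematics provider rather than by the insurer.

```python
import hashlib
import hmac

# Constructed sample telemetry (one sample per second). Speed and position are the
# raw behavioural data the insurer must NOT receive under the hybrid model.
RAW_TRIP = [
    {"t": 0, "speed_kmh": 30.0, "lat": 48.8566, "lon": 2.3522, "accel_ms2": 0.5},
    {"t": 1, "speed_kmh": 50.0, "lat": 48.8567, "lon": 2.3525, "accel_ms2": 1.0},
    {"t": 2, "speed_kmh": 20.0, "lat": 48.8568, "lon": 2.3528, "accel_ms2": -8.5},  # hard brake
    {"t": 3, "speed_kmh": 45.0, "lat": 48.8569, "lon": 2.3531, "accel_ms2": 2.0},
    {"t": 4, "speed_kmh": 60.0, "lat": 48.8570, "lon": 2.3534, "accel_ms2": -7.0},  # hard brake
]

# Constructed values: a placeholder VIN and a secret that stays on the vehicle /
# telematics side. The insurer never sees the key, so it cannot recover the VIN.
SAMPLE_VIN = "VIN-PLACEHOLDER-0001"
LOCAL_KEY = b"constructed-vehicle-local-secret"

# Assumed scoring rule for the example: a deceleration at or below this value counts
# as a hard brake; the score drops by the number of hard brakes per 100 samples.
HARD_BRAKE_MS2 = -6.0

# Keys that must never appear anywhere in the payload sent off-vehicle.
RAW_FIELDS = {"lat", "lon", "speed_kmh", "accel_ms2", "t", "vin"}


def count_hard_brakes(samples):
    """Count samples whose longitudinal acceleration is at or below the hard-brake threshold."""
    return sum(1 for s in samples if s["accel_ms2"] <= HARD_BRAKE_MS2)


def driving_score(samples):
    """Aggregate 0..100 score computed locally from raw telemetry (constructed rule)."""
    if not samples:
        raise ValueError("no telemetry samples")
    per_hundred = count_hard_brakes(samples) * 100 / len(samples)
    return max(0, round(100 - per_hundred))


def pseudonymise(vin, key=LOCAL_KEY):
    """Keyed hash of the VIN: stable per vehicle, not reversible without the key."""
    return hmac.new(key, vin.encode(), hashlib.sha256).hexdigest()[:16]


def build_insurer_payload(vin, samples, key=LOCAL_KEY):
    """The only record that leaves the vehicle: pseudonym, aggregate score, sample count."""
    return {
        "pseudonym": pseudonymise(vin, key),
        "score": driving_score(samples),
        "sample_count": len(samples),
    }


def leaks_raw_data(payload):
    """Walk the payload recursively and report whether any raw telemetry field is present."""
    if isinstance(payload, dict):
        return any(k in RAW_FIELDS or leaks_raw_data(v) for k, v in payload.items())
    if isinstance(payload, list):
        return any(leaks_raw_data(item) for item in payload)
    return False


if __name__ == "__main__":
    out = build_insurer_payload(SAMPLE_VIN, RAW_TRIP)
    print(out, "leaks raw data:", leaks_raw_data(out))
```

The design point is that `leaks_raw_data` is a check on the outbound record itself, so a change that accidentally attaches the trip trace to the payload is caught before transmission rather than discovered later at the insurer.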
4. High Risk Personal Data Processing: Geolocation Data, Data Related to Criminal Offences and Biometric Data
Some data may warrant special attention if the data is sensitive or could impact the rights and interests of data subjects. The EDPB has identified three categories of personal data warranting special attention: geolocation data, biometric data, and data that could reveal offences such as traffic violations.
Geolocation data is particularly revealing of someone’s life habits and allows the inference of the driver’s residence, place of work, interests, and other sensitive details such as religion or sexual orientation. The EDPB cautions that all parties in the connected car ecosystem should not collect location data except when absolutely necessary for the purpose of processing. For example, when only the vehicle’s movement is required, the vehicle’s gyroscope is sufficient and there is no need to collect location data. The EDPB provides several principles for collecting geolocation data. Even when the data subject has given consent, accessing location data more often than necessary is not recommended. Geolocation should not be activated by default and run continuously once the car has been started. It should only activate when the user launches a functionality that requires the vehicle’s location. Users should have the option to deactivate geolocation at any time and data controllers should define a limited storage period.
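The four geolocation principles just listed (off by default, on only while a feature needs it, not polled more often than necessary, user can switch it off at any time, and a bounded storage period) translate directly into an on-vehicle access gate. The following is an added example, not code from the Guidelines or from any vehicle platform: the `LocationGate` class, its `Fix` record, the ten-second polling interval, the one-day retention and the timestamps are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Fix:
    """A position sample from the vehicle's positioning sensor (constructed type)."""
    lat: float
    lon: float
    at: datetime


@dataclass
class LocationGate:
    """Hypothetical on-vehicle gate between the positioning sensor and any consumer."""
    retention: timedelta          # storage period defined by the controller
    min_interval: timedelta       # do not poll the sensor more often than this
    enabled: bool = False         # geolocation is OFF by default
    purpose: Optional[str] = None
    store: List[Tuple[str, Fix]] = field(default_factory=list)
    last_read_at: Optional[datetime] = None

    def start_feature(self, purpose, needs_location):
        """Only a feature that actually requires position turns geolocation on."""
        if needs_location:
            self.enabled = True
            self.purpose = purpose
        return self.enabled

    def stop_feature(self):
        """When the feature ends, geolocation goes back off."""
        self.enabled = False
        self.purpose = None

    def user_deactivate(self):
        """User override: works at any time, regardless of the running feature."""
        self.stop_feature()

    def read_position(self, sensor_fix):
        """Return a fix only while enabled; reuse the last fix inside min_interval."""
        if not self.enabled:
            return None
        if self.last_read_at is not None and sensor_fix.at - self.last_read_at < self.min_interval:
            return self.store[-1][1]
        self.store.append((self.purpose, sensor_fix))
        self.last_read_at = sensor_fix.at
        return sensor_fix

    def purge_expired(self, now):
        """Drop stored fixes older than the retention period; return how many were removed."""
        before = len(self.store)
        self.store = [(p, f) for p, f in self.store if now - f.at < self.retention]
        return before - len(self.store)


# Constructed reference time so the example runs offline and deterministically.
T0 = datetime(2020, 3, 1, 12, 0, tzinfo=timezone.utc)


def sample_time(seconds=0):
    """Helper to build timestamps relative to T0 (constructed)."""
    return T0 + timedelta(seconds=seconds)


def run_demo():
    """Walk through the gate's lifecycle and return the number of fixes retained."""
    gate = LocationGate(retention=timedelta(days=1), min_interval=timedelta(seconds=10))
    gate.read_position(Fix(48.85, 2.35, sample_time(0)))          # ignored: off by default
    gate.start_feature("navigation", needs_location=True)
    gate.read_position(Fix(48.85, 2.35, sample_time(0)))          # stored
    gate.read_position(Fix(48.86, 2.36, sample_time(3)))          # too soon: last fix reused
    gate.read_position(Fix(48.87, 2.37, sample_time(15)))         # stored
    gate.user_deactivate()
    gate.read_position(Fix(48.88, 2.38, sample_time(30)))         # ignored: user switched off
    return len(gate.store)


if __name__ == "__main__":
    print("fixes retained after demo:", run_demo())
```

Keeping the purpose next to each stored fix (`store` holds `(purpose, fix)` pairs) is what later lets the controller show which feature justified each access, and `purge_expired` is the hook a scheduled job would call to enforce the storage period.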
If biometric data are used either to enable access to the vehicle or its settings, or to authenticate the owner or driver, the EDPB recommends that the use of biometrics always has an alternative and that storing and comparing the biometric template is done locally.
Finally, data revealing criminal offences or other infractions are also identified as particularly relevant for high risk processing and are broadly defined. For example, ‘the instantaneous speed of a vehicle combined with precise geolocation data or data indicating that the vehicle crossed a white line could be considered offence related data’. The EDPB considers that processing of such data ‘can only be carried out under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects stated in art. 10 GDPR’ and must be carried out locally (on vehicle).
According to the EDPB, with a few exceptions, such as accidentology studies consented to by the owner/driver, external processing of data revealing criminal offences or other infractions is forbidden.
5. The Role of Consent
One of the most significant clarifications brought by the draft Guidelines is that Article 5(3) of the ePrivacy Directive is applicable in the context of connected vehicles, even if the rest of the Directive is not (since the Directive generally applies to providers of publicly available electronic communications networks). However, Article 5(3) is a general provision and it applies to ‘every entity that places on or reads information from a terminal equipment without regard to the nature of the data being stored or accessed’.
The EDPB considers that a connected vehicle and any device connected to it meet the definition of a ‘terminal equipment’ under the ePrivacy Directive, and thus Article 5(3) is applicable to the data that are either stored on or go through them. Since Article 5(3) requires prior consent of the user for accessing or storing data on a ‘terminal equipment’ (any data, not just personal data), user consent becomes a cornerstone of the data governance environment in connected cars.
Even when the data being accessed or stored on the ‘terminal equipment’ is also ‘personal’ data under GDPR’s definition, Article 5(3) of the ePrivacy Directive takes precedence, as lex specialis, over the GDPR. This means that the lawful grounds for processing under Article 6 GDPR are not available to justify accessing personal data from or storing personal data to connected vehicles.
However, any processing operation of personal data following the mere access of data on the device or storing data on the device, must additionally have a legal basis under Article 6 GDPR (for more on the complicated relationship between the ePrivacy Directive and the GDPR, see this Opinion of the EDPB on their interplay) – which theoretically could be consent again, or legitimate interest, or any of the six possible lawful grounds.
In any case, the EDPB estimates that since the controller will have to provide notice to users for all purposes for which consent to access data on their device is sought, ‘consent will likely constitute the legal basis both for the storing and gaining of access to information already stored and the processing of personal data following the aforementioned processing operations’. The same conclusion is strengthened elsewhere in the Guidelines when the EDPB mentions that further processing of data collected on the basis of consent under Article 5(3) of the ePrivacy Directive, or on the basis of one of its exceptions, is only possible ‘either if the controller seeks additional consent for this other purpose or if the data controller can demonstrate that it is based on a Union or Member State law to safeguard the objectives referred to in Article 23(1) GDPR’. Technically, the EDPB considers that further processing on the basis of a ‘compatibility of purposes’ test is not possible.
Speaking of exceptions, there are two situations which do not require consent to gain access to a terminal equipment either to store or retrieve data, under Article 5(3) of the ePrivacy Directive: (1) if this happens for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and (2) when it is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide that service. For example, the service of renting or booking a parking space through an application offered by a third party provider will not need the user’s consent under Article 5(3) ePrivacy Directive to access information that is already stored in the vehicle, such as ‘navigation data’, in order to provide this service explicitly requested by the user. For the processing of personal data stored in the vehicle, as well as for the processing of other personal data through the app, such as contact details, license plate number, or payment information, the lawful ground for processing under the GDPR will be necessity to enter a contract, under Article 6(1)(b) (see Scenario 3.1.2 from the Guidelines).
The EDPB further cautions that when data processing is based on consent, data controllers must pay attention to the possible complexities of obtaining consent from different participants, which could vary from car owners, users, or passengers. Consent cannot be bundled into the contract to purchase or lease a new car; consent must be provided separately for specific purposes. Consent may be especially difficult to obtain for drivers or passengers who are not related to the vehicle’s owner.
The EDPB’s Guidance document concludes with five case studies of processing in the context of connected vehicles for various players in the connected car ecosystem, including provision of a service by a third party, such as pay as you drive insurance; users who wish to use geolocation to find their vehicle in the event of theft; and personal data stored on a rental car’s dashboard.
The Guidelines map out a complex compliance environment stemming from the ePrivacy Directive and the GDPR to match the incredibly complex connected cars ecosystem. They are open for consultation until March 20. If you want to contribute, follow this link.