On February 7, 2020, the European Data Protection Board (EDPB) published draft guidelines on the processing of personal data in the context of connected vehicles and mobility related applications. If adopted in their current form, the draft guidelines will have far-reaching consequences for connected vehicles and mobility applications that operate in Europe. They contain detailed interpretations of the General Data Protection Regulation (GDPR) and related laws. Notably, the draft guidelines apply the EU cookie rules to connected vehicles, requiring granular consent to collect both personal and non-personal data from connected vehicles.
The draft guidelines are open for public consultation until March 20. Once adopted, the guidelines will be the official position of all privacy regulators in the 27 EU member states. Companies affected by the draft guidelines should consider submitting comments.
Below are our key takeaways:
Granular consent is required to store or access any information on a connected vehicle.
The EDPB finds that by virtue of its internet connectivity, a connected vehicle qualifies as "terminal equipment" within the meaning of the EU ePrivacy Directive, and is thus subject to its rules requiring consent to store or access information on an end-user's terminal equipment, better known as the "cookie rules."
The impact of this finding is hard to overstate. Connected vehicles generate various types of personal and non-personal data which can be remotely collected and processed for a variety of purposes, including diagnosing issues, improving features, and enhancing safety and preventing accidents. The EDPB's interpretation would require granular consent for any remote collection, although collecting information directly from the vehicle, for example during maintenance at a garage, would not be subject to these rules. Furthermore, the cookie rules apply to any information, not just personal data, meaning that under the EDPB's interpretation manufacturers and service providers may also not collect anonymous technical data without obtaining consent.
The exceptions in the cookie rules will only apply in very limited circumstances. Consent is not required for storage or access strictly necessary to 1) transmit a communication over the internet, or 2) provide an information society service explicitly requested by the user. The first exception would apply, for example, when the user downloads content, or sends a message using the infotainment console. The second exception would apply to the use of information society services (ISS), but apart from basic online services, this concept from EU consumer protection law is all but clear. (for example, according to the European Court of Justice, Airbnb is an ISS, but Uber is not.) The EDPB mentions booking parking online or remotely locating a vehicle as examples of ISS, but the EDPB has no authority to interpret EU consumer protection laws. Regardless, in each case the exceptions would only apply to what is strictly necessary for the provision of the ISS; any related or further use would not be covered.
The cookie consent rules apply only to storing and accessing information on the connected vehicle. Once retrieved, the subsequent processing of personal data from a connected vehicle is still subject to GDPR and requires, among other things, a GDPR legal basis.
Re-use of personal data remotely retrieved from a connected vehicle always requires consent.
The GDPR allows processing of personal data for a new purpose only if that new purpose is compatible with the original purpose, if the individual has consented to it, or if authorized by national law. According to the EDPB, further processing of information that is initially obtained with cookie consent can never be deemed compatible with the initial collection because this would "undermine the data protection standard of the [ePrivacy Directive]." Therefore, according to the EDPB, any further use of personal data collected remotely from a connected vehicle would require GDPR consent, unless the use is explicitly authorized by national law.
Location data should only be collected if required by a functionality launched by the user.
The EDPB emphasizes the sensitive nature of location data. According to the EDPB, collection of location should be off by default, and only be activated to the extent and for the duration required by a functionality launched by the user. EDPB further recommends that users should be informed when location data is being collected, in particular by using icons, and that they should have the option to deactivate location collection at any time.
Are manufacturers responsible under GDPR for processing that takes place in a connected vehicle?
The EDPB lists a variety of requirements and recommendations on how manufacturers should configure their vehicles, including a general recommendation to use local processing where possible. This means that the data is processed in the vehicle, and is not transmitted outside the vehicle. As the EDPB points out, in such cases the data is not transferred to a data controller or a data processor. Therefore, this should mean that the manufacturer is not a data controller or data processor for processing in the vehicle, and thus should not be responsible for that processing under GDPR. After all, the GDPR only applies to data controllers and data processors. The EDPB seems reluctant to state this explicitly, but it does cite Recital 78 GDPR, which states that manufacturers "should be encouraged to take into account the right to data protection when developing and designing [products]."
Manufacturers should enable users to delete their data from the vehicle.
One of the EDPB guidelines on in-vehicle processing relates to data deletion. According to EDPB, users should be able to access and have control over the personal data processed in the vehicle, and to delete their data permanently before the vehicle is put up for sale. The EDPB proceeds to provide detailed recommendations, including a profile management system to be implemented in the vehicle to store the preferences of known drivers, and to allow them to easily change their privacy settings and delete their data.
Conclusions
The draft guidelines contain many more findings and recommendations on a variety of mobility related topics, and are of critical importance to privacy professionals in the mobility market. The draft guidelines are open for public consultation until March 20, 2020. Companies operating in this sector should consider reviewing the guidelines in detail, assessing their impact on their business, and consider submitting comments before the deadline.
Bastiaan Suurmond and Alexandre Lépine contributed to the preparation of this Wilson Sonsini Alert.
