On 7 February 2020 the European Data Protection Board ("EDPB") published its guidelines on the processing of personal data in the context of connected vehicles and mobility related applications. The guidelines are open for public consultation until 20 March.
The scope of the guidelines covers personal data (1) processed in the connected car, (2) exchanged between the car and personal devices connected to it (such as smartphones) or (3) collected in the car and shared with third parties (such as sharing with insurers for usage based insurance products).
Headline points to note from the guidelines are summarised below:
Personal Data
Unsurprisingly, and in line with existing guidance from many regulators across Europe, the EDPB take the view that most data collected via connected vehicles will be personal data. This is clearly the case with directly identifiable data such as the driver’s identity. However, telematics data such as information relating to driving style, distance travelled and technical information about the vehicle may also readily become identifiable by cross-referencing with other files such as the vehicle identification number.
The EDPB also flag three categories of data as raising particular concerns in this context:
On lawful basis, e-Privacy leads
The EDPB remind us that in the connected car context, as with IoT generally, consideration of lawful basis must start with Article 5(3) of the e-Privacy Directive which mandates consent for the storage of information or gaining access to information stored on an internet connected device (unless exemptions apply). This is because the connected vehicle and every device connected to it shall, according to the EDPB, be considered as ‘terminal equipment’ for the purposes of Article 5(3).
In line with the EDPB’s Opinion 5/2019 on the interplay between the e-Privacy Directive and GDPR, the EDPB note that the consent requirement in Article 5(3) of the e-Privacy Directive takes precedence over Article 6 GDPR in relation to the storing or accessing of information in the device. Additionally, the consent must meet GDPR consent standards.
Importantly, in the view of the EDPB, consent is likely to constitute the legal basis not only for the storing and gaining of access to information stored in the car but also the subsequent processing of that personal data. Indeed, the ‘bottom line’, according to the EDPB, is that the general lawful bases in Article 6 GDPR (such as legitimate interest, necessity of contract etc.) cannot be relied on to lower the additional protection afforded by Article 5(3) of the e-Privacy Directive (which mandates consent for data collected from internet connected devices). This is a conservative view which may have implications for other e-privacy centred industries such as adtech and IoT more generally.
It follows that when the controller seeks consent for the storing of, or gaining access to, information in the connected car pursuant to Article 5(3) of the e-Privacy Directive, the consent will normally also have to list and cover the subsequent processing operations (such as product improvement, analytics, profiling for insurance purposes etc.). The EDPB also recommend, in light of the sensitivity of vehicle usage data, that the driver’s consent be obtained before data is shared with commercial partners acting as controllers.
This section of the guidelines would benefit from more nuance, given that the EDPB recognise later in the guidelines that consent under the e-Privacy Directive can be coupled with general lawful bases in Article 6 GDPR other than consent. For instance, where insurers need to process the connected data because it is necessary for entering into a contract with the driver, the EDPB recognise in section 3.1.1.1 that the lawful basis of Article 6(1)(b) GDPR may apply provided ‘the processing is objectively necessary for the performance of the contract with the data subject’. In these circumstances, the EDPB, helpfully, do not consider reliance on Article 6(1)(b) GDPR as having the effect of lowering the additional protection provided by Article 5(3) of the e-Privacy Directive.
Elsewhere, the EDPB clarify that none of the exemptions provided in Article 5(3) of the e-Privacy Directive apply to usage based insurance: the processing is not for the sole purpose of carrying out the transmission of a communication over an electronic communications network, nor does it relate to an information society service requested by the user. However, these exemptions could apply to other use cases in the connected mobility space: the guidelines give the example of data collected via an app for renting and booking car spaces, or certain auto-theft programs, not requiring consent where the data collection is necessary for the specific information society service requested by the driver (comments that will be welcomed by car rental companies, for example).
Transparency
Controllers need to ensure that adequate transparency information is provided to drivers in accordance with Articles 13 or 14 GDPR (as applicable). This will involve the driver being informed of, among other matters, the identity of the data controller, the purposes of the data collection, the recipients of the data, the retention period and the driver’s rights under GDPR.
Drivers can be informed through a number of channels, including concise and easily understandable clauses in the car’s contract of sale or in the contract for the provision of services, or by using distinct documents, e.g. the vehicle’s maintenance book or manual, or the infotainment screen.
The EDPB notes that providing information on automated decision-making which produces legal or similarly significant effects may be relevant in this context, particularly where usage based insurance products are provided.
Where new controllers access connected car data, for example where a roadside assistance provider changes on the crossing of international borders, any new controller must provide drivers with updated transparency information.
In line with the Article 29 Working Party’s previous Guidelines on Transparency, the EDPB confirm that the transparency information can be provided by layered privacy notices, i.e. by separating out the levels of transparency information with the most important information listed first (such as the identity of the controller, purposes of processing, the driver’s GDPR rights etc.) and the other, secondary information accessible in further layers. The EDPB recommend that in the context of connected vehicles, the first layer of information must cover all recipients of the data. These will generally be the named recipients, but if the controller cannot name recipients the identification can be by way of category; this needs to be specific and cover the industry, sector, subsector and location of the recipient entity.
Privacy by Design & Local Storage
Privacy by design needs to be central to the development and operation of connected cars. According to the EDPB, technologies should be designed to keep personal data collection to a minimum, provide high privacy-protective settings by default and ensure drivers are well informed and have the ability to modify their privacy settings at all times.
In particular, controllers should, wherever possible, use systems that do not involve the transfer of personal data outside the vehicle. According to the EDPB, this localised processing of personal data keeps the driver in control of their data, helps facilitate the processing of otherwise problematic classes of data such as geolocation, special category and criminal offence data, and poses fewer cybersecurity concerns. Examples of use cases for local storage given by the EDPB include linking of smartphones with the vehicle for the purposes of multimedia systems, taking calls or authentication via biometrics, provided that the personal data remains stored in the vehicle.
According to the EDPB, in general drivers should be able to control how data is collected and processed in-vehicle. This includes: (1) privacy information being given in the driver’s local language; (2) only data strictly necessary for the vehicle functioning being collected by default (recommended); (3) the data not being transmitted to any third parties; (4) data being retained only for so long as necessary for the provision of the service or as mandated by EU or Member State law; and (5) drivers having, where possible, direct access to their data, including the ability to permanently delete their data before the car is sold.
The EDPB also recommends developing secure in-car platforms, physically segregated from safety car functions so that access to the connected car data is not dependent on ‘unnecessary external cloud capabilities’.
Where localised storage is not possible, hybrid models might apply. An example given by the EDPB is an insurer having a service provider analyse the raw usage data on its behalf for the purposes of generating a score for informing insurance quotes. Taking this approach, the insurance company does not gain access to the raw behavioural data but only to the aggregate score that is the result of the processing, thus ensuring that ‘the principles of data minimization are satisfied by design’.
Security of processing
Unlike many other areas of IoT, connected vehicles are critical systems where a cyber attack could endanger life. The EDPB point, by way of example, to the potential vulnerabilities posed by the plurality of functionalities in connected cars (web, USB, RFID, Wi-Fi), the hosting of data on insecure cloud computing infrastructures, and the risks posed by third parties during car updates and maintenance services (for example, there is a possibility that a technician needing access to the technical data could attempt to maliciously access all the data stored in the vehicle). Accordingly, ensuring that connected vehicles have robust technical and organisational security measures in place that are appropriate to the risk posed must be a key priority for all controllers in this industry, so as to protect against the illegitimate access, modification and deletion of the connected car data.
Industry participants are advised to consider adopting a range of security measures including: (1) encrypting communication channels and local storage by means of state-of-the-art algorithms; (2) putting in place encryption key management systems unique to each vehicle (not model); (3) utilising data hashing; (4) making access to personal data subject to reliable user authentication techniques (password, electronic certificate, etc.); (5) authenticating data-receiving devices; and (6) protecting and regularly renewing encryption keys.
The guidance also contains more specific security measures for vehicle manufacturers, such as: (1) partitioning the vehicle’s vital functions from those relying on telecommunication capacities; (2) implementing technical measures that enable manufacturers to rapidly patch security vulnerabilities; (3) for the vehicle’s vital functions, giving priority as much as possible to using secure frequencies that are specifically dedicated to transportation; (4) setting up alarm systems in case of attack that also allow for the operation of a downgraded mode; and (5) storing a log of access to the vehicle’s information systems (e.g. going back six months as a maximum period) in order to enable the origin of any potential attacks to be understood, and periodically carrying out a review of the logged information to detect possible anomalies.
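As an added illustration (not code from the guidelines or from any vehicle platform), the Python sketch below combines the access-log points above: entries older than the six-month ceiling are pruned, and a periodic review flags accesses that exceed what the actor's role needs, such as the technician-reaching-beyond-technical-data scenario mentioned earlier. The roles, data categories and log entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed assumption: which in-vehicle data categories each role needs.
ROLE_NEEDS = {
    "technician": {"technical"},
    "roadside_assistance": {"technical", "geolocation"},
    "driver": {"technical", "geolocation", "contacts", "biometric"},
}

MAX_LOG_AGE = timedelta(days=183)  # roughly the six-month ceiling


@dataclass(frozen=True)
class AccessEvent:
    when: datetime      # time of access (UTC)
    actor: str          # constructed actor id
    role: str           # role under which access was granted
    category: str       # data category that was read


def prune_log(log, now):
    """Drop entries past the retention ceiling; the log is not kept longer."""
    return [e for e in log if now - e.when <= MAX_LOG_AGE]


def review_log(log):
    """Flag entries where the actor read data its role does not need."""
    return [e for e in log if e.category not in ROLE_NEEDS.get(e.role, set())]


NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)
# Constructed sample log: the first entry is older than six months.
SAMPLE_LOG = [
    AccessEvent(NOW - timedelta(days=300), "tech-01", "technician", "contacts"),
    AccessEvent(NOW - timedelta(days=10), "tech-02", "technician", "technical"),
    AccessEvent(NOW - timedelta(days=9), "tech-02", "technician", "geolocation"),
    AccessEvent(NOW - timedelta(days=9), "tech-02", "technician", "contacts"),
    AccessEvent(NOW - timedelta(days=1), "owner", "driver", "biometric"),
    AccessEvent(NOW - timedelta(days=1), "app-x", "vendor", "geolocation"),
]


def periodic_review(log=SAMPLE_LOG, now=NOW):
    """Return (retained entries, flagged entries) for one review run."""
    kept = prune_log(log, now)
    return kept, review_log(kept)


if __name__ == "__main__":
    kept, flagged = periodic_review()
    for e in flagged:
        print(f"{e.when:%Y-%m-%d} {e.actor} ({e.role}) read {e.category}")
```

An unknown role such as "vendor" has no allowed categories and is therefore always flagged.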
Individual rights
Controllers of connected car data need to facilitate the exercise of the driver’s GDPR rights. To achieve this, an in-vehicle profile management system should be provided to store the preferences of known drivers and allow them to easily change their privacy settings at any time. The profile management system should, according to the EDPB, centralise data settings to facilitate the access, deletion and removal of personal data from the vehicle systems at the election of the driver. Controllers should note that the significant preference expressed by the EDPB for consent to be the lawful basis for GDPR purposes will amplify the application of data portability rights.
In addition, drivers need to be provided with functionality to stop, either permanently or temporarily, the processing of certain types of data (such as automated geolocation tracking) unless the collection of such data is required by law or is otherwise essential to the critical functioning of the car. To take an example from the guidance, a variety of data can be processed via the dashboard of a rental car (such as data derived from smartphone pairing), therefore car rental companies must provide clear and explicit information to customers in relation to what data is likely to be processed locally, the use to which this data is put, and outline how the driver can deactivate the data collection and erase the data concerned.
Data Protection Impact Assessments ('DPIA')
The GDPR requires that a DPIA be carried out when data processing is likely to result in a ‘high risk’ to the individual. Given the ‘scale and sensitivity’ of personal data collected via connected cars, the risk rating for individuals, particularly when data is transferred outside the vehicle, is likely to be high. Therefore in many cases a DPIA will be mandated and should be carried out ‘as early as possible in the design process’. In cases where a DPIA is not legally required, the EDPB still consider conducting one to be best practice.
Topics not tackled
The EDPB give examples of controllers in the connected car context such as service providers processing telemetry data to send real-time traffic information, eco-driving messages or alerts regarding the functioning of the vehicle, insurers providing ‘pay as you drive’ insurance and vehicle manufacturers gathering data for product improvement. While brief reference is made to the possibility of joint controllership, no firm guidance is given around the extent to which joint controllership might apply to common use cases in the connected car context, such as data sharing between vehicle manufacturers, data aggregators and insurers for the purposes of usage based insurance. On this front, however, the EDPB is separately due to publish its general guidance on controller/processor roles later in 2020.
Another key challenge in this area is change of ownership: specifically avoiding a second owner purchasing a connected vehicle that has not been disconnected from its prior owner. The EDPB does not examine the topic in detail, although the guidelines do note that biometric technology may have a role to play in authenticating and distinguishing drivers. The EDPB also recommends that the sale of a connected vehicle should trigger the erasure of any personal data which is no longer needed.