In January 2020, the European Data Protection Board (“EDPB”) issued draft guidelines on connected vehicles. We summarised and commented on these draft guidelines and you can access our previous article here. On 9 March 2021, the EDPB published its finalised version of these guidelines (accessible here). Below, we have set out and assessed the main differences between the draft and the finalised versions.
Rentals
A significant change in the guidelines relates to rental vehicles. The finalised guidelines have removed almost all references to connected vehicles used for rental purposes. The draft guidelines provided specific guidance for rental companies providing connected vehicles, with practical advice on privacy and security settings, data retention and data subjects' rights, which has been deleted in its entirety from the finalised guidelines.
Vehicle data as personal data
The draft guidelines already explained that, unsurprisingly, most data collected via connected vehicles will be personal data as any data not directly identifiable could readily become so by cross-referencing with other files such as the vehicle identification number. The EDPB have clarified this further, by affirming that a connected vehicle is to be seen in the same light as any other terminal or device such as a computer. The fact that the vehicle could have many users should not indicate that the data collected on the device is not personal data - “[the] potential plurality of users does not affect the personal nature of the data”.
Consent
As we highlighted in last year’s article, the EDPB draft guidelines stated that consent could be the most appropriate legal basis for the processing of connected vehicle data, as the vehicle itself should be considered to be “terminal equipment” for the purposes of Article 5(3) of the ePrivacy Directive.
The EDPB has not changed tack on this and has in fact gone even further in this approach. New text in the finalised guidelines states that it would not be possible to argue that further processing of the data is possible under Article 6(4) GDPR as considering further processing as “compatible” with the original purpose of processing would “circumvent the very principle of the consent requirements” of the ePrivacy Directive.
The EDPB guidelines are clear that if controllers wish to further process data from connected vehicles, they must obtain separate consent from the individual unless they can rely on Article 23(1) GDPR, i.e. if there is national law that allows the further processing for combatting crime, ensuring public security or other important public interests.
This view is conservative and diverges from the approach that many in the industry will have taken. It may also have implications for industries such as Adtech and IoT more generally.
Speed data and criminal offences
Another significant change in the finalised guidelines is a reversal in the EDPB’s original comments on vehicle speed data. Originally, the EDPB had stated that vehicle speed data was not, of itself, offence related data but rather data that could become offence related data if it is being used for the purpose of identifying road infractions.
The finalised guidelines have removed this analysis and instead state that vehicle speed data combined with geolocation data could amount to offence-related data, leaving the guidelines less definite on this topic.
Privacy settings and personalisation
The EDPB have also added more clarity on how personalised services affect the provision of privacy settings. In the original draft guidelines, the EDPB had made clear that vehicles must provide clear and easy privacy settings to allow the user to control the data collected and transmitted from the vehicle.
The final guidelines clarify this further by giving an example of a contract offered to a customer on the basis of specific driving behaviour (e.g. lower insurance premiums for drivers who don’t exceed speed limits). The EDPB explains that “drivers should be enabled to stop the collection of certain types of data, temporarily or permanently, at any moment” even where such contracts are in place, but that the services (e.g. the insurance, in our example) can be reverted to the default offer rather than the more advantageous personalised one.
The impact of this comment is that it defeats any possible argument that collection of personal data is based on contractual necessity under GDPR - the EDPB’s view is that it should always be based on consent and can therefore be revoked, even if this impacts on the contract.
Impact of the final EDPB guidelines on national DPA guidance
Certain national data protection authorities had issued domestic guidelines on connected vehicles pre-dating the EDPB document. The French Data Protection Authority (CNIL) had for instance issued a series of recommendations back in 2018 (accessible in English here). The CNIL has indicated it will update its national guidance so as to reflect the position elaborated in the context of the EDPB discussions.