Connected vehicles and the privacy of the occupants

With the advent of new technologies in the automotive industry, connected vehicles are generating and collecting increasing amounts of data and, therefore, becoming massive data hubs. Taking into account that the data generated by the vehicles are mostly considered personal data as they are linked to the driver, the passengers or its owner, with the Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications (the "Guidelines"), the European Data Protection Board (the "EDPB") aims to provide legal certainty, as these technologies are likely to interfere with the privacy of individuals.

In this article we analyse what it is understood by a connected vehicle, the risks related to the processing of personal data generated by connected vehicles when they are used for non-professional purposes and a number of real cases that illustrate these risks, in all cases offering recommendations to the interested parties.

The Guidelines establish that the term "connected vehicle" has to be understood as a broad concept. It can be defined as a vehicle equipped with many electronic control units that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices inside and outside the vehicle (for example, by allowing entertainment applications on the personal mobile phone to be displayed on the vehicle's control panel). However, the Guidelines also cover those mobile applications related to the environment of driving (i.e. mobility management, vehicle management and driver assistance applications, etc.) which are connected to, but not integrated in, the vehicle.

In a first block, the Guidelines include the following data protection risks in relation to connected vehicles and makes a number of recommendations, which we summarize below:

• Since connected vehicles are to be considered a terminal equipment as they are connected to the interface of a public telecommunications network, prior consent is required for the storing of information, or the gaining of access to information as provided by the ePrivacy Directive 2002/58/EC. In this regard, the EDPB places particular emphasis on the fact that this consent must be specific for each purpose in order to comply with the validity requirements of the General Data Protection Regulation (the "GDPR"). The EDPB recalls that the initial consent would never legitimise further processing, as it would require an additional consent or that such processing was based on the fulfilment of legal obligations.
• The Guidelines also point out that the plurality of functionalities offered by connected vehicles can lead to an excessive collection of personal data and compromise their safety. The greater the functionalities in the connected vehicle and the access to personal data, the higher the likelihood of these data to be compromised.
• The Guidelines warn data controllers (usually vehicle manufacturers, Pay As You Drive insurance companies, or other service providers that process vehicle information) that the obligation of information and transparency must be complied with in respect to all users of the vehicle during its lifetime (i.e. drivers, passengers, different owners and renters), and that the breach of this duty of information may result in vehicle users losing control over their personal data. Likewise, the EDPB recommends that, in the context of connected vehicles, the first layer of information should include the categories of recipients of personal data.
• The Guidelines emphasise that biometric and geolocation data, which may be obtained through the use of connected vehicles, should be processed only when strictly necessary (as they may reveal specially protected or sensitive data) and stored in secure conditions, but in any case the subjects concerned should be allowed to control the processing of their data and, therefore, tools for the configuration of functionalities must be provided. Moreover, the EDPB is also aware that personal data from connected vehicles could reveal the commitment of a criminal offence or other infraction by drivers. The Guidelines provide that in such a case the processing of data can only be carried out under the control of official authority or when the processing is authorised by Union or Member State law.
• The EDPB recommends that personal data generated by a vehicle is stored locally so that the user has the sole and full control of his/her personal data, thus avoiding the processing of such data on cloud servers or preventing third parties from gaining access to these data without the individual concerned being aware of it. Furthermore, in the event that personal data is transferred to a third party, the Guidelines recommend the anonymization or seudonymisation of such data.
• Lastly, the EDPB also recommends conducting a data protection impact assessment ("DPIA") for processing activities in connected vehicles, even if these do not result in a high risk to the rights of data subjects. The EDPB understands that this will allow industry participants to factor the results of this analysis into the design of the vehicle prior to the roll-out of new technologies.

In a second block, the Guidelines illustrate several cases of processing in the context of connected vehicles which may pose a risk for data protection, for example, when renting a vehicle. In this particular case, the EDPB considers that the driver's or the passengers' personal data may have been stored on the vehicle and be accessible to third parties and, among other things, the EDPB recommends.

During this public consultation period, more than 60 comments have been submitted. Most of the comments were provided by well-known companies in the automotive sector, such as Tesla and Volvo, or in the telecommunications sector, which is the case of the Spanish company, Telefónica. Comments have also been submitted by transport associations and even by the USA public authorities themselves. The EDPB is now working on the revision of the comments and the final version of the Guidelines is expected to be approved by the end of this year. We can only wait and see how this European body responds to the concerns raised by the industry and whether those will be reflected in the Guidelines.