EDPB Guidelines on Connected Vehicles as of March 2021 – 5 Major Take Aways for OEMs and Mobility Service Providers
What has happened so far …
With the advancing networking and automation of mobility sector and the growing complexity of the associated data processing procedures, car manufacturers, suppliers and service providers are looking for assistance on how the strict requirements of the EU General Data Protection Regulation (GDPR) and supplementary laws in the area of connected and autonomous or automated vehicles should and can be implemented in the future.
In the past, European supervisory authorities have only sporadically published guidance on how to deal with this complex topic (cf. e.g. the CNIL guidelines on data protection in the connected vehicle from 2018 or the declaration of the VDA and the German data protection supervisory authorities from 2016). On 9 March 2021, the European Data Protection Board (EDPB) published its Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications in the (for the time being final) version 2.0 after prior consultation of the relevant expert groups (consultation version from 2020 can be found here).
The guidelines are primarily aimed at car manufacturers and providers of services in the ecosystem of connected vehicles, i.e. also suppliers of corresponding technologies, providers of corresponding telemedia services or motor vehicle insurers. In addition to basic principles of processing vehicle data, the guidelines also describe individual concrete use cases such as the data protection-compliant implementation of the eCall requirements or questions in connection with pay-as-you-drive insurance rates.
Can the guidelines be considered the “big hit” that will finally shed comprehensive light on the many unresolved data protection issues in connection with this complex matter and provide practicable solutions for car manufacturers and service providers? From the point of view of the industry, which has been dealing with these issues for a long time, the answer is probably “no”.
A discussion of particularly urgent current issues such as the relationship between data protection regulations and current regulations on the provision of certain driver assistance systems from 2022 (cf. on EU Regulation No. 2019/2144 here) or the cyber security requirements for (connected) vehicles of UN.ECE WP. 29 (cf. on Regulation No. 155) is not challenged. In addition, the evaluation of the EDPB is largely based on the currently still applicable provisions of the ePrivacy Directive, although these may be replaced in the (near) future by other and partially differentiating regulations and would thus allow a simplified evaluation of individual use cases.
Is the paper worth reading? The answer is an unqualified “yes”! For companies that have only rudimentarily dealt with the matter so far, the paper offers valuable tips and comprehensive explanations on the basics of data protection in dealing with vehicle data. But also for all other “players” the paper should remain a “must read”, even if at first glance it seems to lag somewhat behind the current discussion in vehicle data protection in terms of content.
Firstly, the EDPB seems to have significantly softened some of the core statements of last year’s draft version, which is not least due to the broad and constructive participation of the industry in the development process of the guideline. On the other hand, the EDPB retains its strict view on individual points and even seems to expand it in part. Valuable insight for stakeholders to receive!
Secondly, the Guideline is fundamentally binding for national supervisory authorities in the interpretation and application of the GDPR and for this reason alone should be required reading for all data protection organisations of car manufacturers, suppliers and service providers who wish to familiarise themselves with the EDPB’s views.
Thirdly, in the Guideline, the EDPB sets out its view on various issues of fundamental importance also for other industries that are dealing with networked infrastructures today (i.e. almost all of them). The principles can thus be applied to other cases in the field of IoT and provide valuable guidance in this respect.
In the following we have summarised the five (5) major takeaways of the Guidelines, which will certainly need to be elaborated on in further reading of the Guidelines and supplementary sources, but which provide companies with an initial overview of the main statements of the paper.
Five Major Takeaways for OEMs, Suppliers and Service Providers
Processing of vehicle data still only under strict conditions – little scope for processing personal data on the basis of “legitimate interests”
From the EDPB’s perspective, consent is likely to remain the essential legal basis for the processing of vehicle data in the ecosystem of connected vehicles. As in the draft version of the Guidelines from 2020, the EDPB follows a broad interpretation of the scope of Art. 5 (3) of the ePrivacy Directive. It sees this opening up in many cases of processing of vehicle data in the connected car environment. As a result, many processing operations will generally require the consent of the data subjects and only in exceptional cases will such consent be dispensable. The EDPB seems to see no or only limited scope for processing vehicle data for other “legitimate interests” and at the same time completely rejects the possibility of processing for a different purpose in accordance with the principles of Art. 6 (4) GDPR in addition to the requirements of Art. 5 (3) ePrivacy Directive. If this strict view has already provoked considerable criticism from industry in the consultation process, the EDPB’s approach is likely to make a meaningful balance between the various obligations in the area of IT security, product monitoring or quality management and the strict requirements postulated by the EDPB, although not impossible, considerably more difficult.
Particularly strict requirements for the handling of position data, biometric data and data that provide information about committed offences
The processing of specific categories of personal data, namely position data, biometric data and data that provide information about possible violations of the law, should only be possible in compliance with very restrictive requirements. For example, the use of biometric procedures for access management to services and data in the vehicle is only to take place on the basis of consent. At first glance, this is hardly surprising, but it is likely to continue to present manufacturers with a variety of challenges in implementing the strict formal requirements of the GDPR for effective consent in the vehicle environment.
The EDPB seems to have revised its recent very broad interpretation of Article 10 of the GDPR, which, according to the previous version of the guidelines, it also wanted to extend to the processing of mere information on for example speed or other data indicating a possible violation of road traffic regulation where processed by a stakeholder in the connected car ecosystem. Good news for the industry which will likely ease the legal complexity in dealing with vehicle data further.
Far-reaching obligations of manufacturers already in the development phase of vehicles and services (privacy-by-design)
Up to now, it has been disputed to what extent the requirements on privacy-by-design apply to manufacturers of data processing technologies, regardless of whether and if so to what extent they actually process personal data of data subjects at a later point in time. With reference to recitals 18 and 78 of the GDPR, the EDPB follows a broad interpretation in the Guidelines and considers manufacturers to be under an obligation to take into account the requirements under Article 25 of the GDPR already at the stage of development of the corresponding technologies, irrespective of actual data access. Although the EDPB’s argumentation is not convincing, it is in line with certain standards that are already implemented in the industry today to some extent. The EDPB’s statement once again makes it clear that manufacturers of technologies for the connected vehicle must take the requirements of the GDPR into account as core requirements in the design of their products and services if they do not want to run the risk of being prosecuted by the data protection supervisory authorities for failures in this area in the future.
GDPR requires comprehensive ability of data subjects to influence the processing of data in the vehicle and implementation of comprehensive data minimisation measures
In the final version of the guidelines, the EDPB once again emphasises that the comprehensive control of the data subject over the data processing activities taking place in and outside the vehicle should be a basic prerequisite for the implementation of the requirements of the GDPR. The EPDB places particular emphasis on data-minimising technologies, the early deletion and anonymisation or pseudonymisation of vehicle data (among other things under the heading of so-called “hybrid processing”) and the implementation of a profile management system with which the user can control the collection, storage and processing of data in the vehicle in a targeted manner and with simple means. In addition, the implementation or enabling of the exercise of the right to data portability is again emphasised in various places.
If the EDPB’s approach sounds conclusive at first glance, in order to give full effect to the data subject rights of Art. 12 et seq. of the GDPR in the connected car environment, many questions remain unanswered that are currently driving the industry. For example, the question arises as to how far configuration options for the user must actually extend in the case of complex services and functions in order to comply with the requirements of the GDPR without counteracting the purpose of individual functions (e.g. increasing road safety). It also remains unclear, among other things, which data the user must be able to view or delete, especially if this is system-relevant data that is required for the safety of the vehicle or individual functions. Practice will (have to) continue to deal with these and other questions in the coming weeks and months.
High standards of IT security in the connected vehicle
Finally, the EDPB requires manufacturers, service providers and other suppliers to implement high IT security standards in the connected car environment in order to effectively prevent unauthorised data access. At first glance, the catalogue of proposed measures contains many standard measures that manufacturers and providers should already be implementing today. However, individual points stand out: Among other things, key management should be designed individually per vehicle and not per vehicle line. The vehicle should be equipped with an alarm system for cyber attacks and allow the storage of a log history of (a maximum of) six (6) months in order to be able to trace attacks on the vehicle system. In addition, the vehicle shall be equipped with a patch management system that shall enable the immediate patching of vulnerabilities during the entire service life of the vehicle.
Although at first glance the requirements seem to be very similar to the requirements on cyber security for (connected) vehicles of UN.ECE WP.29 (cf. on Regulation No. 155), the question arises at first glance as to when manufacturers or providers of corresponding services should implement the respective requirements. If the requirements of Regulation No. 155 of the UN.ECE WP.29 only take effect from next year and then only gradually, the requirements of the EDPB should be taken into account immediately. It is obvious that certain restrictions on the scope of the requirements (e.g. for certain new vehicles or vehicle types from a specific point in time) seem necessary here, but this should add to the already long list of open questions in view of the impending implementation of the requirements of the UN.ECE and EU regulations.
The paper provides a good overview of the principles of data protection law in dealing with vehicle data and should give the industry a good sense of the direction in which the EDPB will move in the future when assessing corresponding data protection law issues – in the direction of a continued strict interpretation of the legal requirements, which will continue to make it difficult for manufacturers and providers of services in the connected car environment to find clear answers to urgent questions about the compatibility of data protection law requirements and the increasing demands on for example IT security in the connected car, among other things, and to resolve existing conflicts appropriately. In this context, the legal requirements should certainly offer a certain amount of leeway for the implementation of practicable solutions, which will, however, continue to require a comprehensive examination of the various legal regimes and – as is so often the case in data protection – a certain amount of creativity in order to safely reach the goal!
If we can support you on this path or should you have further questions on the topics addressed in this article, please do not hesitate to contact us!