„Who is in the driver’s seat? Data protection challenges in the connected car landscape“
If data is the new oil, the Connected Car is not dry source!
A glance at the bare figures shows how correct one is with these or similar comparisons: a modern car produces approximately 25 gigabyte of data per driving hour. If these data are transmitted to bodies outside the vehicle, the corresponding data – at least in theory – often allows the formation of comprehensive and very granular profiles which reveal a ton of information on the movement, habits and driving behaviour of the respective user.
The Connected Car is the focus of the data protection supervisory authorities
The European data protection supervisory authorities recognised this fact at an early stage: Since 2014 the authorities have been engaged in lively discussions with manufacturers and associations on the requirements for lawful data processing inside and outside the Connected Car. In 2017, the CNIL (French data protection supervisory authority) published a widely acclaimed paper in which, for the first time, a European supervisory authority systematically examined the key issues relating to data protection in the Connected Car. Even the German Federal Data Protection Commissioner joined the discussion with its 13 rules for the control of personal data for the networked vehicle.
The fact that the automotive sector and the rapidly advancing technology in the area of networked vehicles and autonomous driving will continue to remain the focus of the European supervisory authorities is shown by current campaigns of the German supervisory authorities: As early as 2016, the state data protection supervisory authorities surveyed the after-sales sector of the automotive industry on the use of personal data that are obtained from vehicles during the after-sales procedures. Most recently, the European Board confirmed its intention to keep Connected Cars high on the data protection agenda (see the Board’s „2-year plan“).
Manufacturers face major challenges
This development presents manufacturers with major challenges, including among others the following four issues:
Firstly, the specific requirements for the lawful processing of personal data inside and outside the networked vehicle are still often unclear, even after many years of intensive discussion. The guidelines provided so far by the respective supervisory authorities offer first meaningful clues for the design of corresponding technologies and processes. However, there are still many white spots on the data protection map that need to be closed in practice with creative solutions.
Secondly, the use of personal data in the networked vehicle is regulated by a variety of different laws and regulations. The often very complex and overlapping areas of regulation – especially between the GDPR, the Federal Data Protection Act (BDSG), the Telemedia Act (TMG), the Telecommunications Act (TKG), legislation in the field of IT security (in Germany e.g. the BSI Act), regulations on the civil law right to dispose of data (e.g. from §§ 87a ff. Copyright Law or § 17 of the Law against Unfair Competition) as well as other special laws – lead to a mixture which is often difficult to resolve, even for trained professionals.
Thirdly, manufacturers are often confronted with considerable practical challenges when implementing data protection regulations. The fact that in reality a car can be used not only by one but by several people – both privately and professionally – requires creative solutions in order to comply with the data protection requirements in relation to each person concerned. In addition, developers often have only limited possibilities to provide sufficient and appropriate information about the handling of personal data in the networked vehicle. This is mostly due to the fact that small displays (such as the head unit in the vehicle) or mobile apps often offer only limited possibilities to transparently provide the user with all relevant information.
Fourthly, those responsible face draconian penalties for violations of the applicable data protection requirements, which individual supervisory authorities are already making public use of.
Data protection responsibility in the networked vehicle – Who am I and if so how many?
In order to determine who is responsible for data processing in the networked vehicle, a distinction must regularly be made between applications in which personal data are processed only inside the vehicle („onboard“) or also by entities outside the networked vehicle („offboard“).
Since in the first case the manufacturer often has no direct access to the corresponding data in the vehicle, it is often questioned to what extent the manufacturer can slip into the role of a „controller“ in the sense of Art. 4 no. 7 GDPR. Particularly strict views see the manufacturer in the data protection-legal responsibility merely due to his process knowledge and developer role. Other, less strict approaches see a data protection responsibility of the manufacturer only where it retains factual control due to a lack of sufficient information and a lack of control and influence possibilities on the side of the user, each with regard to the actual data processing processes (e.g. in the event that the deletion of no longer required data is not possible); an approach which seems to be acknowledged by the French data protection authority CNIL and which, thus, may at least for a reasonable basis for further discussions, while, of course, other points of view tie in with the lack of access to data on the part of the manufacturer and therefore deny a data protection responsibility in general.
The „truth“ might – as so often – lie somewhere in between. Due to the unclear requirements, however, manufacturers which prefer a rather low risk approach should be advised to design pure In-Car applications and processes as compliant as possible with the principles of privacy-by-design (cf. Art. 25 Para. 2 GDPR), i.e. taking into account the principles of data minimisation, transparency and storage limitation, in order to avoid the risk of individual processes being objected to later.
Aide these rather general aspects the following considerations also play an important role here:
Following the CNIL’s recommendations data processing should take place in the vehicle as far as possible as the transfer of personal data to places outside of the car imposes further data protection law related risks on the data subject. However, this approach may have to be closely evaluated as it may for a variety of services and processing activities no longer be technically feasible.
Less data-invasive applications, such as those in which data is only processed in real time and not stored in the vehicle, are usually to be classified as more preferable under data protection law. In any case, data must be stored securely in the vehicle, whereby the principles developed for Art. 32 GDPR provide the key requirements for this exercise. Last but not least, caution and restraint are required when using special categories of personal data within the meaning of Art. 9 GDPR (e.g. when collecting data on the physical condition of a user).
Networked services – What can manufacturers do with the data?
As soon as the data leave the vehicle, the principles of Art. 5 GDPR apply at full. At the development stage, the manufacturer must take appropriate precautions in accordance with Art. 25 (2) DS-GVO (Privacy-by-Design) to enable the legally compliant use of personal data in subsequent live operations. Services must be designed less data invasive (Art. 25 (1) GDPR, Privacy-by-Default), e.g. by designing pre-settings in a more data protection friendly manner (e.g. data collection per default „off“ where technically and practically feasible). The respective processing actions – collection, transmission, storage, processing, further transmission to third parties, deletion – must be individually checked for their permissibility under data protection law.
At the beginning there is always the exercise of defining a corresponding purpose for a concrete data processing. It must then be examined whether the processing for the purpose identified beforehand can be based on a legal basis in accordance with Article 6 of the GDPR. For data from the Connected Vehicle, in particular
- the fulfilment of the contract in accordance with Art. 6 (1) b GDPR (e.g. in the case of use of data after commissioning a specific telematic service such as a maintenance alert),
- the processing of data for the purpose of fulfilling legal requirements (cf. Art. 6 (1) c GDPR, e.g. for the purpose of product monitoring, eCall),
- separate consent (cf. Article 6 (1) a GDPR, e.g. for certain advertising measures), or
- processing on the basis of legitimate interests of the manufacturer or third parties (cf. Article 6 (1) f GDPR, e.g. in the case of use for product development purposes)
play an important role. In particular, data processing on the basis of justified interests creates difficulties in practice when it comes to delimiting data, e.g. for product development purposes. Here, supervisory authorities appear to be open to pragmatic solutions and, under certain conditions, seem to permit the processing of corresponding data for such purposes even without separate consent.
This exercise is, however, often followed by a further examination of the principle of data minimisation, according to which collected data may be processed strictly on the basis of the forthcoming purpose and only to the extent necessary. Excessive data collections as well as data collection and storage should only be possible under very difficult conditions under the GDPR. Another way to do implement these requirements, especially in the context of data analytics, product development and related proceedings could be to properly anonymise or at least pseudonymise collected data. In order to decide on the most effective and feasible means a thorough assessment will have to be made whether data collected from the Connected Car shall be held in identifiable or anonymous form which is usually a business decision and materially determined through the technical and commercial circumstances.
Transparency – Data subjects need to know what happens to their data
According to Art. 13 and 14 GDPR, the data subjects must be sufficiently informed about the respective data processing operations and the rights existing in this context. As already indicated above, provision in a Connected Car is often practically difficult. Experience has shown that appropriate measures must therefore be implemented early in the development process in order to avoid later and often costly adjustments at the end of the development process or even during live operation.
In order to be able to inform the user comprehensively about all relevant data and processing procedures, the creation of corresponding notes typically requires a comprehensive process analysis, which has to differentiate regularly between networked services (remote services with data transmission „over-the-air“) and data transmission processes in the aftersales area (e.g. via the so-called OBD interface („On Board Diagnostics“) in the repair shop.
Data sufficiently secure flows in the dealer network and to other participants
Depending on the processing purpose and legal basis, the disclosure of personal data to third parties – e.g. cooperation partners, insurers and after sales participants (workshops, distributors, technical contract processors) – requires further contractual safeguards such as agreements on contract processing, controller-to-controller contracts, (where appropriate) EU standard contract clauses in an international context and (where actually relevant) joint controller contracts pursuant to Art. 26 GDPR. This exercise will typically be preceded by a comprehensive mapping of the respective processes in order to be able to map the respective procedures contractually correct and (data protection) legally compliant – an often lengthy and complex procedure that should be started in good time.
In spite of the liberalisation of the use of personal data for legitimate interests, which is partly to be expected as a result of the GDPR, the transfer of personal data from the Connected Car to third parties (in particular insurers and other cooperation partners) will continue to require the separate consent of the user in some cases in the future. Here, too, this exercise presents manufacturers with greater challenges and therefore requires early consideration in the development process.
There’s a lot to do – let’s do it!
The high degree of complexity of the relevant legal regulations, the multitude of practical points to be observed and the existing practical imponderables in the networked vehicle will increasingly force manufacturers in the future to integrate Privacy-by-Design as a core component in their business processes. Developers will need to be provided with comprehensive and practical assistance at an early stage in dealing with the respective data protection requirements. At the same time, affected companies will have to set up and implement processes with which the further, often very strict requirements of the GDPR can be tackled at an early stage. In particular, adequate documentation of the relevant processes within the meaning of Art. 30 GDPR as well as the obligation to carry out data protection impact assessments (PIA) for sensitive data processing procedures in accordance with Art. 35 GDPR should be considered here. The latter should be of great relevance due to the high sensitivity of the data processing processes for networked vehicles.
A lot to do for manufacturers and providers of vehicles and services in the Connected Car environment … let’s get on it to stay in the Drivers Seat – also with data protection!