On March 9, 2021, the European Data Protection Board (EDPB) adopted version 2.0 of its guidelines on processing personal data in the context of connected vehicles and mobility related applications, following a period of public consultation that ended in May 2020.
The EDPB specifies that “in order to mitigate the risks for data subjects identified above, the following general recommendations should be followed by vehicle and equipment manufacturers, service providers or any other stakeholder who may act as data controller or data processor in relation to connected vehicles”. These general recommendations focus on ten main points:
1/ Categories of data
The EDPB highlights that “most data associated with connected vehicles will be considered personal data to the extent that it is possible to link it to one or more identifiable individuals”. In this section, the EDPB addresses three categories of personal data which it considers deserve the particular attention of “vehicle and equipment manufacturers, service providers and other data controllers”. These are “location data, biometric data (and any special category of data as defined in art. 9 GDPR) and data that could reveal offenses or traffic violations”. For each of the categories of personal data, the EDPB highlights the impact that the collection of such data can have on individuals. This is the case with location data, since these “are particularly revealing of the life habits of data subjects”. The EDPB therefore recommends “not to collect location data except if doing so is absolutely necessary for the purpose of processing”.
In this section, the EDPB highlights that data processing must comply with the GDPR. Indeed, data controllers must ensure that their purposes are “specified, explicit and legitimate”, that the data should not be “further processed in a way incompatible with those purposes” and that there exists “a valid legal basis for the processing as required in art. 5 GDPR”.
3/ Relevance and data minimization
In this section, the EDPB indicates that industry participants must comply with the principle of data minimization (article 5(1)(c) GDPR). They should only collect “personal data that are relevant and necessary for processing”. Indeed, it makes reference to the aforementioned case of location data, the collection of which is possible only if it is absolutely necessary for the purposes of processing.
4/ Data protection by design and by default
In this section, the EDPB draws attention to two important points:
- “data controllers are required to ensure that technologies deployed in the context of connected vehicles are configured to respect the privacy of individuals by applying the obligations of data protection by design and by default as required by art. 25 GDPR”;
- “technologies should be designed to minimize the collection of personal data, provide privacy-protective default settings and ensure that data subjects are well informed and have the option to easily modify configurations associated with their personal data”.
The EDPB then addresses the issues of local processing of personal data, anonymization and pseudonymization and data protection impact assessments.
In this section, the EDPB highlights that before processing of personal data can take place, “the data subject shall be informed of the identity of the data controller (eg, the vehicle and equipment manufacturer or service provider), the purpose of processing, the data recipients, the period for which data will be stored, and the data subject’s rights under the GDPR”. The EDPB also puts forward a list of information that industry participants must provide to the person concerned, “in clear, simple, and easily-accessible terms”. This should for example include “the contact details of the data protection officer”; “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”. It also provides a list of new information that must be given to the data subject when there is a change in data controller. The report also makes a distinction between two levels of information given to the data subject: “on the one hand, first-level information, which is the most important for the data subjects, and, on the other hand, information that presumably is of interest at a later stage”.
6/ Rights of the data subject
The EDPB cautions that industry participants should put in place specific tools that allow data subjects to control their data during the entire processing period and thus effectively exercise their rights (such as the right to access, rectification, erasure, the right to restrict the processing of their data and, depending on the legal basis of the data processing, the right to data portability and the right to object). For instance, if a connected vehicle is sold, and this results in a change of ownership, all personal data should be deleted “which is no longer needed for the previous specified purposes and the data subject should be able to exercise his or her right to portability”.
In this section, the EDPB puts forward a list of measures that would allow industry participants to guarantee “the security and confidentiality of processed data and take all useful precautions to prevent control being taken by an unauthorized person”. It also puts forward another list of recommendations which are more specifically tailored to vehicle manufacturers. The concluding part of this section includes a statement that “these general recommendations should be completed by specific requirements taking into account the characteristics and purpose of each data processing”.
8/ Transmitting personal data to third parties
The EDPB highlights the principle that “the data controller may transmit personal data to a commercial partner (recipient), to the extent that such transmission lawfully relies on one of the legal bases stated in art. 6 GDPR”. It also highlights the importance of obtaining consent when conducting a lawful transfer of personal data; it recommends “that the data subject’s consent be systematically obtained before their data are transmitted to a commercial partner acting as a data controller”.
9/ Transfer of personal data outside the EU/EEA
With regard to data transfers outside the European Union (EU) or the European Economic Area (EEA), the EDPB reminds us that there are “special safeguards” that must be respected in order to ensure that “protection travels with the data”. The transfer of personal data by a controller to a recipient must be carried out in accordance with Chapter V of the GDPR.
10/ Use of in-vehicle Wi-Fi technologies
In the final section, the EDPB highlights that “advances in cellular technology have made it possible to easily use the Internet on the road”. It therefore gives different recommendations depending on whether “the Wi-Fi connectivity is offered as a service by a road professional” or “the Wi-Fi connectivity is put in place for the sole use of the driver”. However, it fears that, through their vehicles, users will become continuous broadcasters, and that it will therefore be possible for them to be identified and tracked. The EDPB accordingly recommends that users be given the ability to prevent this tracking by including the capacity to opt out of it in the system.