On 28 January 2020, the European Data Protection Board released guidelines on connected vehicles. This document focuses on “the personal data processing in relation to the non-professional use of connected vehicles by data subjects”.
The guidelines point out some risks carried by connected vehicles, including:
- “Lack of control and information asymmetry”;
- “Quality of the user’s consent”;
- “Further processing of personal data”;
- “Excessive data collection”; and
- “Security of personal data”.
It also gives some general recommendations, including:
- To “warrant special attention” to certain categories of data “given their sensitivity and/or potential impact on the rights and interests of data subjects” (geolocation data, biometric data, and data revealing criminal offenses or other infractions);
- To ensure that the various purposes for which personal data is processed are “specified, explicit and legitimate”;
- “To comply with the data minimization principles”;
- To apply the obligations of data protection by design and by default. The EDPB insisted in particular on favoring local processing of personal data “wherever possible” and on using anonymization and pseudonymization “if data must leave the vehicle”.
Moreover, the EDPB focuses on security and confidentiality and recommends the implementation of several security measures. It also tackles other issues, such as the obligation to provide information and the transmission of personal data to third parties inside and outside the European Union.
Finally, the EDPB provides some case studies to “give specific examples in the context of connected vehicles”.