EU Data Protection Regulator Issues New Guidelines for Personal Data Processing in Connected Vehicles

In a development that is likely to be monitored by U.S. legislators and regulators in considering new controls on personal data being collected in connected automotive vehicles, the European Data Protection Board (EDPB) issued new guidelines addressing the processing of personal data within the context of such vehicles on February 7, 2020, and will remain open for public comment until March 20, 2020. The guidelines focus on data flows involving data that is processed in the connected automobile, exchanged among vehicles and personal devices that interface with them, and shared with third parties, such as insurance carriers that monitor driving habits and patterns. The EDPB considers most, if not all, such data to be personal data, as it includes the driver’s identity and other data relating to driving style, travel distances and geolocation, which may be cross-referenced with a vehicle identification number, and therefore may be linked to the driver’s identity.

As such data can reveal personal details of the driver’s life, such as home address, work location, daily habits, and even religious beliefs or sexual orientation, data processors are cautioned to strictly limit collection of such data unless absolutely necessary for the purpose of the data processing. The guidelines also require that individuals be provided accurate information regarding the type of personal data that is being processed, the reason for the processing, disclosure of any third parties with whom the data may be shared, data retention periods, and in accordance with applicable GDPR consent standards; such information may be conveyed via privacy notices to the driver. Geolocation controls must also be user-friendly, in that the driver should be able to know when the vehicle is being tracked and should be able to deactivate such tracking. Any personal data that is collected should also be retained for a limited period of time by the data processor.

Similarly, the guidelines require that the driver be given full control of biometric authentication tools (such as fingerprint scanners) and that such functionality should not be mandatory in order to operate the vehicle. If biometric authentication is selected by the driver, appropriate data security measures must be in place, and any associate raw data should be processed in real time, without it ever being stored, even locally.

In the event that any collected data constitutes criminal offense data, such as speed and geolocation data that discloses a speeding infraction, such data may only be processed by the appropriate government authority or as otherwise authorized by EU or Member State law in accordance with Article 10 of the GDPR.

As to any disclosure of such data to third parties, driver consent is mandatory and standards must adhere to those previously set forth in the EDPB’s Opinion 5/2019 in regard to storage of or access to data on the device, and must also comply with GDPR standards. Due to the sensitive nature of driver personal data, as described above, the EDPB also recommends that the driver’s consent be obtained before data sharing with any commercial partners.

In general, the guidelines are consistent with privacy by design principles, which require keeping personal data collection to a minimum, while providing privacy-protective settings by default, with ample ability of drivers to control and modify their privacy settings at all times. Such principles also favor localized processing of personal data within the vehicle, further ensuring heightened control of personal data processing by the driver, such as when linking smartphones with the vehicle, taking calls, or authentication via biometrics, provided that the personal data remains stored in the vehicle. The guidelines also recommend development of secure in-car platforms, including features such as physical segregation from external cloud platforms. In situations where localized storage is not possible, alternate models may be considered, such as allowing insurance companies to access only aggregate driver scores, rather than raw behavioral data.

Because of the heightened risk of a cyberattack risking loss of life within the connected vehicle setting, the EDPB also recommends adoption of such security measures as encryption of communication channels, data hashing, user authentication, implementing security patches, audit logs, and regularly revising encryption keys. As the GDPR also requires that Data Protection Impact Assessments be performed when data processing is likely to result in high risk to individuals, and given the sensitive data that can be collected by connected car environments, such assessments may be legally required and, even if not required, the EDPB recommends they be conducted within the connected car setting as a best practice.

Among the issues that may be addressed in the future by the EDPB are joint data processing operations, such as data sharing between vehicle manufacturers and insurers for purposes of usage based insurance, as well as addressing situations where a new owner purchases a connected vehicle that has not been disconnected from a prior owner.

Al Leiva is a member of Baker Donelson’s Autonomous Vehicle task force. Al advises clients on compliance with rapidly evolving federal, state, and international data security and privacy laws. Mr. Leiva also handles complex business litigation matters.