EDPB Publishes Draft Guidelines on Connected Vehicles
February 11, 2020 – Alerts
The European Data Protection Board has published draft guidelines for public comment on the data protection aspects of connected vehicles.
The Relevant Players
- Non exhaustive list of stakeholders: vehicle manufacturers, equipment manufacturers and automotive suppliers, car repairers, automobile dealerships, vehicle service providers, rental and car sharing companies, fleet managers, motor insurance companies, entertainment providers, telecommunication operators, road infrastructure managers and public authorities as well as drivers, owners, renters and passengers.
- Examples of data controllers in the connected vehicle space: service providers that process vehicle data to send the driver traffic information, eco-driving messages or alerts regarding the functioning of the vehicle; insurance companies offering “pay as you drive” contracts; or vehicle manufacturers gathering data on the wear and tear affecting the vehicle’s parts to improve its quality.
- Examples of data processors in the connected vehicle space: equipment manufacturers and automotive suppliers may process data on behalf of vehicle manufacturers.
Personal Data Includes Indirectly Identifiable Data
- Even if the data collected by a connected car is not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car and constitute personal data. For example, data relating to the driving style or the distance covered, data relating to the wear and tear on vehicle parts or data collected by cameras may concern driver behavior as well as information about other people who could be inside or outside the vehicle.
- Data includes directly identifiable data (e.g., the driver’s complete identity), as well as indirectly identifiable data such as the details of journeys made, the vehicle usage data (e.g., data relating to driving style or the distance covered), or the vehicle’s technical data (e.g., data relating to the wear and tear on vehicle parts), which, by cross-referencing with other files and especially the vehicle identification number (VIN), can be related to a natural person.
Incorporate Data Protection at All Stages
- The challenge is for each stakeholder to incorporate the “protection of personal data” dimension from the product design phase onward, and to ensure that car users enjoy transparency and control in relation to their data.
Connected Vehicles Are 'Terminal Equipment' and the ePrivacy Legislative Regime Applies (Consent for Installation)
- The connected vehicle and every device connected to it shall be considered “terminal equipment” (just like a computer, a smartphone or a smart TV), and the provisions of Article 5(3) of the ePrivacy Directive apply, requiring consent for the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user.
- Such consent will not be necessary when the storage or access is:
- for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
- Consent will likely constitute the legal basis for the connected vehicle data processing operations.
Particular Issues with Connected Vehicles
- Location is very sensitive data: The EDPB wants to place particular emphasis on, and raise stakeholders’ awareness of, the fact that the use of location technologies requires the implementation of specific safeguards in order to prevent surveillance of individuals and misuse of the data.
- Vehicle drivers and passengers may not always be adequately informed about the processing of data taking place in or through a connected vehicle. The information may be given only to the vehicle owner, who may not be the driver, and may also not be provided in a timely fashion. Thus, there is a risk that there are insufficient functionalities or options offered to exercise the control necessary for affected individuals to avail themselves of their data protection and privacy rights.
- Communication in the vehicle can be triggered automatically as well as by default, without the individual being aware of it. In the absence of the possibility to effectively control how the vehicle and its connected equipment interact, it is bound to become extraordinarily difficult for the user to control the flow of data. It will be even more difficult to control its subsequent use, and thereby prevent potential function creep.
- When the data processing is based on consent, all elements of valid consent have to be met which means that consent shall be free, specific and informed and constitutes an unambiguous indication of the data subject's wishes as interpreted in EDPB guidelines on consent.
- Such consent must be provided separately, for specific purposes and may not be bundled with the contract to buy or lease a new car. Consent must be as easily withdrawn as it is given. The same has to be applied when consent is required to comply with the “ePrivacy” directive.
- Classic mechanisms used to obtain individuals’ consent may be difficult to apply in the context of connected vehicles. In practice, consent might also be difficult to obtain for drivers and passengers who are not related to the vehicle’s owner in the case of second-hand, leased, rented or borrowed vehicles.
- When data are collected on the basis of consent as required by Article 5(3) of the “ePrivacy” directive or on one of the exemptions of Article 5(3), it can only be further processed either if the controller seeks additional consent for this other purpose or if the data controller can demonstrate that it is based on a Union or Member State law to safeguard the objectives referred to in Article 23 (1) GDPR.
- For instance, telemetry data collected during use of the vehicle for maintenance purposes may not be disclosed to motor insurance companies, without the user’s consent, for the purpose of creating driver profiles to offer driving behavior-based insurance policies.
Excessive Data Collection
With the ever-increasing number of sensors being deployed in connected vehicles, there is a very high risk of collecting data in excess of what is necessary to achieve the purpose. The development of new functionalities, and more specifically those based on machine learning algorithms, may require a large amount of data collected over a long period of time.
- The plurality of functionalities, services and interfaces (e.g., web, USB, RFID, Wi-Fi) offered by connected vehicles increases the attack surface and thus the number of potential vulnerabilities through which personal data could be compromised.
- A connected vehicle is a type of IoT device and prone to the same information security concerns as such devices. However, unlike most Internet of Things devices, connected vehicles are critical systems in which a security breach may endanger the lives of their users. The importance of addressing the risk of hackers attempting to exploit connected vehicles’ vulnerabilities is thus heightened. In addition, personal data stored on vehicles and/or at external locations (e.g., in cloud computing infrastructures) may not be adequately secured against unauthorized access.
The EDPB has identified three categories of personal data warranting special attention by vehicle and equipment manufacturers, service providers and other data controllers: location data, biometric data (and any special category of data as defined in Article 9 GDPR) and data that could reveal offenses or traffic violations.
Requirements for Location Data
- Be particularly vigilant not to collect location data except if doing so is absolutely necessary for the purpose of processing. As an example, when the processing consists of detecting the vehicle’s movement, the gyroscope is sufficient to fulfil that function, without there being a need to collect location data.
- Implement adequate configuration of the frequency of access to, and of the level of detail of, geolocation data collected relative to the purpose of processing. For example, a weather application should not be able to access the vehicle’s geolocation every second, even with the consent of the data subject;
- Provide accurate information on the purpose of processing (e.g., is geolocation history stored? If so, what is its purpose?);
- When the processing is based on consent, obtain valid (free, specific and informed) consent that is distinct from the general conditions of sale or use, for example on the on-board computer;
- Activate geolocation only when the user launches a functionality that requires the vehicle’s location to be known, and not by default and continuously when the car is started;
- Inform the user that geolocation has been activated, in particular by using icons (e.g., an arrow that moves across the screen);
- Provide the option to deactivate geolocation at any time;
- Define a limited storage period.
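The requirements above can be enforced in the vehicle's software rather than left to policy documents. The following is an added example (not the EDPB's text and not any manufacturer's code) of a purpose-bound geolocation gate: location is released only for a purpose the user has consented to and has launched, no more often and no more precisely than that purpose needs, with a flag that drives the on-screen indicator and a per-purpose retention limit. The purpose names, access intervals, precision levels and sample coordinates are constructed assumptions.

```python
"""Purpose-bound geolocation gate for an in-vehicle data platform.

Added example, not the EDPB's text or any manufacturer's code. Purpose
names, intervals, precisions and sample coordinates are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Purpose:
    name: str
    min_interval: timedelta   # location released no more often than this
    decimals: int             # lat/lon decimal places kept (1 is ~10 km, 5 is ~1 m)
    retention: timedelta      # zero means no history is kept at all


# Constructed policy table (assumption): a weather feature gets city-level
# precision at most every 10 minutes; turn-by-turn navigation gets full
# precision every second, but only while the user has it open.
LOCATION_POLICY = {
    "weather": Purpose("weather", timedelta(minutes=10), 1, timedelta(0)),
    "navigation": Purpose("navigation", timedelta(seconds=1), 5, timedelta(hours=24)),
}


class PurposeDenied(Exception):
    """Raised when an access does not satisfy the purpose's policy."""


@dataclass
class GeoGate:
    consents: dict = field(default_factory=dict)     # purpose -> consent given?
    active: set = field(default_factory=set)         # purposes the user launched
    last_access: dict = field(default_factory=dict)  # purpose -> last release time
    history: list = field(default_factory=list)      # (time, purpose, coarse fix)

    def set_consent(self, purpose: str, granted: bool) -> None:
        """Consent is per purpose and withdrawable at any time; withdrawing it
        also stops any running feature for that purpose."""
        self.consents[purpose] = granted
        if not granted:
            self.active.discard(purpose)

    def launch(self, purpose: str) -> None:
        """Geolocation is activated by the user starting a feature, never by default."""
        self.active.add(purpose)

    def stop(self, purpose: str) -> None:
        self.active.discard(purpose)

    def indicator_on(self) -> bool:
        """Drives the on-screen icon: true whenever any purpose may read location."""
        return bool(self.active)

    def request(self, purpose: str, now: datetime, lat: float, lon: float):
        """Release a location fix to `purpose`, or raise PurposeDenied."""
        policy = LOCATION_POLICY.get(purpose)
        if policy is None or not self.consents.get(purpose, False):
            raise PurposeDenied(f"no valid consent for purpose {purpose!r}")
        if purpose not in self.active:
            raise PurposeDenied(f"purpose {purpose!r} was not launched by the user")
        last = self.last_access.get(purpose)
        if last is not None and now - last < policy.min_interval:
            raise PurposeDenied(f"{purpose!r} polled faster than {policy.min_interval}")
        self.last_access[purpose] = now
        fix = (round(lat, policy.decimals), round(lon, policy.decimals))
        if policy.retention > timedelta(0):
            self.history.append((now, purpose, fix))
        self.purge(now)
        return fix

    def purge(self, now: datetime) -> None:
        """Enforce the storage limit on whatever history exists."""
        self.history = [h for h in self.history
                        if now - h[0] <= LOCATION_POLICY[h[1]].retention]


def request_or_reason(gate: GeoGate, purpose: str, now: datetime, lat: float, lon: float):
    """Convenience wrapper: the fix on success, the denial reason otherwise."""
    try:
        return gate.request(purpose, now, lat, lon)
    except PurposeDenied as exc:
        return str(exc)


def demo():
    """Walk through the policy on constructed input; returns the outcomes."""
    gate = GeoGate()
    t0 = datetime(2020, 2, 11, 9, 0, 0)
    gate.set_consent("weather", True)
    gate.launch("weather")
    first = request_or_reason(gate, "weather", t0, 48.8566, 2.3522)
    too_soon = request_or_reason(gate, "weather", t0 + timedelta(seconds=30), 48.8570, 2.3530)
    no_consent = request_or_reason(gate, "navigation", t0, 48.8566, 2.3522)
    gate.set_consent("weather", False)             # withdrawal is as easy as consent
    after_withdrawal = request_or_reason(gate, "weather", t0 + timedelta(hours=1), 48.8566, 2.3522)
    return first, too_soon, no_consent, after_withdrawal, gate.indicator_on(), len(gate.history)


if __name__ == "__main__":
    print(demo())
```

Note that the coarsening happens before the fix ever reaches the requesting feature, and that the weather purpose keeps no history at all; a feature that genuinely needs history (navigation here) gets a bounded retention period that `purge` enforces on every access rather than relying on a separate clean-up job.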
Requirements for Biometric Data
- Provide a non-biometric alternative (e.g., a physical key or a code) without additional constraint (that is, the use of biometrics should not be mandatory).
- Store and compare the biometric template in encrypted form, using a cryptographic algorithm and key management that comply with the state of the art, and only locally: biometric data must not be processed by an external reading/comparison terminal.
- Tune the biometric solution used (e.g., its rates of false positives and false negatives) to the security level of the required access control.
- Base the biometric solution on a sensor that is resistant to attacks (such as presenting a flat printed copy of a fingerprint to a fingerprint reader).
- Limit the number of authentication attempts.
- Process the raw data used to build the biometric template and to authenticate the user in real time, without ever storing it, even locally.
Requirements for Data Revealing Criminal Offenses
- Processing of such data may take place only under the control of official authority, or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects, as stated in Article 10 GDPR.
- Allow only local processing; prohibit external processing.
- Implement sufficient information security mechanisms.
Stakeholders must ensure that their purposes are “specified, explicit and legitimate,” that data are not further processed in a way incompatible with those purposes, and that there is a valid legal basis for the processing, as required by Article 5 GDPR.
Only collect personal data that is relevant and necessary for the processing.
Data Protection by Design and by Default
Ensure that technologies deployed in the context of connected vehicles are configured to respect the privacy of individuals by applying the obligations of data protection by design and by default. For example:
- Local processing: wherever possible, use processes that do not involve personal data or transferring personal data outside of the vehicle.
- Develop a secure in-car application platform, physically separated from safety-relevant car functions, so that access to car data does not depend on unnecessary external cloud capabilities.
- Provide information regarding the processing in the driver’s language (manual, settings, etc.).
- Process by default only data strictly necessary for the vehicle functioning. For each other purpose and each controller/processor, give data subjects the possibility to activate or deactivate the data processing, and the possibility to delete the data concerned.
- Retain data only for as long as is necessary for the provision of the service or otherwise required by Union or member state law.
- Allow data subjects to delete permanently any personal data before the vehicles are put up for sale.
- Allow data subjects, where feasible, to have a direct access to the data generated by these applications.
Anonymization and Pseudonymization
- If data must leave the vehicle, consideration should be given to anonymizing it before it is transmitted.
- Other techniques such as pseudonymization can help minimize the risks generated by the data processing.
Data Protection Impact Assessment (DPIA)
- Given the scale and sensitivity of the personal data that can be generated via connected vehicles, it is likely that processing — particularly in situations where personal data are processed outside of the vehicle — will often result in a high risk to the rights and freedoms of individuals. Where this is the case, industry participants will be required to perform a data protection impact assessment (DPIA) to identify and mitigate the risks, as detailed in Articles 35 and 36 GDPR.
- Even in the cases where a DPIA is not required, it is a best practice to conduct one as early as possible in the design process. This will allow industry participants to factor the results of this analysis into their design choices prior to the roll-out of new technologies.
- Prior to the processing of personal data, the data subject shall be informed of all elements required in Article 13 GDPR.
- When data have not been collected directly, also indicate the categories of personal data concerned, the source from which the personal data originate, and, if applicable, whether those data came from publicly accessible sources. That information must be provided by the controller within a reasonable period after obtaining the data, and no later than the first of:
- (i) one month after the data are obtained, having regard to the specific circumstances in which the personal data are processed
- (ii) upon first communication with the data subject
- (iii) if those data are transmitted to a third party, before the transmission of the data.
- The information may be provided in layers. Layer 1 should include: identity of the data controller, the purpose of the processing and a description of the data subject’s rights, as well as any additional information on the processing which has the most impact on the data subject and processing which could surprise them. This includes naming each recipient of the data or, if controllers cannot provide the names of the recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and subsector and the location of the recipients.
- Use standardized icons visible in the vehicle.
Data Subject Rights
- Implement a profile management system inside the vehicle in order to store the preferences of known drivers and help them easily change their privacy settings at any time. The profile management system in a vehicle should centralize every data setting for each data processing, especially to facilitate the access, deletion and removal of personal data from vehicle systems at the request of the data subject. Drivers should be able to stop the collection of certain types of data, temporarily or permanently, at any moment, except if specific legislation provides otherwise or if the data are essential to the critical functions of the vehicle.
- The sale of a connected vehicle and the ensuing change of ownership should also trigger the deletion of any personal data which is no longer needed for the previously specified purposes.
The EDPB lists criteria for data protection methods, including: encrypting the communication channels by means of a state-of-the-art algorithm; putting in place an encryption key management system that is unique to each vehicle, not to each model; encrypting data stored remotely by means of state-of-the-art algorithms; and hashing.
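Two of the points above, per-vehicle rather than per-model key management and the pseudonymization mentioned under “Anonymization and Pseudonymization”, are easy to get wrong in practice. The following is an added example (not the EDPB's text and not any manufacturer's code) using only the Python standard library: HKDF (RFC 5869, built on HMAC-SHA-256) derives a distinct, use-specific key for every vehicle from a master key with the VIN as context, a deliberately weak variant derives one key per model so the difference is visible, and a keyed hash pseudonymizes the VIN before data leave the vehicle. The master key, salt label, model name and VINs are constructed sample values; the HKDF self-check uses the published RFC 5869 test case 1.

```python
"""Per-vehicle key derivation and keyed pseudonymization.

Added example, not the EDPB's text or any manufacturer's code. Master
key, salt label, model name and VINs are constructed sample values.
"""
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size
KDF_SALT = b"connected-vehicle-kdf-v1"   # constructed domain-separation label


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(n) = HMAC(PRK, T(n-1) | info | n), concatenated and truncated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_selfcheck() -> bool:
    """Compare against RFC 5869 test case 1 before trusting the KDF in production."""
    ikm, salt, info = b"\x0b" * 22, bytes(range(13)), bytes(range(0xF0, 0xFA))
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865")
    return hkdf_expand(hkdf_extract(salt, ikm), info, 42) == expected


def vehicle_key(master: bytes, vin: str, label: bytes) -> bytes:
    """Key bound to one vehicle and one use (e.g. b"storage", b"telemetry").
    Compromise of one vehicle's key reveals nothing about any other vehicle."""
    prk = hkdf_extract(KDF_SALT, master)
    return hkdf_expand(prk, label + b"|vin=" + vin.encode(), HASH_LEN)


def model_key(master: bytes, model: str, label: bytes) -> bytes:
    """The weak variant the guidance warns against: every vehicle of a model
    ends up with the same key, so one extracted key unlocks the whole model."""
    prk = hkdf_extract(KDF_SALT, master)
    return hkdf_expand(prk, label + b"|model=" + model.encode(), HASH_LEN)


def fleet_keys(master: bytes, vins, label: bytes) -> dict:
    """Per-vehicle keys for a list of VINs; all values are distinct."""
    return {vin: vehicle_key(master, vin, label) for vin in vins}


def pseudonymize_vin(pseudonym_key: bytes, vin: str) -> str:
    """Keyed hash of the VIN. The same controller gets a stable pseudonym,
    while anyone without the key cannot map it back; a plain, unkeyed hash
    of a VIN would not give that protection because VINs are structured
    values that can be enumerated."""
    return hmac.new(pseudonym_key, vin.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    master = b"\x01" * 32                 # placeholder; a real master key lives in an HSM
    vins = ["VIN00000000000001", "VIN00000000000002"]   # constructed
    print("HKDF self-check:", hkdf_selfcheck())
    for vin, key in fleet_keys(master, vins, b"storage").items():
        print(vin, key.hex()[:16], pseudonymize_vin(b"\x02" * 32, vin)[:16])
    print("per-model keys equal:",
          model_key(master, "model-x", b"storage") == model_key(master, "model-x", b"storage"))
```

The design point is in the `info` string: binding the VIN and the intended use into the derivation is what makes the key “unique to each vehicle” and keeps a storage key from being reused as a telemetry key. The pseudonymization key is a separate, fleet-wide secret held by the controller, not one of the per-vehicle keys, so the same vehicle yields the same pseudonym across transmissions.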
Transfers to Third Parties
In view of the possible sensitivity of the vehicle-usage data (e.g., journeys made, driving style), the EDPB recommends that the data subject’s consent be systematically obtained before their data are transmitted to a commercial partner acting as a data controller (e.g., by ticking a box that is not pre-ticked or, where technically possible, by using a physical or logical device that the person can access from the vehicle).
Odia Kagan is a partner at Fox Rothschild and chair of the firm’s GDPR Compliance & International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.