Connected vehicles, alongside autonomous vehicles, are often cited as the technology that will transform the way we travel - a transport revolution, some claim. Connected vehicles are, however, not without their challenges. A connected car can generate 25 gigabytes of data every hour and the associated processing is taking place in a complex ecosystem of traditional automotive companies and new digital players. It is against this backdrop that the European Data Protection Board (EDPB) has published draft guidelines on processing personal data in the context of connected vehicles.
What is a connected car?
The guidelines define this broadly as “a vehicle equipped with many electronic control units that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices both inside and outside the vehicle”. From mobility management to road safety and driver assistance to entertainment, the applications for connected vehicles are multiple and diverse.
What risks does the EDPB identify?
Citing “significant data protection and privacy concerns”, the guidelines highlight several key risks:
- information asymmetry and quality of the user’s consent, with a lack of information posing a barrier to obtaining valid consent;
- further processing of personal data without additional consents;
- excessive data collection; and
- security of personal data, put at risk by the plurality of functionalities, services and interfaces.
What mitigations does the EDPB suggest?
To mitigate such risks, the EDPB has set out a number of general recommendations for industry participants. Key takeaways include:
Relevance and minimisation: Data controllers should only collect personal data that is relevant and necessary for the processing. Location data should only be collected where “absolutely necessary”.
By design and by default: Wherever possible, data should be processed within the vehicle to mitigate cybersecurity risk and reduce latency. Where data must leave the vehicle, the EDPB reiterates the value of anonymisation and pseudonymisation techniques in mitigating risk.
Information: The need for clear, simple and easily accessible information is a central tenet of the recommendations. Alongside a list of the information to be provided, the guidelines also discuss how information may be communicated in “layers”, according to its importance.
Rights of the subject: Unsurprisingly, the guidelines focus on the ability of data subjects to control their data. Specifically, the EDPB suggests that a profile management system be used to centralise data settings and record preferences.
Security: In light of the increased risks posed by a security breach, the guidelines call for participants to adopt a number of specific measures (including a unique encryption-key management system and the partitioning of vital functions from "infotainment").
In addition to its general recommendations, the EDPB also sets out specific guidance in connection with three types of data that it considers warrant special attention - geolocation data, biometric data and data revealing criminal offences.
So do these guidelines herald a bumpy road ahead for industry participants? The application of our legislative controls to this technology doesn’t make for an easy ride, but nobody expected otherwise – after all, the transport revolution cannot ignore the privacy revolution. We await the final guidance (following the 20 March 2020 submissions deadline) with anticipation.