Connected Vehicles and Data Protection

Following a public consultation procedure, the European Data Protection Board (EDPB) published last March the final version of its Guidelines on processing personal data in the context of connected vehicles and mobility related applications (hereinafter the “Guidelines”). One of the objectives of the EDPB is to clarify the terms of European data protection law in order to facilitate its interpretation and application.

In the Guidelines, the EDPB points out that the incidence of data processing in vehicles is increasing and that vehicles are “massive data centres”. Much of the data in this context can be considered personal data allowing drivers or passengers to be identified directly or indirectly. Not only is data processed within the vehicle itself, location data for instance, but there is also a large amount of data shared between the vehicle and users’ smartphones. For example, applications used for receiving and making calls, messaging or listening to music that are displayed on the vehicles’ screens process personal data. Furthermore, personal data collected in-vehicle is also communicated to third parties, e.g. tyre condition indicators.

Therefore, the EDPB lists personal data protection risks in connected cars and a number of general recommendations to mitigate the identified risks. For example, since a vehicle may have other drivers in addition to the owner, e.g. in case of sale or rental of the vehicle, there is a risk that information on the processing of personal data is provided only to the owner, and that, as a consequence, the other drivers are not offered sufficient functionalities or options to exercise the necessary control to make use of their data protection and privacy rights. In view of this, EDPB recommends implementing a system that deletes any personal data of the former owner.

The EDPB is also concerned about the risks of processing three kinds of data in connected vehicles. In particular, location data, biometric data, which fall under the special categories of personal data, and data that could reveal criminal traffic offences. Therefore, the EDPB recommends manufacturers, service providers and other data controllers not to collect location data unless it is absolutely necessary for processing purposes. For instance, when processing biometric data required to authenticate the driver as the owner of the vehicle, the EDPB recommends providing an alternative, such as the use of a password, and otherwise storing and comparing the encrypted biometric template only locally inside the vehicle. Finally, with regard to data that could reveal criminal traffic offences, they are subject to specific restrictions in data protection regulations.

Consequently, the EDPB recommends processing such data only locally, i.e. the data should not be processed by an external reading/comparison terminal. It also urges the introduction of strong security measures to protect against illegitimate access, modification and deletion of such data.

Florencia Arrébola
IP/Media Area