Connected vehicles and the GDPR

Connected vehicles collect a lot of data about their drivers: Who they are, where they are, and how they use their cars.

In 2016, research by the “My Car My Data” campaign found that 95% of people surveyed believed there was “a need for specific legislation to protect their rights concerning vehicle and driver data”.

However, Europe has laws covering almost every aspect of connected vehicle data processing. In this article, we’ll focus on how connected vehicle providers can meet their obligations under the EU and UK General Data Protection Regulation (GDPR).

My Car, My Data

My Car My Data is a campaign set up by the Fédération Internationale de l’Automobile (FIA).

In 2016, the campaigners conducted research into consumer attitudes towards connected vehicles and found:

• 90% of respondents felt drivers “owned” data collected about them by their connected vehicle.
• 91% of respondents wanted the option to turn connectivity off.
• When asked about specific connected vehicle privacy concerns, respondents identified the following issues:
  • Disclosure of private information (88%)
  • Commercial use of personal data (86%)
  • Vehicle hacking (85%)
  • Vehicle tracking (70%)

Let’s explore whether GDPR compliance addresses such concerns about connected vehicles.

Do connected vehicles collect personal data?

Yes, connected vehicles can collect, share, and otherwise process personal data.

Under the GDPR, personal data is any information related to an identified or identifiable individual.

If a connected vehicle provider can identify you using data collected by your vehicle, the provider is processing personal data about you.

Why do connected vehicles collect personal data?

Connected vehicles generally collect personal data that is required to provide services to the driver.

Some of these services are “core services”. Drivers must provide certain personal data so the connected vehicle’s systems work properly.

Other services will be optional extras, requested specifically by the driver, that are not necessary to make the connected vehicle’s systems work.

Some connected vehicle providers might also collect personal data for their own purposes, such as delivering targeted advertising and training machine learning algorithms.

Under the GDPR, all processing of personal data requires a “legal basis”. Examples of legal bases include:

• Where the “data subject” (user or person) has provided
• When processing personal data is necessary to enter into or perform a
• When the “controller” (such as a connected vehicle provider) needs to process personal data to comply with a legal obligation.
• When processing personal data is in the controller or a third party’s “legitimate interests”, and those interests outweigh the data subject’s rights and freedoms.

We’ll explore how these legal bases apply to connected vehicles throughout the article.

What sorts of connected vehicle services require personal data?

Let’s look at an example. Volkswagen is a market leader for connected vehicles in Europe. The German car manufacturer offers a connected vehicle service called “VW Connect”.

Volkswagen’s privacy policy explains how the company collects and uses personal data in relation to various connected vehicle services.

Account Creation

To use VW Connect, the user must set up an account. Setting up an account with VW Connect creates a “Volkswagen ID”, which identifies a specific driver. This identifier is personal data.

Additionally, Volkswagen collects the following types of personal data on account creation:

• Title
• Surname
• First name
• Email address
• Password
• Vehicle identification number (VIN)
• Vehicle make
• User role
• Nickname
• S-PIN
• Place of residence
• Preferred language
• User ID
• Time of activation
• Front end used for activation
• Scope of services subscribed

Not all of this information constitutes personal data in isolation.

For example, information such as “time of activation”, “vehicle make”, and even “first name” might not be personal data in some contexts. But if Volkswagen can combine such information with other data to identify an individual, then the information is personal data.

If the user chooses to activate the VW Connect mobile app, Volkswagen will collect other information that can also constitute personal data, such as the user’s international mobile equipment identity (“IMEI”) number and profile picture.

Guests can also use another person’s VW Connect service, and Volkswagen will collect similar types of personal data to provide the service to that person.

Volkswagen relies on the lawful basis of “contract” for these types of data processing—the driver enters into a contract with Volkswagen in order to receive VW Connect services, and Volkswagen says it needs to process the above personal data to perform the contract.

Guest users, however, are not in a contract with Volkswagen. For guest users, Volkswagen relies on its “legitimate interests” to enable the creation and use of “guest” profiles.

Troubleshooting

When something goes wrong with a connected vehicle, the provider may need to collect personal data to fix the problem.

Volkswagen states that it will collect information about “the time and type” of services used by the driver in order to “identify and analyze faults”.

Other types of information, such as the VIN and Volkswagen ID, are also processed for troubleshooting purposes. Contact details might also be processed if the user contacts Volkswagen for troubleshooting purposes.

As above, Volkswagen relies on “contract” and “legitimate interests” to process personal data in this context, for drivers and guests respectively.

Marketing

In addition to providing services requested by the user, Volkswagen uses connected vehicle data for marketing purposes.

According to the company’s privacy policy, such data can include the following:

• Identification data (such as name, email, phone number, VIN)
• Transaction data
• Vehicle usage data (such as logbook, fluid levels, mileage)
• Contract data (such as vehicle equipment, ongoing contracts with related services)
• IT usage data (such as login time, information about how the driver has used certain functions)
• Location data (such as truncated GPS data)

Volkswagen uses these types of personal data to deliver personalized advertising. The personal data might be shared with advertising service providers and other vendors.

Volkswagen relies on “consent” for this type of data processing. This should mean that users make an informed, specific, unambiguous choice about whether they wish their personal data to be used in this way.

What are some other GDPR considerations for connected vehicle providers?

The GDPR provides many other rules and principles that impact connected vehicle providers, including:

• Applying the “principles of data processing”, such as the principle of “data minimization” (only collecting personal data that is adequate, relevant, and necessary for a specific purpose.
• Keeping personal data secure from accidental loss or unauthorized access.
• Facilitating people’s “data subject rights”, including the right to:
  • Confirm that a provider is processing their personal data and access a copy of the data.
  • Erase personal data under certain conditions.
  • Access a copy of personal data in a portable, “machine-readable” format, so the user can transfer the data to another provider (“data portability”).

This is a complicated area. And it’s likely to get more complicated when other EU laws take effect—such as the Data Act, which focuses heavily on internet of things (IoT) and connected devices.