Connected cars raise tricky data protection questions. In 2021, the European Data Protection Board (EDPB) tried to provide some answers with its “Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications”.
The EDPB’s guidance is aimed at companies designing or implementing connected vehicle technologies—from the developers of connected vehicle software to the manufacturers of connected vehicles themselves.
This article looks at six of the most prevalent themes in the EDPB’s guidance: Consent, “information society services”, special category and criminal offence data, transparency, and unanswered questions.
Consent, consent, consent
The word “consent” appears in the guidelines 86 times. References to other legal bases are much less frequent. “Contract” appears 32 times, but often in different contexts. “Legitimate interests” appears just twice—and only in a list of the information required in a privacy notice.
Consent is required under the ePrivacy Directive for “storing information” or “accessing information stored” on a device (with some limited exceptions). This rule applies to the equipment installed in connected cars as much as to mobile phones and other devices.
As such, consent is the EDPB’s preferred legal basis for most connected car-related activities.
Information society services
The EDPB concedes that the ePrivacy Directive does not require consent in certain contexts, including when “strictly necessary” to provide an “information society service” requested by the user.
The EDPB characterizes the following types of activity as information society services that would not require consent if requested by a user:
- GPS navigation services
- Renting and booking a parking space
- Locating a stolen vehicle
In the above cases, the EDPB suggests that “contract” would be an appropriate legal basis for processing—as long as the personal data collected is “necessary” for the performance of the contract.
Special category and criminal offence data
Connected cars can collect “special category data”. Processing special category data requires an additional legal basis under Article 9 of the GDPR. “Explicit consent” appears to be the only appropriate Article 9 basis in this context, according to the EDPB.
The EDPB identifies biometric information as a type of special category data that can be collected by connected cars, for example for security and authentication purposes.
Other data types might not explicitly fall under Article 9 but are nonetheless deemed particularly sensitive by the EDPB. For example, location data can reveal lifestyle habits, including, in some cases, religion or sexual orientation.
The guidance also suggests that certain data collected by connected cars could constitute “criminal offence data”, for example data relating to speeding or other traffic offences. Under Article 10 of the GDPR, requiring especially strong safeguards.
Transparency is another key concern for the EDPB throughout its guidance.
The use of “standardized icons” in privacy notices is encouraged, along with a persistent emphasis on the requirement for “transparent and understandable” information.
The EDPB recommends providing quite extensive information regarding data subjects’ rights. For example:
- The guidance suggests explaining the different types of data available via requests under the “right of access” and the “right to data portability”.
- Consent requests must be accompanied by an explanation of the right to withdraw consent.
- Each of the data subject rights should be explained in context. The EDPB advocates notifying data subjects about their rights to access, rectification, restriction, erasure, and data portability when offering services relating to booking a parking space.
Finally, the EDPB’s guidance arguably leaves several difficult data protection questions unanswered.
For example, the guidance notes that location data may reveal a person’s religion or sexual orientation. Arguably, such data is covered by Article 9 of the GDPR.
Where location data arguably constitutes special category data, the EDPB does not explain whether an Article 9 legal basis is required—and if so, which basis might be appropriate. In fact, the guidance suggests that processing GPS data does not require consent at all.
Elsewhere, the EDPB’s insistence on obtaining consent for the majority of connected car-related data processing could arguably also degrade the effectiveness of certain security and safety features.
Connected vehicles present many data protection challenges. The EDPB’s guidance clarifies how regulators might interpret the GDPR in response to these challenges.
However, connected vehicle manufacturers and connected vehicle software providers might struggle to reconcile these interpretations with the reality “on the ground”.