Increasingly, cars too are connected to the internet. These smart cars, or ‘connected vehicles’ as they are also referred to, are capable of processing a multitude of data which, at the end of the day, can paint a detailed and definitely privacy-sensitive picture of the driver. The information we are talking about ranges from location data to the full communication and driving behaviour. 1 The person driving may use a phone or the car’s navigation system, or may be reminded of their next scheduled maintenance appointment at the workshop. These data are available to the car manufacturers as well, without the car owners usually knowing which data are being processed at the manufacturer’s end and how these data are being used. This is why, addressing the issue of personal data processing in the context of connected vehicles, the European Data Protection Board (EDPB) has published a set of (draft) guidelines for public consultation.
In its draft, the EDPB sets out to submit that the data processed by connected vehicles are indeed personal data, as they can be traced back to the person driving or to the passengers that may be present in the car. Moreover, the information often qualifies as sensitive personal data, in the sense that just the location data by themselves provide information on where a person lives and works and when he or she has gone to see a doctor. It may even provide information about, for instance, religion by recording visits to a specific church. Other special categories of personal data mentioned by the EDPB include biometric data and data indicative of illegal actions or violations of the law, like speeding.
Furthermore, the EDPB submits that the ePrivacy Directive applies, since the processing of personal data is taking place within the sector of electronic communication. Article 5(3) of the ePrivacy Directive specifies that storage of or access to the data collected by, in this case, the vehicle, is subject to consent by the user who, before having given or refused such consent, must have been provided with clear and comprehensive information. Apart from this, consent must have been obtained in accordance with requirements specified by the GDPR, which means that consent must not only be informed, it must also be freely given and specific for the purposes of the intended processing. Consent to data sharing, therefore, should be separately obtained, as opposed to being part of the car’s purchase or lease contract. Also, the user must have the option to withdraw previously given consent at any time and the car must perform to the same standards without data sharing as it does with data sharing.
More often than not, however, it remains unclear which data are actually being used, with cars leaving the dealership without the customer having been properly informed, according to the Dutch Financieel Dagblad. 2 A former Mercedes salesperson, according to the same source, even states, under cover of anonymity, that the importer grants bonuses to dealers who manage to persuade sufficient numbers of customers of the benefits of data sharing. A further complication is that obtaining legally valid consent is not a straightforward matter in the case of connected vehicles, because a car can be used by multiple individuals or serve as a rental or sold on the second-hand market. The EDPB is aware of the issue, but does not offer a definition of legal consent in terms of the practical circumstances. It does emphasise, however, that further processing of the personal data cannot be based on initial consent. What this means, for instance, is that without specific consent the car manufacturer cannot make driving behaviour information available to car insurance companies.
Generally speaking, users must be able to exert some kind of control over the use of their personal data. The EDPB’s advice is for users to have the option to individually activate or disable all different forms of processing and, prior to re-selling their vehicle, remove all accumulated data by one touch of a ‘delete button’. The same sentiment was expressed by Aleid Wolfsen, chairman of the Dutch Data Protection Authority (DPA), who, in the Financieel Dagblad article mentioned above, promoted incorporation of a delete button directly in the dashboards of new car models. Taking its cue from the EDPB, the Dutch DPA, on March 2 2020, published a How-to guide for protection of personal data when purchasing, renting, using and re-selling connected vehicles. In this guide, people are advised to first contact the manufacturer, dealer or lease company if they have questions concerning their personal data, which, if not handled to satisfaction, can be followed up by a complaint to the Data Protection Authority. On March 24 2020 the Dutch DPA also announced that it is currently investigating to what extent Dutch car manufacturers are acting in compliance with the privacy laws by asking them, in writing, which personal data they are processing, for which purposes and for how long, how these data are being protected and with which parties they are being shared. Before the beginning of this year’s summer, the DPA hopes to have finished analysing the results of its survey. The (draft) guidelines of the EDPB are open to comments until May 1 2020.
1. Dutch Automobile Association ANWB even concludes, based on its own 2015 research, that ‘apart from the automotive industry nobody really knows what data are being collected, stored and shared’.
2. See also the answers to questions asked by members of the Dutch House of Parliament after publication of the article: https://www.tweedekamer.nl/kamerstukken/brieven_regering/detail?id=2020Z05474&did=2020D1138.