Connected vehicles are only one “thing” among many that are connected to the Internet, and consequently fall under the term “Internet of Things” (IoT). Particularly in connection with accidents, but also otherwise, it will be necessary to collect data from such connected vehicles.
The European Data Protection Board (EDPB) has published draft guidelines on processing personal data in the context of connected vehicles and mobility related applications[1]. The period allowed for comments was 20 March 2020, and it will be interesting to see whether the adopted guidelines will depart from the present proposal.
The proposed guidelines can be summarised as follows:
Personal data from the connected vehicle are divided into three categories:
- Location data
- Biometric data; and
- Data that could reveal traffic violations or offences
Location data are particularly sensitive, as they will map the movements of the car and accordingly reveal a person’s driving habits. This may in turn reveal information about a person’s leisure activities, place of work, etc. According to the EDPB:
- constant collection of data should be avoided,
- such collection should only be activated when necessary, and
- the driver should be aware that location data are activated and should be able to deactivate the system.
Biometric data may be used instead of e.g. a traditional car key to enable access to a vehicle, to start the vehicle, and to enable access to a driver’s profile settings and preferences. In the draft guidelines, the EDPB is of the opinion that:
- a person must be assured full control of personal biometric data,
- the car manufacturer should provide for the existence of a non-biometric alternative (e.g. using a physical key or code),
- the biometric data should be encrypted and stored locally.
With regard to data from connected vehicles that could reveal traffic violations and other offences, the EDPB emphasises that the processing of such data can only be carried out under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safety measures. At the same time, the EDPB stresses that data from connected vehicles are already subject to the ePrivacy Directive and the General Data Protection Regulation (GDPR).
In the future, we expect two things: that there will be a lot of discussion concerning the ownership of data from connected vehicles, involving private as well as public players, and that the EU’s new Data Act due in 2021 will provide a clarification of the rights to “co-generated data” from the Internet of Things (IoT).
[1] https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202001_connectedvehicles.pdf