The European Data Protection Board (EDPB) has launched a consultation[1] on its draft guidelines on processing personal data in the context of connected vehicles and mobility-related applications.
The EDPB’s Guidelines 1/2020[2] were adopted by the EDPB at its 17th Plenary Session on 28 and 29 January 2020 and focus on the processing of personal data in relation to the non-commercial use of connected vehicles. More particularly, the guidelines deal with personal data which is (a) processed inside the vehicle, (b) exchanged between the vehicle and personal devices connected to it (e.g., a driver’s smartphone) or (c) collected within the vehicle and exported to external entities (e.g., vehicle manufacturers, infrastructure managers, insurance companies, car repairers) for further processing.
Much of the data generated by a connected vehicle relate to a natural person that is identified or identifiable and thus constitute personal data. With many models launched over the past few years using sensors, telematics devices, and connected on-board equipment to collect and record, among other things, engine performance, driving habits, locations visited, and potentially even the driver’s eye movements, pulse and other biometric data for authentication or identification purposes, the guidelines identify a number of issues arising from the personal data of drivers and passengers processed by the vehicle and communicated by the vehicle as a connected device.
For example, the EDPB point out that geolocation data are particularly revealing of the life habits of data subjects - the journeys they take are very characteristic in that they enable one to infer the place of work and of residence, as well as a driver’s leisure interests, and may possibly reveal sensitive information such as religion through the place of worship, or sexual orientation through the places visited.
As vehicles become increasingly connected, the automotive ecosystem is becoming more and more complex with the emergence of new “digital economy players” alongside the traditional automotive manufacturers and their supply chain. Relevant services include infotainment services such as online music, road condition and traffic information; driving assistance systems and services, such as autopilot software; vehicle condition updates; usage-based insurance and dynamic mapping services. Since cars are connected via electronic communication networks, road infrastructure managers and telecommunications operators involved in this process play an important role with respect to the potential processing operations applied to the drivers’ and passengers’ personal data.
The guidelines are directed at vehicle manufacturers, equipment manufacturers and automotive suppliers, car repairers, automobile dealerships, vehicle service providers, rental and car sharing companies, fleet managers, motor insurance companies, entertainment providers, telecommunication operators, road infrastructure managers and public authorities.
The closing date for responses is 20 March 2020.
[1] https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-12020-processing-personal-data-context_en
[2] https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202001_connectedvehicles.pdf
