Update: EDPB publishes personal data guidelines for connected vehicles and mobility applications

On the 7th of February, the European Data Protection Board (“EDPB”) published its Guidelines 1/2020 on processing personal data with reference to connected vehicles and mobility related applications (the “Guidelines”) for public consultation. The Guidelines mainly concern non-professional use of connected vehicles and is directed towards several industry players, including for example vehicle manufacturers, equipment manufacturers suppliers and rental companies.

The Guidelines include:

• Clarification that most data associated with connected vehicles will be considered personal data, including e.g. technical data regarding the vehicle’s movement (speed, distance) as well as of the vehicle’s condition (engine RPM, temperature etc.).
   
• Guidance on the use of geolocation data, which according to the EDPB warrants special attention, since it may reveal private habits (with regard to e.g. religion, sexual orientation and a driver’s personal interests). The use of geolocation data in connected vehicles should as a general rule be subject to several principles in order to mitigate privacy risks, such as:
  – the option to deactivate geolocation at any time,
  – defining limited storage periods,
  – activating geolocation only when the user launches a functionality that requires the vehicle’s location to be known (i.e. no activation by default when the vehicle is started), and adequate configuration of the frequency of access to and level of detail of geolocation data collected in relation to the purpose of the processing.
   
• Guidance on the use of data revealing criminal offences or other infractions:
  – Instantaneous speed data combined with precise geolocation data may be considered offence-related data which means that processing of such combined data may only be carried out under the control of an official authority or when authorised by Union or Member State law.
  – EDPB does not consider that instantaneous speed data in itself constitutes offence-related data, but such data may however become offence-related depending on the context and the purpose of the processing.
   
• Guidance on the use of biometric data, e.g. to enable access to a vehicle and a driver’s profile.The processing of biometric data should comply with several principles, including for example:
  – limited authentication attempts,
  – storage of biometric template/model in the vehicle in a state of the art encrypted form,
  – adjustment of the biometric solution used shall be adapted to the security level of the required access control, and
  – solely processing the raw data used to make up the biometric template for user authentication in real time, i.e. without being passively stored.
   
• The EDPB’s view with regards to when a data protection impact assessment (DPIA) should be performed. The EDBP’s view is that such assessment will likely be necessary in situations where personal data is processed outside of the vehicle’s systems (i.e. not only stored locally in the vehicle systems) and that best practice is to always, including when not required, perform a DPIA as early as possible in the design process.
   
• Case studies on e.g. “pay as you drive” insurance, eCall and accidentology studies.
   
• General recommendations with regard to anonymization, security measures and provision of information.
   
• ​Consent – The EDPB also stresses that the e-Privacy directive applies where relevant, and as a consequence consent must be obtained in many cases.

SETTERWALLS HAS ONE OF SWEDEN’S LEADING TEAMS WITH EXPERTISE IN PRIVACY & DATA PROTECTION RELATED MATTERS IN THE CONTEXT OF CONNECTED VEHICLES. PLEASE CONTACT US FOR ASSISTANCE AND WITH REGARDS TO EDPBS’S RECOMMENDATIONS IN THE GUIDELINES.