The past several years have seen a rapid increase in the scope of data connectivity in passenger vehicles, in particular. Whereas previously such features as online radio and music streaming, real-time weather and navigation, driver assistance, and mobile device connectivity were found primarily in luxury and high-end vehicles, such features are now common place across the market.
Data protection laws in the UK and Europe include a requirement for organisations to practice ‘data protection by design and by default,’ which means adopting appropriate technical and organisational measures to meet the principles of data protection law.
Accordingly, it is important for vehicle manufacturers, and those developing connected systems for use with vehicles, to consider during the design phase how a system’s functionality will support compliance with data protection laws. By way of example, systems must be designed to provide mandatory information to individuals about how their data will be processed, and this extends not only to a vehicle’s owner but to anyone who is a driver or passenger.
Updated guidance approved following industry and public feedback
The European Data Protection Board (EDPB) has recently adopted updated Guidelines on the processing of personal data in the context of connected vehicles and mobility related applications (the Guidelines). The Guidelines highlight the most prevalent technologies currently deployed, identify areas of heightened risk for organisations deploying such technologies, and set out measures which should be adopted in order to use those technologies in compliance with the law. The principle of data protection by design and by default is explicitly cited by the Guidelines, and practices such as localised data processing, pseudonymisation and anonymisation, and transparency of processing are highlighted.
The Guidelines focus on technologies which process personal data in ‘non-professional’ circumstances, as different considerations arise from processing personal data in the context of public transport or commercial vehicles. In particular, the uses highlighted are those where personal data is:
- Processed solely inside a vehicle;
- Communicated between a vehicle and a connected personal device such as a smartphone; and
- Vehicle telemetry which is transmitted to the manufacturer, vehicle repairer, insurance company or other service provider.
High risk personal data processing
Three categories of data processing are identified in the Guidelines as ‘high risk,’ where organisations deploying the technology that collects and processes the data must be particularly cautious to do so in compliance with data protection law:
Location data: Real-time location data, particularly if it is recorded and retained over time, can be particularly intrusive and can reveal ‘special category’ data about an individual, including their religious beliefs, health status, or sexual orientation;
Biometric data: This is also ‘special category’ data where it is used to identify an individual, for example using facial recognition technology to enable access to a vehicle or its functions;
Data revealing criminal offences or traffic violations: Real-time vehicle speed data, particularly in combination with vehicle location data, can reveal the commission of an offence.
Risk mitigating measures to foster compliance
The Guidelines recommend numerous considerations and strategies to assist with personal data collection and processing in accordance with the law. These include:
- Considering the frequency and specificity of data collection for the particular functionality in question. For example, a weather application likely does not need to access the vehicle’s location every second, rather than at longer intervals; this is the case, the Guidelines note, even with the consent of the driver;
- Providing appropriate and accurate information about data processing and its purposes, including how data may be shared with third parties and how long data will be stored;
- Where personal data processing relies on consent, obtaining that consent in a fully compliant manner (e.g. freely given, specific, and informed);
- Providing the ability to deactivate location tracking at any time;
- When processing biometric data, for example to access a vehicle or authenticate the driver, the biometric template should be stored and compared (in encrypted form) locally, rather than requiring transmission externally, and importantly, providing a non-biometric alternative such as the use of a physical key or electronic code;
- In order to remain compliant, vehicle systems should process data which may reveal criminal offence only locally and protected with strong security measures; the driver should have full control of such data.
The Guidelines recognise that whilst data security measures such as pseudonymisation and anonymization are useful tools in combination with other measures, it is important for data controllers to consider available re-identification techniques which could be applied to anonymised data, for example in the event of a data breach. The UK Information Commissioner’s Office (ICO) has recently acknowledged the increasing difficulty of rendering personal data truly anonymous, in particular in the face of a ‘motivated intruder,’ and will be issuing updated guidance in the near future to assist organisations in determining how best to protect data from illicit de-identification. Accordingly, organisations should limit data transmission, by processing data locally, and wherever possible using encryption, in particular where local processing is not possible and data will be transmitted from the vehicle for processing.
The Guidelines set out the legal basis for processing personal data, as well as the challenges arising from that processing, for some common connected vehicle applications.
Usage based insurance
It is increasingly common for vehicle owners and drivers to elect for ‘pay as you drive’ insurance which ties insurance rates to the time and distance travelled, and often other metrics including braking patterns and rapid acceleration. Drivers are then assigned a ‘score’ calculated from the data collected during the vehicle’s usage.
The Guidelines emphasise that (as with the collection of biometric data, addressed below in relation to the eCall system), drivers should be provided with the option to subscribe to a non-usage based insurance policy which does not require the collection and processing of personal data whilst driving. The Guidelines arrive at this conclusion as the processing of personal data in the context of usage based insurance can only be carried out with the consent of the driver, and without an option to subscribe to an alternative form of insurance, a driver’s consent cannot be freely given as required by the law.
Data security and data minimisation are identified as areas of particular sensitivity for usage based insurance. In such cases, data should be processed insofar as possible, only locally in the vehicle’s telematics box or on the driver’s smartphone; numerical scores (but not raw data) can then be transmitted either to the insurance provider or its telematics services provider. Where raw data are processed by a telematics services provider on behalf of an insurer, data linked to the identity of the driver must be separated from the raw data, including names and licence plate numbers; those would be held only by the insurer who can then associate the calculated scores received with the corresponding driver.
As with all other data processing, providing drivers with complete and accurate information about the insurer’s processing will be key to deploying a compliant usage based insurance system. Where the calculation of a score for a driver’s activities – resulting in the application of an insurance price – is fully automated, insurers will need to be mindful to explain the use of such fully automated decision making, and the driver’s right to obtain human intervention in the process.
Reserving and renting parking spaces
It is increasingly common for the owners of parking spaces to make those spaces available for rent when not in use. This is generally accomplished using a web based application which prospective renters can then access from smartphones, or on board systems. Unlike usage based insurance, the collection and processing of personal data – for example the data stored locally in a renter’s smartphone – does not rely on consent of the user, but rather is carried out on the basis that it is required to fulfil a service requested by the user.
It will nonetheless be necessary to provide complete and accurate information to the renter about the data processed to conclude the transaction, the parties with whom such data may be shared, and the length of time for which data will be conserved before either being deleted or duly anonymised.
Vehicle theft tracking
Similar to location based services for parking space rentals, access to a vehicle’s real time geolocation data can be provided by the owner of a stolen vehicle in order to assist law enforcement. In contrast with the use of parking space reservation systems, the vehicle owner’s consent will be the legal basis upon which authorities gain access to a stolen vehicle’s location data, and that access must cease if the owner’s consent is revoked. Data security and data retention are highlighted by the Guidelines as being central to compliance in such cases, with data to be deleted once the investigative purposes have been met by the competent authorities.
Emergency ‘eCall’ system
The eCall system functions in accordance with EU Regulation 2015/758 (the ‘Regulation’) and is triggered automatically when a connected vehicle within the EU detects that it has been involved in a serious collision; the vehicle will automatically place a call to 112, the EU-wide emergency number. When the system is triggered, two data events occur: (i) the audio communication channel in the vehicle will be enabled; and (ii) the vehicle will generate and transmit the Minimum Set of Data to the designated public safety answering point.
The eCall system’s approach to personal data processing provides an instructive example of system design for compliance with data protection law, in particular in meeting the principles of data minimisation and data retention. The Minimum Set of Data collected by the system is designed to be precisely what its name suggests – only data essential to achieving the eCall system’s purpose are collected.
In accordance with the Regulation, the data collected by the eCall system are to be deleted completely once they are no longer required for the emergency response purpose; the internal memory of the system is automatically and constantly deleted, and only the last three positions of the vehicle can be stored in order to permit the current position and direction of travel to be ascertained.
Connected vehicles offer myriad opportunities for owners, passengers and manufacturers to benefit from the data generated through the use of vehicles and connected applications, however, doing so in a manner compliant with data protection law presents challenges. In particular, the need for data minimisation, data security, data retention limits, and the provision of appropriate information to individuals about data collection, will require careful attention in the design and deployment of connected vehicle systems.