Connected vehicles

On February 7, 2020, the European Data Protection Board (“EDPB”) published draft guidelines on processing personal data in the context of connected vehicles and mobility-related applications (the “Guidelines”). This draft was submitted to public consultation from February 7, 2020 through May 4, 2020.

The most important points of these Guidelines are:

  • They argue for a broad interpretation, covering any mobile application or device that is connected to the vehicle and can share information both inside and outside it, even if it is independent from the vehicle.
  • They consider connected vehicles “terminal equipment” in accordance with the definition of Directive 2008/63/EC. They therefore consider applicable the provision of Directive 2002/58/EC, as amended in 2009 (“ePrivacy Directive”), which requires the user’s consent to store or access information already stored on a user’s terminal, except when it is necessary for transfer or to render a service requested by the user.
  • Given that a large portion of this information can be used to identify individuals, the Guidelines stress the need to also apply the legal bases provided in article 6 of the GDPR, as long as they do not lower the protection envisaged in the ePrivacy Directive.
  • They prohibit the use of the information for subsequent data processing, unless additional consent is given.
  • They focus on the importance of data protection by design and by default (e.g., minimization, privacy-friendly default settings, possibility of modification at any time). They underline the need to (a) not collect more data than necessary; (b) implement robust security measures, given that it is a critical system that can endanger users’ lives (e.g., by harmonizing, pseudonymizing, encrypting and storing the information locally); (c) clearly and specifically inform all the affected parties (not just the owner); and (d) grant control to the individual through settings that protect privacy by default.
  • They also analyze some case studies, notably including the provision of a service by a third party, such as “pay as you drive” insurance, parking space bookings, accident reviews or emergency calls (eCall system).

However, these Guidelines have not yet been approved, and some voices within the sector have criticized aspects such as the requirement for a “double” legal basis, the prevalence of the data subject’s consent and the prohibition on using the information subsequently without consent.

Therefore, during the consultation period, numerous comments were submitted from both the public and private sectors in several EU countries (mainly Belgium and Germany but also the United Kingdom, France, Sweden, Austria, Denmark, the Netherlands and Spain). Most of the comments were submitted from the private sector or transport associations.

Comments from Spanish companies notably include those from Telefónica S.A., which advocates a risk-based assessment of personal data protection and mainly states a position on (i) consent as the main basis for processing, (ii) the prohibition on using personal data for subsequent compatible uses in the context of connected vehicles, (iii) the security of the cloud for storing data, and (iv) the compatibility of these Guidelines with the European Data Strategy (which we discussed in this blog post). The Spanish Data Protection Agency has published a blog post summarizing the most important points of the Guidelines.

Authors: Pedro Mendez de Vigo and Adaya Esteban