The EDPB gives its view on connected car technology – but will it reach the chequered flag? – Lexology

In February, the European Data Protection Board (EDPB) published its draft guidelines on the processing of personal data in the context of connected vehicles and mobility-related applications (the Guidelines). These are draft guidelines published for public consultation.

These are the first European-wide guidelines issued on connected car technology by privacy regulators. In France, the CNIL published its "compliance package" in 2017 and previous guidance has been issued in Germany. The Article 29 Working Party had previously issued guidance on the Internet of Things, but never ventured into the connected car space.

So, while perhaps overdue, it is helpful to have the views of the EDPB and, through them, the collective views of the European supervisory authorities on important issues this technology raises.

Some of the views adopted in the Guidelines will not be surprising: an expansive view on the concept of personal data and the applicability of the ePrivacy Directive, to take two examples. These may still, however, cause operational challenges for many actors in the connected car space currently wrestling with using this innovative technology in a privacy-compliant way.

Equally, there are some areas of the Guidelines that are arguably more controversial, particularly on the interface between GDPR and the ePrivacy Directive. The Guidelines also focus heavily on an owner-use scenario which, for some data privacy issues, lends itself to more practical solutions, particularly where consent-led solutions are appropriate. However, as mobility service models have become more sophisticated, the Guidelines would benefit from being expanded to consider other scenarios where the issues they raise are not so easily handled, e.g. company fleets, vehicle leasing arrangements, car sharing clubs and various forms of long-term and short-term vehicle rental services. The Guidelines specifically exclude employee use of vehicles, due to employee monitoring issues. However, they could address the other privacy issues that are raised in this context.

Due to the current COVID-19 crisis, the consultation remains open to the public, with the deadline for responses delayed to 1 May. So, interested organisations still have time to submit their views.

At the time of writing, more than 20 responses to the public consultation have been published, with many raising challenges with legal interpretations adopted in the Guidelines, as well as practical difficulties in some of the solutions and restrictions proposed. Some of these represent important points of substance that, if not addressed by the EDPB in the final Guidelines, could lead to the "flashing of hazard lights" in developments in this area in the years to come.

We have set out below a selection of the key themes from the Guidelines, along with our thoughts.

What constitutes personal data?

The Guidelines widely construe the concept of personal data in the context of connected vehicle data. Under the Guidelines "personal data" could include directly identifiable personal data, such as the driver's name, as well as indirectly identifiable data, including data relating to driving style, mileage, vehicle wear and tear and metadata, such as the maintenance status of the vehicle. This is not surprising and is consistent with the approaches of regulators (and European case law) to date.

However, the Guidelines would benefit from acknowledging some flexibility here. Context and intention of processing are important considerations in determining when information constitutes personal data under GDPR in any scenario. This is the case both in law and under case law. This is particularly relevant for connected car technologies in scenarios other than user-owner arrangements. Should corporates have to treat "wear and tear" data of their assets as "personal data"?

The Guidelines also flag specific categories of personal data warranting special consideration due to the sensitive/high-risk nature of the information.

The Guidelines provide recommendations when processing such high-risk data, including ensuring consents obtained are valid and unbundled from other terms, defining a limited retention period, encouraging local processing within the vehicle where possible, providing alternatives (e.g. non-biometric access) and allowing for drivers to turn off certain tracking, such as location. Many are sensible privacy-enhancing measures. However, in certain scenarios, these requirements will present some controllers with challenges.

Interplay between GDPR and ePrivacy Directive

This is perhaps the most controversial topic that the Guidelines touch on. There is also, arguably, a degree of internal inconsistency with how the Guidelines address this issue.

The Guidelines are clear that, in addition to GDPR, the ePrivacy Directive will apply. Specifically, that connected vehicles and all devices connected to them are "terminal equipment" for the purposes of the ePrivacy Directive in the same way as a mobile device or laptop is "terminal equipment". This activates the requirement for consent to the storage of information, or gaining access to information stored, on the connected vehicle and other connected devices.

Strictly, this seems a fair interpretation of the applicability of the ePrivacy Directive (although a technical assessment of whether information is "accessed" from the vehicle for some technologies may permit some flexibility).

However, the Guidelines arguably fail to accommodate all potential solutions for obtaining consent, resulting in a potentially unduly restrictive application, particularly in scenarios where the user (or, in this case, driver) is not the owner of the vehicle. The ePrivacy Directive allows for consent to be given by the "user or subscriber" of the relevant service. So, consent by actors other than the driver may be appropriate in some circumstances. The Guidelines could acknowledge this flexibility to allow the law to accommodate other connected car scenarios without fundamentally undermining the protection the ePrivacy Directive seeks to provide.

The challenges of obtaining a consent under the ePrivacy Directive in certain circumstances also arguably demonstrate a need for updates to it. Consent is not required for access to data requested as part of an "information society service" (i.e. a digitally delivered service; think Spotify or Netflix). This exemption makes sense. However, it is too inflexible to accommodate technology-enabled services that also involve a "real world" element that may, therefore, not constitute "information society services". For example, the Guidelines suggest that this issue in the context of "pay-as-you-drive" insurance can be managed by obtaining the consent of the driver. However, is that truly an "unbundled" and "freely given" consent (as required under GDPR)? Would it not be neater, and maintain consistent logic, if a similar exemption applied where connectivity was an inherent part of service delivery? Or should there be some recognition of the potential to rely on legitimate interests, subject to certain safeguards, as has been included in the most recent proposal on the new ePrivacy Directive issued by the Croatian Presidency?

In addition, and potentially most importantly, the Guidelines also appear to adopt an unduly restrictive interpretation of the ability to rely on legal bases other than consent under GDPR in scenarios where the ePrivacy Directive is also engaged.

The Guidelines state that any consent requirement under Article 5(3) ePrivacy Directive takes precedence over GDPR in relation to the storage/collection of information from the connected vehicle and other linked devices. In addition, further processing of personal data collected from the connected vehicle or device will require an Article 6 GDPR lawful basis of processing. This is in line with the EDPB's Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR.

However, the Guidelines go further and suggest that, where consent is required under Article 5(3) ePrivacy Directive, then consent will generally be the most appropriate lawful basis under Article 6 GDPR for further processing activities. This is a direction of travel we have seen in the ICO's recent guidance on adtech. So, it is not entirely surprising. The stated intention is to ensure that the protection under the ePrivacy Directive is not undermined and this is potentially understandable in certain circumstances. However, it is debatable whether this is what GDPR says. There is no hierarchy to the lawful bases under GDPR.

There is clearly a concern that saying otherwise would, in the regulator's eyes, open the "floodgates" to allow controllers to rely on legitimate interests as a legal basis under GDPR. However, setting aside legalistic arguments for a moment, this is also potentially unfair on responsible controllers. Even if legitimate interests are properly available as a legal basis, this does not mean a "free for all". Responsible controllers understand the balancing tests that need to be carried out and the requirements to deal with issues such as proportionality, transparency and accountability this entails.

Indeed, the case studies included in the Guidelines acknowledge that appropriate reliance on bases other than consent under GDPR does not necessarily undermine the protection under the ePrivacy Directive. For example, in the "pay-as-you-drive" insurance scenario, the EDPB acknowledges that performance of contract would also be an appropriate legal basis.

As it stands, the Guidelines leave significant scope for confusion here and clarification would be welcomed.

Other key concerns

The EDPB also helpfully highlights specific concerns and recommendations in relation to connected vehicles and mobility, and focuses on the need for:

These are all existing obligations under GDPR that would need to be considered when processing personal data in any event, although some issues are more relevant and high risk in a connected vehicle context. This should all effectively be considered in an associated data protection impact assessment.

However, it is clear from these recommendations that there is a need for reliance on multiple actors across the connected car space, from OEMs to mobility service providers. Each will have a different ability to implement the measures needed to ensure privacy-compliant deployment of this technology. Again, it would be beneficial for the Guidelines to recognise this.

The Guidelines include a number of case studies applying the recommendations to specific scenarios including:

However, these are some of the most useful sections of the Guidelines. It would be helpful for the Guidelines to consider use cases in other scenarios. In particular, the inclusion of a use case relating specifically to the collection of vehicle maintenance and diagnostics data in a corporate or fleet scenario would be of value, being one of the most prominent use cases for this type of technology.

The consultation period for public submissions closes on 1 May.
