The European Automobile Manufacturers’ Association (ACEA) welcomes the publication of guidelines on personal data relating to connected vehicles, drafted by the European Data Protection Board (EDPB), but believes they are too broad in scope and should not be rushed through.
“The automobile industry is committed to providing its customers with a high level of personal data protection,” underlined Eric-Mark Huitema, ACEA Director General. “That is why it is so crucial that these guidelines are made more robust. Indeed, they need to provide authorities across the EU with a good and common understanding of how data protection rules should apply in the field of connected vehicles.”
Connectivity normally implies that vehicles communicate with the outside world, with data being transmitted from one device to another (mobile applications, other vehicles, infrastructure, etc). However, the EDPB guidelines go beyond this to also cover communications that occur within a vehicle. This does not make sense according to ACEA, nor is it consistent with national guidance in several member states, such as France and Germany. Similarly, the guidelines should make clear that vehicle manufacturers become data ‘controllers’ or ‘processors’ only from the moment that data leaves the vehicle.
In addition, the EDPB’s understanding of what constitutes personal data does not accurately reflect the reality of how motor vehicles are used and is too extensive, argues ACEA in a 21-page document setting out the auto industry’s comments on the guidelines. Huitema: “Motor vehicles are different from other products like smartphones in that they have multiple users and therefore multiple potential ‘data subjects’. Whether vehicle data can be considered personal data should be assessed in the context of data processing, considering the impact on the data subject in each case.”
Concretely, some data subjects such as passengers or pedestrians seen by outward-facing cameras or sensors are not identifiable for vehicle manufacturers. Equally, some data such as average fuel consumption or average speed is technical data that is not related to a data subject, and therefore does not have any privacy impact.
This also means that data subjects should not have the right to delete all vehicle data, contrary to what the EDPB implies. For example, data relating to components (such as the software version) or to the health status of the vehicle (such as diagnostic trouble codes) should not be deleted as this is needed to ensure compliance with product safety and product liability law, to carry out repair and maintenance work and to conduct periodic technical inspections (which are prescribed by EU law).
The draft guidelines provide a detailed assessment of data processing in connected vehicles based on the ePrivacy Directive, even though that Directive is about to be replaced with a new ePrivacy Regulation. If published in their current form, the guidelines would risk being outdated very soon, causing a lot of confusion. ACEA therefore calls on the EDPB to postpone the publication of the guidelines until the content of the new ePrivacy Regulation is known with certainty.
“We think the quality and accuracy of the guidelines are more important than the speed with which they are adopted,” said Mr Huitema. “Our industry stands ready to work with the EDPB to achieve pragmatic and workable guidance that can strengthen customer trust in new connectivity technologies.”