
GDPR & CNIL: Personal data of connected vehicles

GDPR and CNIL - Personal data and data - Connected vehicles and connected objects - Autonomous cars

Connected vehicles. The European General Data Protection Regulation (GDPR) is already having an impact even before its official entry into force on May 25, 2018.

Having already published several “compliance packs” in the areas of smart meters, social housing, and insurance, the CNIL (French Data Protection Authority) has continued its work of informing and preparing professionals, this time targeting the automotive sector with a sector-specific compliance pack entitled “Connected Vehicles and Personal Data.” This pack addresses the interactions of modern vehicles with the outside world—mobile applications, other vehicles, infrastructure, etc.

This publication comes at a particularly opportune time for the development of connected cars, as Huawei announced this month a collaboration with the automaker PSA to develop a specialized platform called the “Connected Vehicle Modular Platform.”

GDPR & personal data: A balance between innovation ecosystems and personal data protection

Developed with the help of major automotive brands, public authorities, insurance companies, and telecom providers, the package aims to support sustainable innovation among industry professionals in the design of connected and autonomous vehicles. A growing amount of data will be collected via vehicle sensors, telematics devices, and other applications, which can be processed on-board or exported to a centralized server.

Driver name, trip details, vehicle usage data, and component wear data are all examples of data already stored by modern cars.

The document emphasizes the key principles to be respected with regard to the LCEN (French Law on Confidence in the Digital Economy) and the GDPR (General Data Protection Regulation):

  • informational self-determination and the obligation to have a legal basis for the processing carried out,
  • the fairness and purpose of the data collection,
  • proportionality, the limitation of the retention period, and data security.

Also reiterated are the need to inform individuals, the formalities prior to the implementation of processing, the limitation of processing, data portability, and the right to be forgotten – modification and rectification of data depending on whether the data is directly or indirectly identifiable.

Connected Vehicles & Compliance Pack: CNIL & Personal Data

Distinguishing three scenarios encountered by industry professionals, the package offers guidelines for each identified type of data processing, specifying, in compliance with the GDPR, the purposes, categories of data collected, their retention periods, the rights of individuals, the security measures to be implemented, and the recipients of the information.

“In-In” refers to data collected by the vehicle that remains under the sole control of the user and is not transmitted externally.

  • Eco-driving
  • Lane departure detection
  • Collision risk alert

Because they prevent data from being transferred, digital tools operating on this model are particularly protective of it: they limit the risks of hacking and reduce the prior formalities with the CNIL (French Data Protection Authority), while guaranteeing the user control over data export.

“In-Out” concerns vehicle data transmitted to the service provider without remotely triggering any automatic action within the vehicle.

  • Personalized insurance
  • Breakdown assistance
  • Emergency call

For model optimization, accident analysis, commercial use of connected vehicle data, eCall, and anti-theft services, the CNIL (French Data Protection Authority) is considering requiring service providers to obtain explicit consent in the service contract, which must be separate from the vehicle sales contract, as well as granting users the freedom to activate or deactivate services.

Finally, “In-Out-In” allows the transmission of vehicle data to the service provider to remotely trigger, sometimes proactively, an automated action within the vehicle. This applies to situations involving insufficient computing power within the vehicle or requiring the use of additional data external to the vehicle.

  • Dynamic traffic information
  • Anticipatory messaging
  • Remote maintenance

GDPR & CNIL: The obligations of connected vehicle stakeholders

In this situation, the CNIL recommends several security measures, such as separating the vehicle’s vital functions from those continuously connected to the internet, implementing all necessary safeguards, and using secure frequencies specifically dedicated to transportation.

The CNIL also notes that this document will be subject to revisions to reflect technological advancements and evolving professional practices, while ensuring its analysis is based on systems already in use.

Written by: PX Chomiac de Sas

Published on: 27/11/2017
Updated on: 11/11/2025