Overview
The French Data Protection Authority recently issued its Connected Cars Compliance Pack. The pack is designed as a toolkit not only for France but from a European GDPR perspective, explaining how connected cars can comply with data protection requirements. Although the pack is intended primarily for car manufacturers, insurers and software publishers will also find it useful.
In Depth
In mid-October 2017, the French Data Protection Authority (CNIL) issued its Connected Cars Compliance Pack, which serves as a toolkit for ensuring that connected cars (for personal use) comply with French data protection requirements and the EU General Data Protection Regulation (GDPR). This toolkit provides relevant guidance on data protection topics beyond connected cars. It highlights the following principles in particular:
- Information can be provided by various means (e.g., contract, driver’s manual, car computer, standardised icons), depending on whether the information is essential.
- Pseudonymisation, rather than anonymisation, can be used as a guarantee of confidentiality, allowing service providers to produce statistics on the basis of legitimate interest rather than necessarily on the basis of prior consent.
- Any data processed for a legitimate interest is not subject to portability.
Using an innovative approach that is both practical and technical, the CNIL has set out three possible scenarios. For the first time, the CNIL takes into account the principle of informational self-determination, inserted into domestic data protection legislation by Digital Republic Act No. 2016-1321 of 7 October 2016, under which individuals shall have full and free control of their data. In practice this will have significant consequences for technology use (e.g., geolocation) and user rights (e.g., data portability).
Scenario 1 (IN→IN)
In this scenario, data is collected within the car, and even if such data is transmitted to service providers, they cannot access it. As a result, this scenario is considered a household activity and thus falls outside the French Data Protection Act and the GDPR (from 25 May 2018 onwards). The CNIL nevertheless sets out several prerequisites, all consistent with the principle of informational self-determination:
- Any driver or user retains full control over his or her data.
- Data shall only be processed in real time and without storage.
- Any driver or user shall be able to erase his or her data at any time.
- Full and comprehensive information shall be given to data subjects regarding the processed data, the purpose of the processing, and how to disable this processing and erase data.
Scenario 2 (IN→OUT) and Scenario 3 (IN→OUT→IN)
Scenario 2 and scenario 3 are quite similar to one another. Both involve data being transmitted outside the connected car and are therefore subject to the data protection rules’ high standards (e.g., the processing of real-time car speed is strictly interpreted). In these two scenarios, processing activities are categorised by purpose and must be based on a specific legal ground. The purpose of the processing activity determines the data storage period, any third-party recipients, the relevant information channel (e.g., infotainment, driver’s guide, icons) and the documents required for information notices. Both scenarios are laid out in the table below:
| Scenario | Purpose | Legal ground | Storage period | Concerned party | Information |
|---|---|---|---|---|---|
| IN→OUT | Product optimisation | Legitimate interest | 3 years (pseudonymised) | Data subject; service provider; processor; business partner (pseudonymised) | Contract |
| | Accident data studies | Driver’s consent | Vehicle/driver data: study period; vehicle technical data: 5 years | Data subject; service provider; processor | Study’s consent form |
| | Commercial use of vehicle data | Contract | Commercial data: contract period, after which data may be archived to prevent litigation; utilisation data: limited period, then aggregated for the rest of the contract period | Data subject; service provider (only for performance data) | Contract |
| | eCall system | Compliance with a legal obligation (Regulation 2015/758) | As long as is required for the processing purpose | Data subject; service provider; processor | Driver’s manual |
| | Auto theft strategy | Driver’s consent/ | Geolocation data: investigation period | Data subject; service provider; monitoring platform; legal authorities | Contract |
| IN→OUT→IN | Remote maintenance | Contract | Commercial data: contract period, after which data may be archived to prevent litigation; utilisation data: limited period, then aggregated for the rest of the contract period; data relating to actions on the vehicle: vehicle lifetime | Data subject; service provider; processor | Contract |
| | Enhancement of the driving experience | Contract | Commercial data: contract period, after which data may be archived to prevent litigation; utilisation data: limited period, then must be aggregated for the rest of the contract period | Data subject; service provider; processor | Contract |