French Connected Cars Compliance Pack Offers Helpful GDPR Toolkit

Overview


The French Data Protection Authority recently issued its Connected Cars Compliance Pack. The pack is designed as a toolkit not only for France, but with a European GDPR perspective on how connected cars can comply with data protection requirements. Although the pack was intended primarily for car manufacturers, insurers and software publishers will also find it useful.

In Depth


In mid-October 2017, the French Data Protection Authority (CNIL) issued its Connected Cars Compliance Pack, which serves as a toolkit for ensuring that connected cars (for personal use) comply with French data protection requirements and the EU General Data Protection Regulation (GDPR). This toolkit provides relevant guidance on data protection topics beyond connected cars. It highlights the following principles in particular:

  • Information can be provided by various means (e.g., contract, driver’s manual, car computer, standardised icons) depending on whether it is essential information.
  • Pseudonymisation instead of anonymisation can be used as a guarantee of confidentiality, allowing service providers to produce statistics on the basis of legitimate interest but not necessarily with prior consent.
  • Any data processed for a legitimate interest is not subject to portability.

Using an innovative approach that is both practical and technical, the CNIL has set out three possible scenarios. For the first time, the CNIL takes into account the principle of informational self-determination, inserted into domestic data protection legislation by Digital Republic Act No. 2016-1321 of 7 October 2016, under which individuals have full and free control of their data. In practice this will have significant consequences for technology use (e.g., geolocation) and user rights (e.g., data portability).

Scenario 1 (IN→IN)

In this scenario, data is collected within the car, and if such data is transmitted to service providers, those providers cannot access it. As a result, this scenario is considered a household activity and thus falls outside the French Data Protection Act and the GDPR (from 25 May 2018 onwards). The CNIL does, however, set out some prerequisites, all consistent with the principle of informational self-determination:

  • Any driver or user retains full control over his or her data.
  • Data shall only be processed in real time and without storage.
  • Any driver or user shall be able to erase his or her data at any time.
  • Full and comprehensive information shall be given to data subjects regarding the processed data, the purpose of the processing, and how to disable this processing and erase data.

Scenario 2 (IN→OUT) and Scenario 3 (IN→OUT→IN)

Scenario 2 and scenario 3 are quite similar to one another. Both involve data transmitted outside the connected car and are therefore subject to the data protection regulation’s high standards (e.g., the processing of real-time car speed is strictly interpreted). In these two scenarios, processing activities are categorised by purpose and must be based on a specific legal ground. The purpose of the processing activity determines the data storage period, any third-party recipients, the relevant information type (e.g., infotainment, driver’s guide, icons) and the documents required for information notices. Both scenarios are laid out in the table below:

| Scenario | Purpose | Legal ground | Storage period | Concerned party | Information |
|---|---|---|---|---|---|
| IN→OUT | Product optimisation | Legitimate interest | 3 years (pseudonymised) | Data subject; Service provider; Processor; Business partner (pseudonymised) | Contract |
| IN→OUT | Accident data studies | Driver’s consent | Vehicle/driver data: study period; Vehicle technical data: 5 years | Data subject; Service provider; Processor | Study’s consent form |
| IN→OUT | Commercial use of vehicle data | Contract | Commercial data: contract period, and beyond that period data may be archived to prevent litigation; Utilisation data: limited period and then aggregated for the rest of the contract period | Data subject; Service provider (only for performance data) | Contract |
| IN→OUT | eCall system | Compliance with a legal obligation (Regulation 2015/758) | As long as is required for the processing purpose | Data subject; Service provider; Processor | Driver’s manual |
| IN→OUT | Auto theft strategy | Driver’s consent / performance of a contract | Geolocation data: investigation period | Data subject; Service provider; Monitoring platform; Legal authorities | Contract |
| IN→OUT→IN | Remote maintenance | Contract | Commercial data: contract period, and beyond that period data may be archived to prevent litigation; Utilisation data: limited period and then aggregated for the rest of the contract period; Data relating to actions on the vehicle: vehicle lifetime | Data subject; Service provider; Processor | Contract |
| IN→OUT→IN | Enhancement of the driving experience | Contract | Commercial data: contract period, and beyond that period data may be archived to prevent litigation; Utilisation data: limited period and then must be aggregated for the rest of the contract period | Data subject; Service provider; Processor | Contract |