The EDPB guidelines on connected cars: vehicle data processing practices
Introduction
Like many other sectors, the automotive industry is not immune to technological challenges from the digital world. Such challenges prompted the European Data Protection Board ("EDPB") to adopt guidelines on connected cars.1 Their aim is to facilitate compliance with the GDPR and the e-Privacy Directive by the various stakeholders involved in the processing of personal data within the connected car ecosystem.
Smart cars are next-generation vehicles characterised by the ability to be networked or connected to each other. They collect data in the same way as a computer or smartphone, even if that data is not directly linked to a name. For example, the vehicle stores information on driving style and speed or collects data from the connection with the user's cell phone. Of particular importance is geolocation information, as it reveals the habits of the vehicle user and can indicate their place of residence or work, or their focus of interest, from which sensitive information such as religious orientation (through the place of worship) can also be deduced.
The guidelines list the following personal data:
- location data;
- biometric data; and
- data that could reveal crimes.
Smart car manufacturers and developers are asked to act in line with the concepts of data protection by design (privacy by design) and protection by default (privacy by default), as required by Article 25 of the GDPR.
Cars and personal data processing
Among the several issues addressed by the EDPB, this paper analyses those of particular interest for data privacy practitioners.
The guidelines do not clarify the roles and responsibilities of the various parties (i.e. car manufacturers, infrastructure providers, third-party apps that provide information to the user, etc.) involved from time to time in the processing of personal data through the vehicles' devices. These are very complex ecosystems, for which there is no "one-size-fits-all" solution and a case-by-case analysis will have to be conducted.
With regard to the identification of the legal basis for the processing of personal data using in-car terminal equipment, the EDPB clarifies that - for the purposes of accessing and storing data on such equipment - the criteria set out in the ePrivacy Directive must be applied: therefore prior consent of the user has to be obtained.2 For all subsequent processing, Article 6 of the GDPR will apply.
Identifying consent as the legal basis also has important consequences for subsequent uses (for purposes different from the original ones) of the huge amount of data that is collected through the connected car. In fact, the EDPB specifies that any further use of personal data must in turn be based on the (informed) consent of the user and it will not be possible - for the owner - to proceed to further processing based solely on the compatibility test provided by Article 6.4 GDPR. Indeed, it should be recalled that, according to Article 6.4 GDPR, a compatibility test, verifying the link between the various purposes, the context in which the data was originally collected, the nature of the personal data, the possible consequences of further processing for the data subject and the existence of adequate safeguards, should be conducted whenever there is a desire to proceed with further use of personal data for purposes other than those of the original collection. Only in the event that the test is positive could one proceed without the need for a new legal basis (and on this principle there is no consensus among the various commentators).
In such a case, however, the EDPB excludes the feasibility of such a procedure. Therefore, it will be necessary to re-obtain consent from the data subjects themselves unless a complete anonymisation of the data collected through the connected car is carried out. In this case, it might be sufficient to carry out the compatibility test mentioned above. This, however, would only apply if the data collected were to be completely anonymised, in accordance with the (very demanding) standards set forth by the EDPB.3 If the data were to be pseudonymised (and thus remain identifiable), it would be necessary to find a new legal basis, which could be linked to a legitimate interest, according to the interpretation of the EDPB.4
The purpose is as follows: cars must collect and transmit as little data as possible about the vehicle's occupants. In fact, the vehicle usually carries the owner, but it is possible that there are also other passengers, whose data is inevitably collected as well. The Privacy Authority states that companies processing users' data will have to operate on the relevant legal basis, which for connected cars is usually the consent of the data subjects (drivers and passengers), and on the principle of necessity, for example for driving assistance and road safety, or for "pay-as-you-drive" type insurance services. In addition, for this type of insurance, an alternative must be provided to motorists that does not require the installation of "black boxes" and mobility tracking.5
More than just cars: IoT devices
The revolution of the auto industry from a mere producer of "traditional" vehicles and ancillary services to a provider of mobility services is changing the face and operations of major players. Modern vehicles are, in fact, IoT devices. Vehicle data can be used for various types of ancillary or non-ancillary services: from navigation, maintenance and diagnostics to the provision of customised infotainment and insurance services, using "C-V2X" (Cellular Vehicle to Everything) technology that enables all-round vehicle connectivity services.
The sale of vehicles is not only associated with the offer of traditional "ancillary" services such as financing and after-sales service packages, but also with new "all-inclusive" mobility services. In this context, new operators are entering the market by offering digital services and competing with OEMs. Platforms are becoming the place where product and service providers meet users and customers and identify their preferences. Developments arising from the use of 5G technology in this sector enable new forms of so-called hybrid connection as illustrated in the recent study commissioned by the Transport Committee of the European Parliament and published in December 2020,6 which also identifies a multiplicity of applications pertaining to the world of mobility. These include CCAM (Connected Cooperative Automated Mobility) applications designed to integrate different driver assistance services, MaaS (Mobility as a Service) applications in which a variety of transport services are integrated into a single mobility service through apps available on demand, and C-ITS (Cooperative Intelligent Transport System) applications to offer services related to safety, traffic and vehicle sustainability.7
In this context, user data plays a key role.
Data and competition matters
While these are the solutions proposed in terms of data protection, it should be borne in mind that data is destined to play a central role in competition matters. This is true not only on the demand side, in terms of orienting customers' choice towards vehicle manufacturers able to offer the best digital services and not at the most competitive price, but also on the supply side, since the possession of or access to such data could lead to significant market power and the development of new business models and digital platforms. Access to the data that the vehicle is able to generate (or in any case related to it) becomes a "strategic" factor for operators, at all levels and in multiple ancillary or non-ancillary markets. From a competitive point of view, as has already happened in other sectors, data will represent a competitive advantage for those who possess it or a barrier to entry for those who are excluded.
Thus, the introduction of restrictive interpretations with respect to the ability to reuse personal data could have important competitive consequences, as we are already beginning to see in other industries, such as AdTech and online advertising, where certain data-intensive behaviours by major players have potentially anti-competitive consequences.8
In-vehicle data access
Specifically, in-vehicle data access is a highly contentious aspect. In fact, the models and standards proposed by the automotive industry based on the concept of the so-called extended vehicle and aimed at protecting cybersecurity and data protection needs, as highlighted by the ACEA Position Paper of 2016,9 are based on information flows that allow "off-board access" by third parties through external servers, so-called "neutral" servers, which will interface with those of vehicle manufacturers in order to avoid any direct access to vehicles or OEM servers that could jeopardise the safety of the vehicle and passengers.
Nonetheless, there is a clear risk that a range of information may not be immediately shared by vehicle manufacturers with third parties who may be interested in providing competing services. In the same consultation concerning the reform of block exemption Regulation no. 461/2010/EU in application of Art. 101.3 TFEU on the subject of motor vehicles, one of the points on which the interested stakeholders requested changes and raised concerns related to the access to technical information. More precisely, it related to the in-vehicle data access to enable suppliers to compete with all mobility operators, some of which might be tempted to act as "gatekeepers" through proprietary methods of access to data on board the vehicle. If not properly regulated, the extended vehicle concept would in fact allow vehicle manufacturers to arbitrarily decide how, when and to whom access is granted. In addition, available data could be limited and pre-processed, thus preventing the development of technically advanced and competitive new services by independent service providers. This control, which would occur primarily through technical design, could therefore deprive consumers of the ability to choose the best services for themselves, while also limiting the ability of market players to innovate. In this case, it would therefore be essential to identify standards that guarantee FRAND (fair, reasonable and non-discriminatory) access to such data to avoid the asymmetries that might otherwise arise between operators.10 On the other hand, compulsory access to data represents a very delicate issue also for the newly proposed Digital Markets Act11 intended precisely to regulate, from a competitive point of view, the conduct of gatekeepers in order to prevent possible violations ex ante, highlighting how it is necessary to treat this issue with great caution in order to avoid it having a negative impact on innovation.
In this regard, one option could be to develop alternative models of data access, which is what has been recently proposed by the main European associations of the supply chain related to the automotive distribution and services industry, which published an alternative sharing model, the Secure On-board Telematics Platform (Secure OTP) in March 2021.12 This is aimed at clearly defining the different roles of vehicle manufacturers, who would act as both manufacturers and service providers, whereby in the latter role they would then compete directly with all other service providers. The implementation of Secure OTP would therefore allow service providers to have their own access to vehicle data through different levels of authorisation depending on the services to be provided.13
Conclusions
From this point of view, we can therefore understand how the same EDPB guidelines could take on a totally different connotation, more or less cogent, depending on the model adopted. Based on such logic, the goal should be, however, to prevent the distortions already experienced in other markets in which data protection arguments have been used by gatekeepers precisely to deny access to data on the basis of the lack of consent of data subjects.14 What is certain is that the digital revolution in the automotive industry is proceeding apace, and it will be necessary to respond to the new market challenges based on an overall logic that takes into account multiple aspects, including regulatory and antitrust issues, IP and data protection, and the necessary interaction between them, to avoid repeating the mistakes of the past.
1 Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications, Version 1/2020 available at: https://images.go.wolterskluwer.com/Web/WoltersKluwer/%7Ba78b36d5-0e92-4e39-8852-a9e4f0e1fd6b%7D_edpb-linee-guida-9-marzo-2021.pdf.
2 Guidelines 1/2020, para. 1.5.3. “Further processing of personal data”.
3 Opinion 05/2014 on Anonymisation Techniques.
4 Ibid.
5 For more information, please see https://www.garanteprivacy.it/web/guest/home/docweb/-/docwebdisplay/docweb/9568537#3.
6 The impact of emerging technologies on the transport system, PE 652.226 – November 2020.
7 The latter closely related to the implementation of the Delegated Regulation adopted by the Commission in March 2019 implementing Directive 2010/40/EU on the framework for the deployment of Intelligent Transport Systems in the field of road transport and interfaces with other modes of transport but rejected by the Council in July 2019 and currently under review.
8 In this regard, please see the recent article published in "Competition Policy International", Data Privacy and Competition Protection in Europe: Convergence or Conflict?, available at: https://www.competitionpolicyinternational.com/data-privacy-and-competition-protection-in-europeconvergence-or-conflict/.
9 ACEA Position Paper, 2016, Access to vehicle data for third party services.
10 In this regard, it is worth mentioning the Nokia Technologies/Daimler case which the Court of Dusseldorf has referred to the European Court of Justice for a preliminary ruling.
11 Proposal for a Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act), December 15, 2020.
12 Secure On-board Telematics Platform Approach, Cecra, FIA, ADPA, etc., 30 March 2021, available at: https://35e4493c-8f48-47f6-86fd-c7f7ae0ab150.usrfiles.com/ugd/35e449_34d53f5358a04910b6125f8096942e1f.pdf.
13 Distinguishing between standard SDK (software development kit) and extended SDK. Specifically, the standard SDK would include all available standardised functions that would not be related to performance/environmental, safety and security functions and no access to functions that could interfere with the type approval requirements of the vehicle. In this way, the vehicle manufacturer would remain responsible for the type approval of the vehicle. The extended SDK would also include access to features related to the environmental, safety or security performance of the vehicle. In this case, as the manufacturer would remain responsible for the approval of the vehicle, the apps created with the extended SDK would have to be validated by the manufacturer or a third party authorised by the manufacturer for use.
14 As was recently the case in the investigation opened by the AGCM in the Google display advertising case, Case A542 of October 2020.