EDPB Publishes Draft Guidelines on Connected Vehicles
The European Data Protection Board (EDPB), an independent body that promotes cooperation and consistent application of data protection rules throughout the European Union, has released draft guidelines on connected vehicles and mobility-related applications. The final guidelines will be released after comments are reviewed.
Connected vehicles collect data on a scale that would have been hard to imagine in the past, drawing on countless sources and covering many data types.
Connected vehicles already available on the market collect data from sensors and onboard equipment. They are truly computers on wheels, collecting and recording data such as engine performance, driving habits, locations visited, and even driver biometric information, such as eye movements, pulse, and fingerprint data.
Under European law, most of the data collected by connected vehicles are considered personal data because the sensors and equipment compile data and metadata that relate to natural persons, whether the driver or the passengers. Even if the data do not directly link to a particular individual by name, the increasingly sophisticated technical features of vehicles make it more and more possible to attribute data to a particular driver or passenger. For example, data relating to driving style or distance covered, wear and tear on vehicle parts, or data collected by cameras may come to be considered personal data over time.
According to the EDPB, three categories of personal data are particularly sensitive and need special attention and treatment: (1) location data, (2) biometric data, and (3) data that could reveal offenses or traffic violations.
- Location data reveals “life habits” of drivers and passengers. It provides inferences about employment, home address, centers of interest, and protected classification information like religion or sexual orientation. Vehicle and equipment manufacturers, service providers, and other data controllers should only retain location data when it is absolutely necessary. For example, a weather application should not access the location data every second, even if the data subject gives consent.
- Biometric data is increasingly used for identification purposes, such as to enable access to a vehicle or to a driver’s profile settings and preferences. Biometric data such as face models, voice models, or fingerprint minutiae are already used in many vehicle models. The EDPB’s suggestions for biometric data include limiting the number of authentication attempts, using sensors resistant to attacks, processing raw biometric data in real time without storing it (even locally), and incorporating encryption with key management that complies with the state of the art.
- Data related to potential criminal offenses, including traffic violation data, can be processed under certain exceptions, such as accidentology studies. However, the EDPB suggests that this type of information only be processed locally and under the control of the data subject (the vehicle operator). If processed by a manufacturer or central processor, it should be protected with strong security measures to prevent illegitimate access, modification, and deletion. Manufacturers may provide such data to law enforcement if specific conditions for such processing are in place. Note that processing data for the sole purpose of fulfilling requests from law enforcement is not a specified, explicit, and legitimate purpose under Art. 5(1)(b) of the General Data Protection Regulation.
EDPB Guidance
The EDPB provides general guidance as well as several case studies. The case studies cover situations where personal data are sent to a third party or where processing cannot be done locally in the vehicle.
Some notable general guidance is summarized below.
- Consider how to obtain consent in the connected vehicles context. Consider obtaining consent on the onboard computer, distinct from the general consent given at sale or first use. Do not collect these types of data by default or continuously, but only when the relevant function is activated. Also, where possible, consider using icons on screens to show when sensitive data is being collected. After collection, define a limited storage period.
- Implement local processing of personal data where possible and ensure adequate security. Privacy by design and other general best-practice principles continue to apply to connected vehicles. But in particular, local data processing should be used wherever possible. If local data processing is not possible, then consider “hybrid processing,” which prevents third parties from gaining access to raw data. Instead, third parties like insurance companies would receive aggregate data.
- Recognize the different potential security vulnerabilities and risks involved in the event of a breach. The multiple functions and interfaces in connected vehicles increase the number of potential vulnerabilities and domains for attack. And the security breach of a connected vehicle may endanger the lives of drivers, passengers, and others on the road. Implement security measures such as partitioning the vehicle’s vital functions from telecommunication capacities, set up an alarm system in the case of an attack, and implement technical measures that enable vehicle manufacturers to rapidly patch vulnerabilities during the entire lifespan of the vehicle.
- Rigorously utilize encryption and hashing. The EDPB offers specific guidance on how encryption should be implemented. For example, it recommends regularly renewing encryption keys and putting in place an encryption-key management system that is unique to each vehicle, as opposed to management systems shared across a vehicle model. In addition, data integrity can be bolstered through methods like hashing.
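The "hybrid processing" and key-management points above can be shown together in a short worked example. The following Python is an added illustration written for this summary; it is not code from the EDPB guidelines or from any manufacturer. It assumes a hypothetical manufacturer master key held in backend key storage, a constructed set of per-second trip samples, and a constructed VIN; the key-derivation scheme (HKDF per vehicle and per key epoch, so each vehicle gets its own regularly renewed key) and the HMAC-SHA256 integrity tag are the author's choices, not prescribed by the guidelines. The raw samples, including location, are reduced to aggregates inside the vehicle before anything is shared with a third party such as an insurer, and the shared record carries a tag that a verifier holding the master key can check.

```python
import hashlib
import hmac
import json
from statistics import mean

# Constructed sample: raw per-second telemetry that stays inside the vehicle.
RAW_TRIP_SAMPLES = [
    {"t": 0, "speed_kmh": 50.0, "lat": 48.8566, "lon": 2.3522, "brake": 0.0},
    {"t": 1, "speed_kmh": 54.0, "lat": 48.8567, "lon": 2.3525, "brake": 0.0},
    {"t": 2, "speed_kmh": 30.0, "lat": 48.8569, "lon": 2.3529, "brake": 0.9},
    {"t": 3, "speed_kmh": 10.0, "lat": 48.8570, "lon": 2.3531, "brake": 0.7},
]

# Hypothetical fleet master key (assumption). A fixed value is used only so the
# example is reproducible; a real deployment keeps this in an HSM or backend KMS.
MASTER_KEY = bytes(range(32))


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand: T(n) = HMAC(PRK, T(n-1) | info | n)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vehicle_key(master_key: bytes, vin: str, epoch: int) -> bytes:
    """Key unique to one vehicle (VIN, not model) and to one key epoch.

    Bumping the epoch renews the key without touching the master key, which
    is one way to implement the 'regularly renew keys' recommendation.
    """
    prk = hkdf_extract(salt=b"example-fleet-salt", ikm=master_key)
    return hkdf_expand(prk, info=f"telemetry-mac|{vin}|{epoch}".encode())


def aggregate_trip(samples: list) -> dict:
    """Hybrid processing step: reduce raw samples to aggregates in the vehicle.

    Location and per-second values never leave this function; only counts and
    summary statistics are returned for sharing.
    """
    speeds = [s["speed_kmh"] for s in samples]
    hard_brakes = sum(1 for s in samples if s["brake"] >= 0.5)
    return {
        "samples": len(samples),
        "avg_speed_kmh": round(mean(speeds), 1),
        "max_speed_kmh": max(speeds),
        "hard_brake_events": hard_brakes,
    }


def seal_record(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag over a canonical JSON encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def verify_record(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; False on any tampering."""
    expected = hmac.new(key, sealed["payload"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def share_with_third_party(samples: list, master_key: bytes, vin: str, epoch: int) -> dict:
    """What the vehicle emits: aggregates plus an integrity tag, no raw data."""
    aggregate = aggregate_trip(samples)
    key = derive_vehicle_key(master_key, vin, epoch)
    # The record references a policy, not the VIN; the VIN only feeds key derivation.
    return seal_record({"policy_ref": "POLICY-EXAMPLE-42", "epoch": epoch, **aggregate}, key)


if __name__ == "__main__":
    vin, epoch = "VIN-EXAMPLE-001", 7
    sealed = share_with_third_party(RAW_TRIP_SAMPLES, MASTER_KEY, vin, epoch)
    print(sealed["payload"])
    print("valid:", verify_record(sealed, derive_vehicle_key(MASTER_KEY, vin, epoch)))
    print("other vehicle's key:", verify_record(sealed, derive_vehicle_key(MASTER_KEY, "VIN-EXAMPLE-002", epoch)))
```

Because the tag key is bound to both the VIN and the epoch, a record verifies only with that vehicle's current key: a key from another vehicle, from a previous epoch, or a record whose aggregate values were edited in transit all fail verification. The verifier in this example is the party holding the master key (the manufacturer's backend); the insurer receiving the record sees only the aggregates.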
Practical Tips
We recommend reviewing the examples and case studies provided in the EDPB guidance and considering implementation into your organization’s policies, not just for vehicles but for other Internet of Things devices, even if your organization does not formally fall under EDPB jurisdictional scope.
From a practical standpoint, manufacturers may work now to institute steps to obtain just-in-time consent to collection and to work on implementing local processing. While the guidelines are focused on Europe, US manufacturers may also consider these steps as safeguards in the development process.
Additionally, consider whether you or your organization would like to submit comments. To view the draft guidelines, please see here. The EDPB will accept comments through May 1, 2020, through the EDPB form, which can be accessed here. Please note that comments may be published on the EDPB website for public view.