Nowadays a growing number of car manufacturers are including services such as camera assistance for parking, remote control of the vehicle, voice recognition or breakdown alerts in their vehicles. These tools are incorporated in our daily life to enhance road security and customer satisfaction.

The announcement of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) on the investigation of 10 big car manufacturers on the use of personal data collected via so-called ‘connected cars’ has reopened the discussion on whether connected vehicles are GDPR compliant or not.

Far-reaching Implications

The lack of compliance of connected vehicles might affect a great number of users. According to the European Data Protection Supervisor (EDPS), car manufacturers obtain 25 gigabytes of data per hour from our vehicles. In December 2019, the EDPS also published TecDispatch#3 Connected Cars. It confirmed that last year 80 cyberattacks took place against the smart mobility ecosystem.

Read together these numbers underline the importance of the data generated by connected vehicles. They highlight the need for addressing and investigating their compliance.

GDPR principles & Connected Cars

Following the Guidelines of the European Data Protection Board, connected vehicles potentially involves a risk to five out of seven GDPR principles:

  • Lawfulness, fairness & transparency: connected vehicles have created a complicated system of parties that process the data (car manufacturer, road authorities, insurance companies…) This leads to the complexity of drafting a privacy statement that includes all the different purposes, controllers and processors and still keep it short and readable for the customer.
  • Data minimization: car manufactures might be collecting more data than needed to provide their services. The use of sensors or learning machines allows the capture and processing of a large amount of data that might not be needed for providing the services.
  • Data accuracy: due to the big number of parties involved, it is challenging for the data subject to know to whom to go in case s/he wants to correct his/her personal data.
  • Purpose limitation: since the car manufacturers do not inform you about who the data is shared with and for what. The data collected to improve the quality of car parts could also be used by insurance agencies to offer a different insurance premium or by the road authorities to improve traffic safety.
  • Storage limitation: once the data is no longer needed for the purpose it was collected for, it must be deleted. Connected vehicles collect data for different purposes therefore, different deletion times might apply. It is not clear how long the data is stored for and how manufacturers ensure deletion.

Accountability, integrity and confidentiality

In addition, we (i.e. Cuccibu) also believe that the principles of accountability and confidentiality & integrity might be endangered within connected cars:

  • Accountability: There is a lack of clarity of which parties are involved in data processing within connected vehicles. This creates a great difficulty on making companies accountable for their use of our data. Car manufacturers might be aware of who are their subcontractors and processors. Nevertheless, are they really aware of the subcontractors of the subcontractors or processors of the processors? How can they ensure that all of these companies are GDPR compliant?
  • Integrity & Confidentiality: as the number of parties involved in connected vehicles is large, the data flow circulation is also high and therefore, the possibilities of leaks are also more likely. Moreover, all the companies that are dealing with the data processing need to ensure that the security measures are appropriate. For example to avoid any unauthorized access.

What risks does this pose for me?

The most obvious risk that we encounter as customers is the lack of control over the processing of our data. It is complicated to know who is processing our data, what the purpose of the processing is and what the legal basis is etc.

The absence of clarity has an impact on the possibility of exercising our data subject rights. It also has an impact and our ability to make an informed decision on whether we want to purchase a connected car or not.

What should I watch out for when buying a connected car?

When you a buying a new car, make sure to remember that the dealer needs to inform you about:

  • Which personal data the vehicle will collect, process and transfer;
  • Why they are processing this personal data;
  • Who the vehicle will share this personal data with;
  • How you can exercise your data subject rights, such as the right to access or erasure;
  • Who you can contact, in case of questions or complaints, about the personal data your car processes?

Please note that the legal ground applicable for the data processing will determine the rights of the data subject. For instance, on the one hand, if the processing is based on the consent of the customer, they always have the right to refuse the processing. Or, they may at a later time withdraw the mentioned consent. If special personal data is recorded the controller needs to obtain explicit consent. For instance, the geolocation of your vehicle that records you going to the doctor.

Alternatively, if the legal basis is legitimate interest the data subject has the right to object the processing. Additional explicit consent for the processing of special personal data will still need to be obtained.

Need advice?

If you have any questions or concerns related to the selling of connected cars in a GDPR compliant way, please contact our professional consultants via info@cuccibu.nl or +31 (0) 85 303 2984.