OUT-LAW NEWS 3 min. read

Automotive businesses get connected vehicles location data guidance

Cars and the Arc de Triomphe

Dovapi/iStock.


New guidance issued by France’s data protection authority offers strong legal and technical support to automotive businesses concerning the processing of location data, an expert has said.

Paris-based Anne-Sophie Mouren of Pinsent Masons, who specialises in data protection law, was commenting after Commission nationale de l'informatique et des libertés (CNIL) set out final recommendations (60-page / 1.56MB PDF, in French) on how businesses can use location data from connected vehicles. The guidance focuses on the use of connected vehicles by private individuals, whether as owners or hirers. The CNIL made clear that it does not cover the use of company cars or service vehicles made available to employees by their employers.

Location data is information that records the geographic position of connected devices. Because those devices – including vehicles – are commonly associated with individuals, it can reveal where a person is or where they have been, and in turn provide an insight into a person’s habits, interests and activities. As a result, location data can constitute personal data, the processing of which in the EU is subject to the rules in the General Data Protection Regulation (GDPR).

Under the GDPR, ‘controllers’ are mainly responsible for the processing of personal data, but businesses that process the data on a controller’s behalf – ‘processors’ – also face specific legal obligations under the regulation, on top of contractual requirements imposed by controllers.

Mouren said: “In the context of a connected vehicle, many different businesses may have a role to play in the processing of location data. Those businesses might include the car manufacturer, the fleet manager, maintenance or assistance providers, data aggregators and integrators, telematic solutions suppliers and insurers. The CNIL goes into specific details and provides practical examples to clarify who qualifies as a controller or processor and when.”

“The guidance also addresses the legal basis on which location data can be processed and the conditions under which data subjects’ rights should be handled. It also states that the purpose of the processing should determine whether vehicle location tracking is activated, and to what extent it is activated, and addresses how long location data should be retained for,” she said.

“Although the document is not exhaustive, it will help the industry understand the CNIL’s rationale and apply its reasoning to their specific situation,” Mouren added.

Personal data can only be processed on specific grounds, each of which the GDPR refers to as a ‘lawful basis’. Consent is one possible lawful basis, but there are others too. The CNIL said it may be possible to process location data on the basis that it is necessary for the performance of a contractual service provided to the data subject. It gave examples in its guidance.

For example, it said that the contractual basis could apply to the processing of location data for the purpose of combating theft if the vehicle user has entered into a contract or an optional contractual clause specifically for this purpose – such as if the contract provides for vehicle tracking to enable it to be located in the event of theft. The CNIL said, though, that the processing of location data cannot be based solely on the contract of sale for the vehicle, as this processing is not objectively necessary for the supply of the goods.

The CNIL also advised that, in general, the processing of location data should take place locally, within the vehicle or the device connected to the vehicle, where feasible, with only certain events – like a breakdown – triggering its transmission to a controller’s servers.

Automotive companies should also provide for the segregation of location data uploaded to their systems, so that if there is a breach of the confidentiality of data in one part of the system it does not directly result in the loss of confidentiality of data in another part.

The CNIL recommended the use of separate databases, permissions, views or controls in respect of location data from connected vehicles, such as differentiated authorisation profiles and access rights per client and processing purpose. It also said consideration should be given to segregation according to the risks associated with the location data and by purpose of processing, with the latter aimed at ensuring compliance with the ‘data minimisation principle’ that applies under the GDPR. This requires organisations to ensure that their processing is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Trending topics across the site:

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.