Legal challenges of data-driven mobility

Out-Law Analysis | 04 Nov 2020 | 4:56 pm | 6 min. read

Data is central to the way new connected, autonomous and electric vehicles operate. This requires automotive businesses to address issues such as data ownership, data access and data sharing, as well as the protection of personal data, at the outset of vehicle development.

Sound data governance, beginning at the earliest stage of development, can help original equipment manufacturers (OEM) and their suppliers address the legal challenges that arise around data privacy and security as well as broader data-related issues of availability, accessibility, consistency, integrity and efficient data and risk management.

Data trusts have the potential to help improve data sharing within the automotive sector at a time when stiffer regulation on that front is anticipated. Automotive manufacturers should explore such options and look to understand how the regulation of data in the sector is likely to evolve.

Data ownership

In the EU, the concept of data ownership is not regulated, and statutory protections of interests in data are very limited. For instance, data might be protected in exceptional cases by copyright or database rights, if it qualifies as a 'trade secret' or is subject to obligations of confidentiality. In all other situations, businesses only "own" data as long as they have the data in their possession or otherwise under control.

Appt Stephan

Dr. Stephan Appt, LL.M.

Rechtsanwalt, Partner, Head of German TMT

Issues to consider upfront are whether, to what extent and under which conditions the various businesses involved can collect, store, share, use or sell the data 

This fact can serve as a barrier to the sharing and trading of data, as some businesses fear they will lose the ability to capitalise on their investments in data if they share that data with others. Properly designed contractual frameworks are therefore important to enable businesses to exercise control of their data when collaborating with others.

Issues around data ownership are exacerbated in the context of future mobility because of the often large number of individuals and businesses with interests in the data derived from vehicles. For instance, connected or autonomous vehicles will transmit large volumes of data that is relevant to or about the driver, the car owner – if different from the driver, the manufacturer, insurance firms, telematics service providers, and public bodies, among others.

In certain cases, individuals and organisations could lay claim to having created or produced the data, or compiled, chosen, structured, re-formatted, enriched, evaluated, licensed, or added value to the data. However, any data ownership claim raised on this basis could affect the further application of the related technology.

Issues to consider upfront are whether, to what extent and under which conditions the various businesses involved can collect, store, share, use or sell the data.

Although the EU strategy on the future of transport and mobility – towards a data driven European transport and mobility ecosystem – is still evolving, and data-related reforms in this context remain possible, for now the only feasible option is a complex capturing of relationships between different actors in contractual arrangements. Agreements may govern specific issues, including obligations relating to the data sharing, warranties regarding the quality of data, recipient's responsibilities to handle the data following specific rules set forth by the data owner, possible transfers of data to third parties, ownership issues, consideration, confidentiality and many others. Given the complexity of data flows, and a multitude of stakeholders, an elaborate chain of agreements needs to be put in place.

One way of navigating issues of data ownership, and promoting better sharing of and access to data, is through data sharing platforms and data trusts, with the latter providing a framework for independent stewardship of data and the way it can be used.

Processing personal data

The generation and use of mobility data impose significant risks for personal data protection. The use of personal data is governed strictly by data protection laws. The providers of future mobility solutions often think globally, and so global compliance with data protection rules requires a holistic approach. Compliance with the EU General Data Protection Regulation (GDPR), as one of the strictest data protection laws worldwide, can be taken as a blueprint for further adjustments in other relevant jurisdictions.

Appt Stephan

Dr. Stephan Appt, LL.M.

Rechtsanwalt, Partner, Head of German TMT

Complex consent management systems may need to be created to account for the sheer volume and various categories of data and the potential involvement of many different individuals who may use the same means of connected transportation

Under the GDPR, and increasingly in other jurisdictions too, the concept of 'personal data' is defined broadly. For example, mobility data that on the face of it is not attributable to an individual may nonetheless be classed as 'personal data' under the GDPR if it can be traced back to individual, such as after being linked with a vehicle identification number or licence plate registration. Because of this broad definition, many businesses often lack the confidence to assess data as non-personal data falling outside the scope of data protection law.

Differentiating between personal and non-personal data is even harder in mixed datasets where both types of data are inextricably linked and it is not technically possible or economically feasible to separate the different data types. However, the EU's Free Flow of Data Regulation makes clear that datasets of this nature, including the non-personal data they may contain, should be processed in its entirety in accordance with the GDPR.

The European Data Protection Board (EDPB) has issued guidelines on processing personal data in the context of connected vehicles and mobility related applications. The EDPB has said that, in many cases, such as when processing location data, the consent of the individual to the processing of their data is required. Consent is one of the lawful bases for processing personal data specified by the GDPR. Complex consent management systems may need to be created, however, to account for the sheer volume and various categories of data and the potential involvement of many different individuals who may use the same means of connected transportation. Businesses involved in smart mobility should:

  • Have a real-time insight into the consent status of each consumer;
  • Give transparent information in a concise and engaging way: only informed consent is valid;
  • Use a multi-channel and customer-friendly approach: deliver information, data management as well as opt-in and opt-out opportunities via all human-machine interfaces, such as in apps and at the website;
  • Consider that a vehicle can have more than one owner or driver: family members, rental cars, corporate vehicles, car sharing or even ride sharing;
  • Establish a data lifecycle strategy and consider anonymisation of data necessary for future use, as consent to the processing of personal data can be withdrawn at any time

Data access and data sharing

Although data sharing and arrangements around data access can increase the value of data to its owners and users, the current legislative framework does not regulate conditions for active data sharing between businesses in the mobility market. However, EU policymakers are behind efforts to liberate data from the silos they are currently held in.

Measures under consideration include paying companies compensation to share data, providing them with tax breaks, or investing public funds in new technology tools or recognition schemes for data sharing. New data sharing obligations are also under consideration and could focus on public policy aims of improving road safety or promoting competition.

Appt Stephan

Dr. Stephan Appt, LL.M.

Rechtsanwalt, Partner, Head of German TMT

Given the direction of travel on policy and regulation around data sharing, businesses in the automotive sector may wish to consider exploring voluntary industry codes of conducts for data sharing to ward off more burdensome and prescriptive intervention

The mobility sector is one of the few sectors already subject to various data sharing obligations. There was recent reform in this area. The EU Vehicle Type Approval Regulation, which entered into force in September 2020, extends the scope of information to be made available to third party aftermarket services by OEMs.

In addition to already existing obligations to provide unrestricted and standardised access to vehicle repair and maintenance information (RMI), on-board diagnostics (OBD) information and respective training materials, OEMs are now required to provide information necessary for the remote diagnostic support of a vehicle. The information must be provided in standardised and machine-readable format. OEMs are not necessarily obliged to provide this information free of charge, but any pricing must be appropriate and non-discriminatory.

Given the direction of travel on policy and regulation around data sharing, businesses in the automotive sector may wish to consider exploring voluntary industry codes of conducts for data sharing to ward off more burdensome and prescriptive intervention. The EU code of conduct on agricultural data sharing, developed by industry bodies COPA-COGECA and CEMA, is an example of what has been achieved in other sectors. The German automotive industry is already leading ongoing discussions around the Neutral Extended Vehicle for Advanced Data Access (NEVADA).

EU data-related reform on the horizon

The European Commission's digital strategy is largely focused on creating a single market for data which would ensure Europe’s global competitiveness and data sovereignty. The Commission has pledged to further promote data sharing and data access in several sectors, including the mobility sector. This is likely to shape the further development of so-called intelligent transport systems (ITS) and have an impact on a wide-range of businesses active in the sector.

While the Commission has said that its general approach will be to "facilitate voluntary data sharing" it has not ruled out making data sharing mandatory in some cases "under fair, transparent, reasonable, proportionate and/or non-discriminatory conditions" if voluntary instruments for data sharing would fail. The Commission has said that legislative intervention on business-to-business data sharing would be "sector-specific" and only in cases where "market failure in this sector is identified or can be foreseen, which competition law cannot solve".

Automotive manufacturers and other companies concerned with the future of mobility services must also closely track the planned reforms to EU 'e-Privacy' rules. It is currently envisaged that both electronic communication between persons and machine-to-machine communication will be regulated under the proposed new e-Privacy Regulation. Processing of such communication will require its own legal basis. If adopted in current form, this regulation will be especially relevant to connected cars and smart transport systems which require constant communication with their surrounding environment.

Co-written by Lauro Fava and Christina Kirichenko of Pinsent Masons.

The way we move is changing radically – climate change, superfast telecoms networks, electrification, AI and digital payments are rewriting the transport rulebook. Autonomous and shared vehicles and mobility as a service are fast becoming a reality.