Out-Law Analysis 9 min. read
13 Apr 2017, 1:42 pm
This brings significant new challenges and obligations relating to the collection, use and protection of such data.
Legislation is developing that stands to have a major bearing on the way car manufacturers develop connected cars. The European Commission's planned new Privacy and Electronic Communications (e-Privacy) Regulation is one area of reforms that businesses involved in developing connected cars should track closely.
Car manufacturers could be barred from selling 'connected cars' if they do not conform to new data sharing standards envisaged in the Commission's proposals.
The e-Privacy proposals, together with reforms delivered under the General Data Protection Regulation (GDPR), require vehicle manufacturers to make the management of customer data a more central part of their business.
Developing connected cars with rules on third party data sharing in mind
The e-Privacy reforms, as drafted, could affect the way connected cars are built and sold, and restrict manufacturers' scope for sharing data from those vehicles with third parties.
Under the proposed Regulation, which would be directly applicable in each EU member state, manufacturers and retail distributors of vehicles would have to ensure that the systems in vehicles being "placed on the market" are configured in a way that prevents third parties from processing data generated by those vehicles, unless they have the user's consent to enable third party access to that data.
This requirement can be read as building upon the privacy-by-design and privacy-by-default requirements of the GDPR. The e-Privacy provisions could effectively prohibit the sale of connected cars in the EU which do not meet this requirement.
Car manufacturers could look to raise awareness of the benefits of data sharing to customers and obtain consent from connected car buyers to third party data sharing through sales contracts or associated documentation to meet the obligations.
Like with breaches under the GDPR, sanctions for non-compliance could be severe. Fines of up to €10 million, or 2% of a car manufacturers' total worldwide annual turnover, whichever is higher, are envisaged for a breach of the provisions on default third party data sharing settings under the proposed e-Privacy Regulation.
MEPs and law makers at the EU's Council of Ministers could amend the Commission's e-Privacy proposals, so car manufacturers should monitor for developments on the legislation.
New obligations on confidentiality
The Commission also intends for the e-Privacy Regulation to apply to machine-to-machine communications, such as the communications that are envisaged between connected cars and other vehicles or road infrastructure.
This means that, for the first time, connected car manufacturers could find themselves subject to rules designed to ensure the confidentiality of communications and the data flowing over communication networks. It would mean they would be responsible for ensuring that there is no interference with electronic communications data through listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of such data.
Some EU countries have already taken steps to bolster the powers that law enforcement agencies and intelligence and security services have to access data for the purpose of preventing, detecting and investigating acts of terrorism or serious crime.
The connectivity of the car, therefore, could see car manufacturers drawn into a scenario where law enforcement agencies could demand access to a vehicle’s data to help them track a terrorist’s location. Connected cars mean everyone’s location and journey history is potentially available to a third party. This places the vehicle manufacturer at the centre of far reaching questions about civil liberties and the role of the state.
In most jurisdictions, data protection regulations have not been developed to deal with the specific implications of connected and autonomous cars.
CNIL, the French data protection authority, has taken particular interest in privacy issues concerning the connected car, however. In March 2016 the watchdog launched a connected car compliance package in consultation with the automotive industry, some innovative companies in the insurance and telecoms sectors and public authorities. The final package is expected to be published in spring 2017, according to CNIL's most recent annual report.
CNIL uses compliance packages to promote good practices among actors in a particular sector, as well as to introduce legal obligations in an operational manner and simplify administrative formalities.
The connected car compliance package should provide guidelines in order to ensure the most responsible use of data in the next generations of cars, and is likely to look to boost transparency and give people more control over how their data is collected and processed. It is also likely to further promote the protection of personal data throughout the product life-cycle, starting from the conception of the products, in line with the principle of 'privacy by design'.
The approach taken by CNIL should be watched keenly by car manufacturers as the head of the organisation also serves as chair of the Article 29 Working Party, a committee that represents all national data protection authorities across the EU.
The current divergent approach to data protection taken by countries inside and outside of the EU raises the question of what happens when the vehicle crosses a border. Can collected data be sent across borders e.g. in order to establish a centralised connected car data centre, and if so, under what restrictions?
The GDPR will provide some comfort by providing a common set of laws for all the EU member states. However, challenges remain with regard to data transfers to recipients outside the EU. Non-European car manufacturers or service providers will be subject to the GDPR as it applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU in many cases. This will, however, be difficult to enforce.
Apart from mandatory data protection impact assessments, the use of privacy by design and privacy by default, and the question around data portability, a further significant change coming with the GDPR will be the threat of fines for non-compliance of up to 4% of the total worldwide annual turnover.
In the context of the connected car, a whole range data could be gathered, ranging from infotainment systems, event data recorders and diagnostic systems, the cameras and the safety sensors on the car and embedded SIM cards. Increasing connectivity and power of data analytics means that the data generated by connected cars is likely to qualify as 'personal data', and therefore fall subject to the GDPR and e-Privacy Regulation.
Indeed, a data protection declaration issued in 2014 by global data privacy watchdogs on the subject of data generated by devices, or 'internet of things' (IoT) sensor data, said businesses should treat that sensor data as personal data.
The European Commission confirmed that approach applies to connected cars in a new connected cars strategy published in November 2016. It said that all data broadcast by connected cars "will, in principle, qualify as personal data", and that the processing of that data would need to adhere to the GDPR when it comes into force in 2018.
However, it is less clear who owns data generated by connected cars.
Germany’s civil law code, for example, does not recognise ownership of personal data, only the ownership of data carriers. The concept of ownership of personal data is not clearly recognised under English law either.
If manufacturers are not able to achieve the contractual ownership of certain data carriers, the rightful ownership of the vehicle as a data carrier would entitle the owner to prevent third party access to vehicle data and to demand access to technically locked data memories in the vehicle. Because of this, external access is usually subject to a contract or declaration of consent.
Clarity is required around the data that may be generated, stored, and used and where required consents secured from owners, drivers and even passengers. This is even more complicated where the vehicle is shared amongst various users or when it is sold. Users of connected data may need to set up procedures to establish contact and obtain consent to the use of the new owner/users’ data.
Manufacturers and service providers must manage risks posed by any third-party IT suppliers who process data on their behalf. If they collaborate with a tech company to provide connected services and that partner breaches data protection rules, then manufacturers and service providers themselves may also be liable. Due diligence and contractual assurances will be ever more important.
Questions of ownership may be addressed in future regulations.
In January 2017, the European Commission set out its plans to build the EU's 'data economy'. Its paper set out a wide range of options that it could pursue to liberate data held in "silos" and help businesses put it to use to boost economic growth.
One of the options under consideration is the creation of a new licensing regime for anonymised "machine-generated data". The Commission said such a framework could require manufacturers – such as connected car manufacturers – required to provide access to the data they hold on fair, reasonable and non-discriminatory (FRAND) terms.
A new "data producer's right" could also be introduced, it said, giving the owner or long-term user of a device a right to use and authorise the use of non-personal data.
Cybersecurity will be critical
Data security, including cybersecurity, is a critical issue. Whether the data is stored in the car or in a cloud database, effective security measures will need to be in place to protect the data.
Manufacturers of connected cars will also have to plan for data loss incidents, including implementing appropriate crisis management procedures to ensure the cause of the data loss can be analysed without undue delay, to minimise the impact of a data breach and to comply with reporting obligations to the authorities and affected individuals.
The GDPR provides for the possibility for stiff financial penalties to be imposed where businesses fail in their duties to implement reasonable measures to protect personal data.
The proposed e-Privacy Regulation could also put the onus on connected car manufacturers to share knowledge of security risks directly with customers.
Regulatory authorities are expected to pay particular attention to vehicle IT, and the role of encryption, program code signatures, hacking tests as well as the practical implementation of principles of data protection law, including data economy, privacy by design and privacy by default.
In a sign of the increasing scrutiny, the European Union Agency for Network and Information Security (ENISA) said earlier this year that technology developed to enhance car user experience or vehicle safety should be the subject of independent third-party cybersecurity testing.
The market has been responding to the increasing cybersecurity risks posed by increasing connectivity and the IoT. A new IoT Cybersecurity Alliance has been established to research and promote better IoT security. Members of the Alliance include IBM, Nokia and Symantec.
Managing data effectively is a critical business issue
Significant potential revenue streams and manufacturer and customer benefits risk being lost if the data from connected cars cannot be widely used, in particular for big data analytics.
More information about the use and operation of vehicles can improve customer satisfaction; allow for predictive maintenance; enable more personalised insurance products; make more effective use of road space and improve safety.
The use of data is going to be a complex issue for the developers of connected and autonomous vehicles. It will require careful management and a detailed understanding of the different approaches in different countries and their changing requirements.
Manufacturers need to consider the concept of 'privacy by design' from the very beginning. If data regulation is not considered from the start of the design phase for a new vehicle, car makers may not be able to use the vehicles in particular countries without unplanned adjustments which are costly and have a potential to disturb any uniform sales as well as maintenance processes.
Wherever the applicable regulation is unclear, manufacturers would be well advised to consider the potential for deactivation of certain features in order to avoid, in a worst case, product recalls if the car does not comply with privacy laws in a particular jurisdiction.
On the other hand, where more or less any car data qualifies as personal data and if, in many cases, the users have a right to opt out of sharing, for example, location data this will undermine connected and autonomous car safety features, like the ones based on the ability of connecting all cars and their location.
Careful assessment will therefore be needed to determine in which instances a public good, like avoiding collisions, can override privacy concerns. For example, should a driver be able to opt-out of the use of personal data for a feature that warns drivers of slippery roads or obstacles lying ahead? At the moment, there is no obligation that drivers keep their radios on to listen for traffic and road hazard warnings, so it would represent a change of approach to use more advanced technology to favour health and safety potentially at the cost of privacy.
In this context some argue that European privacy concerns could potentially stand in the path of connected and autonomous car collision avoidance strategies, making it clear that these complex and profound issues will need to be addressed by policy makers.
Stephan Appt is an expert in data protection laws and connected and autonomous vehicles at Pinsent Masons, the law firm behind Out-Law.com.