French data protection authority to focus attention on connected cars and smart cities

Out-Law News | 20 Apr 2015 | 2:34 pm | 2 min. read

The data protection watchdog in France has outlined plans to work with car manufacturers and technology companies to ensure people's privacy is respected as 'connected cars' systems become more sophisticated.

In its latest annual report (94-page / 7.10MB PDF), the Commission nationale de l'informatique et des libertés (CNIL) listed connected cars as one of five areas it will focus its attention on in 2015. 'Smart cities' is another subject CNIL will try to increase its influence over, data protection law expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said. 

"In the case of both connected cars and smart cities, CNIL will look to see how business models are structured and involve themselves at an early stage in the development of these industries with the aim of ensuring that citizens' privacy rights are respected," Richard said. 

CNIL plans to collaborate with companies operating in the connected cars market to "build tools that are compliant with data protection laws", Richard said.

Munich-based expert on data protection and connected cars Stephan Appt of Pinsent Masons said the development of connected cars raises a number of privacy issues. 

"Original equipment manufacturers and some of the world's biggest technology companies are in the process of developing increasingly sophisticated 'connected' vehicles," Appt said. "The vehicles are being fitted with technology that enables information to flow over communication networks, providing for new functionality and services, such as predictive maintenance and repairs based on data recorded about car components, to 'infotainment' services." 

"Connected car manufacturers must address a number of data protection issues. This includes ensuring they have a legal basis to collect any personal data recorded by their connected cars technology, they have drivers' consent to the sharing of that data with prospective commercial partners, and that the data is secure from unauthorised access both during its transmission and when at rest on its servers," Appt said. 

"If the CNIL takes a pragmatic approach to engaging with the connected cars industry in its new initiative, there is a chance for the industry to get a steer on data privacy and security issues and take forward new products and services with greater confidence in the French market," he said. 

Richard said the CNIL report also showed that the authority had been active in using new audit powers last year. 

"From October 2014, CNIL has been conducting remote assessments of organisations' compliance with privacy rules," Richard said. "Its annual report shows that, of the 421 inspections it conducted last year, 58 were undertaken online. Nearly half of the online controls involved assessment of whether organisations' use of cookies complies with e-privacy regulations. We can expect CNIL to continue its focus in this area in 2015 and to expand the purposes of its online controls to cover other areas of data protection compliance." 

CNIL also hopes to influence the thinking of the French government's plans for a new digital law in France, Richard said. 

"In its report, CNIL has said it hopes the new digital law will strengthen individuals' privacy rights, lead to more simplified procedures for businesses, improve the legal framework around the processing of personal data by public bodies, boost collaboration between it and public bodies and see its powers on controls and sanctions adapted for the digital age," Richard said. 

"CNIL hopes the digital law will allow it to anticipate some of the changes that look like being implemented under the new EU General Data Protection Regulation. In theory this could be positive for businesses, because it could allow them to address reforms coming their way bit by bit and not have to implement wide-ranging changes all at once. However, efforts will have to be made by the French government and CNIL to ensure that there is no discrepancy between the French laws and new Regulation which would force companies to adapt their practices when the EU reforms are finalised," Richard said.