Connected vehicles and personal data
The development of connected vehicles has raised many concerns among drivers about the protection of their personal data.
Given the risk that these new technological tools (sensors, telematics boxes and mobile applications) may breach the regulations applicable to personal data, the French Data Protection Authority (CNIL) published a conformity pack entitled "Connected vehicles and personal data" on October 17.
Since spring 2016, the CNIL had been holding discussions, notably with automotive industry stakeholders, insurance professionals, telecom operators and the French telecom regulator (ARCEP), in order to propose a baseline to ensure the "responsible use of the data" from the vehicles.
This pack aims to draw stakeholders' attention to the fact that "all data which may be related to an identified or identifiable natural person, notably via the vehicle number plate or the vehicle serial number, is personal data" and that its processing is subject to the provisions of the French Data Protection Law (Loi Informatique et Libertés) and the General Data Protection Regulation (GDPR).
This conformity pack therefore underlines the main obligations with which data controllers must comply:
- the data subject must be informed about the processing (notably by provisions included in a sales agreement and/or a services agreement);
- the collection must be accurate;
- the purpose of the processing must be determined, explicit and legitimate;
- the data cannot be stored indefinitely;
- the security of the data must be guaranteed;
- the right of access and opposition must be ensured.
These good practice guidelines are intended to assist connected vehicle professionals in implementing these principles. They are organised in a very concrete manner around three main scenarios which a professional may encounter:
- Scenario n°1 « IN => IN »: the collected data from the vehicle stays in the vehicle without transmission to the service provider;
- Scenario n°2 « IN => OUT »: the collected data from the vehicle is transmitted outside in order to provide a service for the data subject;
- Scenario n°3 « IN => OUT => IN »: the collected data from the vehicle is transmitted outside in order to trigger an automatic action in the vehicle.
This initiative will be transposed at the European level for the purpose of drafting European guidelines concerning this issue.
Tags:
Juris Initiative, Behring, Anne-Solène Gay, conformity pack for connected vehicles and personal data, conformity pack, connected vehicles, 17 October 2017, French Data Protection Law, General Data Protection Regulation, GDPR