knowledge 24 March 2021 |

EDPB Adopts Guidelines on Connected Vehicles following Public Consultation

As discussed in our previous briefing on the draft Guidelines (see here), the EDPB recognises that connected vehicles and mobility applications have the potential to generate significant volumes of personal data relating to drivers and passengers and as such, give rise to certain data protection and privacy risks.  The EDPB’s recommendations and suggested mitigation measures to reduce such risks have not been subject to material change in the final version of the Guidelines.  However, key stakeholders in this sector will be interested in the EDPB’s clarification on the precise scope of the Guidelines and confirmation on the applicability of the ePrivacy Directive.

Clarification of Scope of the Guidelines

The ‘household exemption’

The Guidelines apply to a wide range of industry participants, including vehicle manufacturers, car repairers, automobile dealerships, motor insurance companies, entertainment providers, telecommunication operators, road infrastructure managers and public authorities, as well as data subjects. 

The final version of the Guidelines clarify that some data processing performed by data subjects within a connected vehicle will fall within the ‘household exemption’ under Article 2(2)(c) of the GDPR, i.e. processing which is “in the course of a purely personal or household activity”. Such processing is therefore outside the scope of the GDPR and the Guidelines.

By way of example, the EDPB confirms that the Guidelines do not apply to the use of personal data within a connected vehicle by a sole data subject who provided such data into the vehicle’s dashboard. Similarly, where Wi-Fi connectivity is put in place in a vehicle for the sole use of the driver, the processing of personal data is considered to be a purely personal or household activity. 

It is worth noting, however, that the household exemption applies only to processing performed by natural persons and controllers and processors which provide the means for processing personal data for personal or household activities (such as system designers, suppliers, manufacturers etc.) are subject to the GDPR.

Public and shared transport

The specific considerations which arise in respect of data processing in the context of commercial vehicles used for professional purposes (such as public transport) and shared transport and ‘Mobility-as-a-Service’ (MaaS) solutions do not fall within the scope of the Guidelines, which are intended to be of general application.

However, the EDPB expressly recognises that many of the principles and recommendations in the Guidelines will apply to these types of processing.  As such, the Guidelines will be relevant to future initiatives in the public transport sector which utilise MaaS solutions and in-vehicle connectivity. 

Rental cars

The final Guidelines no longer make specific recommendations concerning rental cars and the security of personal data stored on the dashboard of a rental car, as distinct from other types of connected vehicles.

Applicable Law

GDPR and ePrivacy Directive

The Guidelines continue to focus on consent as the primary legal basis for processing data generated by connected vehicles for the purpose of both the GDPR and the ePrivacy Directive.

The final version of the Guidelines reiterates the EDPB’s view that the ePrivacy Directive is partially applicable in this context, as a connected vehicle and all devices connected to it are to be considered ‘terminal equipment’ (that is, an internet connected device) for the purposes of Article 5(3) of the ePrivacy Directive. Article 5(3) requires prior user consent for the storing of or the gaining access to information already stored in terminal equipment, except in limited circumstances. The Guidelines highlight that consent should be the primary legal basis not only for the storing and gaining of access to data stored in the terminal equipment under the ePrivacy Directive, but also for the subsequent processing of that personal data under the GDPR.

Some submissions on the draft Guidelines called for this position to be broadened and for all legal bases for the processing of personal data under the GDPR to be recognised on an equal footing. The EDPB declined to amend its recommendations in relation to the legal basis for the processing of personal data generated by connected vehicles in the final version of the Guidelines, however, and the position remains that “another legal basis can be lawfully chosen as long as it does not lower the additional protection provided by article 5(3) ePrivacy Directive”.  The revised Guidelines provide some further examples of where consent would not be required under Article 6 of the GDPR, including where data processing is necessary to provide GPS navigation services requested by the data subject where such services can be construed as “information society services”, which do not fall within the remit of Article 5(3).

New ePrivacy Regulation

The new ePrivacy Regulation, once adopted, will replace the ePrivacy Directive. The European Automobile Manufacturers’ Association (ACEA) and the connected vehicle manufacturer Tesla, among others, requested that the adoption and publication of the Guidelines by the EDPB be postponed until the content of the new ePrivacy Regulation is known with certainty.

The extent to which the ePrivacy Regulation will diverge from the current ePrivacy Directive remains to be seen, and the Guidelines refer to the new ePrivacy Regulation only in the limited context of emergency calls as an exception to the requirement for user consent.

What’s next?

The ePrivacy Regulation is currently being negotiated by the EU institutions and, once adopted, will have a 2 year implementation period before it will enter into effect. Any impact the new ePrivacy Regulation may have on the legal regime applicable to connected vehicles is therefore unlikely to be felt in the immediate future, however, developments in this area will be monitored closely be industry participants.

Upcoming EDPB guidelines, as set out in its recently adopted 2021-2022 Work Programme, may also be of relevance in this area. In particular, the EDPB is due to publish Guidelines on Anonymisation and Pseudonymisation, which are among the recommended practices set out in the Guidelines for the use of personal data which cannot be processed within a connected vehicle and its applications.

Also contributed by Ruth Hughes.