The 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong published a Resolution on Data Protection in Automated and Connected Vehicles, which sets out fundamental data protection requirements for the mobility of the future (“Resolution”). The Resolution proposes common international standards.
The Resolution addresses not only vehicle and equipment manufacturers, but also providers of personal transportation services, car rental providers, and providers of data-driven services (e.g., speech recognition, navigation, remote maintenance or motor insurance telematics services), as well as standardization bodies and public authorities (“Addressees”). The Resolution expressly calls upon Addressees to “fully respect the users’ right to the protection of their personal data and privacy and to sufficiently take this into account at every stage of the creation and development of new devices or services”.
Following the German Federal Data Protection Commissioner’s earlier proposals for automated and connected vehicles of June 2017 (available in German here), the Resolution describes how the rights of users should be protected. In particular, the Addressees are strongly urged to comply with the following 16 items:
1. “give data subjects comprehensive information as to what data is collected and processed in the deployment of connected vehicles, for what purposes and by whom,
2. utilize anonymization measures to minimize the amount of personal data, or to use pseudonymization when not feasible,
3. keep personal data no longer than necessary in relation to the legitimate purpose for which they are processed, for further compatible purposes, or in accordance with law or with consent, and to delete them after this period,
4. provide technical means to erase personal data when a vehicle is sold or returned to its owner,
5. provide granular and easy to use privacy controls for vehicle users enabling them to, where appropriate, grant or withhold access to different data categories in vehicles,
6. provide technical means for vehicle users to restrict the collection of data,
7. provide secure data storage devices that put vehicle users in full control regarding the access to the data collected by their vehicles,
8. provide technical measures for secure online-communication components that protect against cyber-attacks and prevent unauthorized access to and interception of personal data,
9. develop and implement technologies for cooperative intelligent transportation systems in ways that
a. prevent unauthorized access to and interception of personal data collected by vehicles (v2v), transportation infrastructure (v2i) or other third party’s entities (v2x),
b. enable vehicle users to inhibit the sharing of positional and kinematic data while still receiving road hazard warnings,
c. provide safeguards against unlawful tracking and tracing of drivers,
d. ensure the security mechanisms of v2v, v2i and v2x communication during authentication processes do not pose additional risks to privacy and personal data and
e. limit the possibility of illegitimate vehicle tracking and driver identification.
10. respect the principles of privacy by default and privacy by design, by providing technical and organizational measures and procedures to ensure that the data subject’s privacy is respected, both when determining the means of the processing and when processing the data,
11. develop privacy preserving technologies and architectures that favorably process personal data onboard,
12. guarantee the self-learning algorithms needed for automated and connected cars are made transparent in their functionality and have been subject to prior assessment by an independent body in order to reduce the risk of discriminatory automated decisions,
13. provide vehicle users with privacy-friendly driving modes with default settings,
14. undertake data protection impact assessments for new, innovative or risky development or implementation of these technologies,
15. promote the respect of the personal data privacy of vehicle users by responsible processing of their personal data, and giving due consideration to the potential harm that may be caused to the vehicle users as a result of the processing and use and
16. enter into a dialogue with the data protection and privacy commissioners to develop compliance tools to accompany and provide legal certainty to connected vehicles’ related processing.”
The German Federal Data Protection Commissioner, Andrea Voßhoff, said in a press release of 28 September 2017: “Cars are symbols of freedom and autonomy. Digitisation of traffic may cause a fundamental change. Already today, modern vehicles use a countless number of sensors to collect data on driving behaviour and distance travelled. Such data may be used to create detailed personal profiles. Therefore, drivers must be able at any time to have the full control of the use of identifiable vehicle data. As a general rule, drivers should be informed in a comprehensive and transparent manner about how their data are used. This requires data protection compliant technologies as well as privacy by default.” (English translation of the original German version).