Connected vehicles: a compliance package for a responsible use of data

13 February 2018

The CNIL publishes the compliance package “Connected vehicles and personal data”, elaborated in consultation with 21 stakeholders both from the public and private sectors. The purpose of these sectorial guidelines is to enable the stakeholders to comply with the General Data Protection Regulation, applicable from 25 May 2018.

The compliance package has been elaborated in consultation with stakeholders from the automobile sector, businesses in the insurance and telecoms sectors, as well as public authorities, in order to constitute a sectorial reference framework and to ensure that car users enjoy transparency and control in relation to their data.

Such approach conditions user confidence, and thus the long-term development of those technologies.

It is also an example of an innovative regulation, both progressive and concerted.

The presentation of three case scenarios:

To support “sustainable innovation”, the compliance package identifies three case scenarios:

  • Scenario n°1 « IN => IN »: The vehicle’s data are not transmitted to the service provider.
    Example: an eco-driving solution that processes data in the vehicle in order to display eco-driving advice in real time on the onboard computer.
  • Scenario n° 2 « IN => OUT »: The vehicle’s data are transmitted to the service provider without automatic action being triggered in the vehicle.
    Example: « Pay as you drive » insurance offers.
  • Scenario n° 3 « IN => OUT => IN »: The vehicle’s data are transmitted to the service provider to remotely trigger an automatic action in the vehicle.
    Example: dynamic traffic information with a new route being sent after an incident is detected along the road.

These guidelines specify for each type of processing the intended purposes of the processing, the categories of data collected, the retention period of such data, the rights of data subjects, the security measures to be implemented and the recipients of the information.

The compliance package points out the following:

  • Personal data include all data associated or that can be associated with a natural person (driver, vehicle owner, etc.), notably via the vehicle serial number or the vehicle licence plate number. They may be directly identifying data, e.g. the driver’s name, as well as indirectly identifying data, e.g. details of journeys made, the vehicle usage data (e.g. data relating to driving style or the distance covered), or the vehicle’s technical data (e.g. data relating to the wear and tear on vehicle parts), which, by cross-referencing with other files, can be related to a natural person.
  • The compliance package draws the attention of the stakeholders in the automobile sector to the principles of informational self-determination, transparency and loyalty of the data processing: such principles imply that data subjects be at least informed, and in certain cases freely consent to the processing of their personal data.
  • A « privacy by design » has to be adopted. In practice, it implies privacy settings that can be easily modified, so as to empower users and give them control over their data.
  • The CNIL encourages the stakeholders to adopt the IN => IN scenario, whereby data are processed locally, directly in the car, without being transmitted to the service provider. Such scenario offers guarantees regarding data privacy and alleviates the obligations of data processors.

The compliance package is a “living document” that will be updated after 25 May 2018.

These guidelines were designed to be promoted at the European level to enable stakeholders to position themselves on a European if not global market.