Connected vehicles and mobility-related applications must protect related personal data by default, beginning in the design stage. This is what the European Data Protection Board (EDPB) recalled in a document open for consultation until 20 March 2020.
Three categories of sensitive data
The independent body established by the General Data Protection Regulation (GDPR) has identified a series of risks in the context of connected mobility, such as incorrect information, poor-quality consent, further processing without additional consent, excessive data collection, and hacking risk.
It is therefore submitting for consultation a series of recommendations to mitigate these risks. For example, it recommends that particular attention be paid to three categories of personal data: location data, biometric data, and data that could reveal a traffic offence. On the first point, the EDPB emphasises that the geolocation service should only be activated when the user launches a function that requires the location of the vehicle to be known, and not by default upon launch. With regard to biometric data, it stresses the need to provide alternatives and to ensure that the storage and comparison of biometric templates take place locally, in encrypted format. Finally, the EDPB contends that data processing that may reveal an offence should only be carried out under the control of an official authority or where EU or Member State law provides for such processing with appropriate safeguards.
Applicable law
More generally, the EDPB reiterates that the GDPR and the e-Privacy Directive apply to connected mobility and related applications. This means that personal data originating from these applications can only be processed if the user has given his/her consent, unless such processing is necessary to route the communication or to carry out a specific service.
The EDPB guidelines focus on the processing of personal data in relation to the non-professional use of connected vehicles. They specifically cover data processed inside the vehicle, data exchanged between the vehicle and the personal devices connected to it (e.g. the user's smartphone), and data collected in the vehicle and exported to external entities (e.g. car manufacturers or insurance companies) for further processing.
Link to the document: http://bit.ly/2OJgWet (Original version in French by Sophie Petitjean)