Increasing networking and automation in road traffic, large volumes of vehicle data: in this highly dynamic environment, new "data-driven" areas of business for innovative mobility services are currently emerging. Via interfaces, modern vehicles allow communication with other devices in the "Internet of Things" and often enable data collected in the car to be accessed by more than just the car manufacturers. Insofar as personal data are used in these and other constellations, the participating actors have to address the issue of the permissibility of their actions under European and national data protection law. In this article, we present a selection of topics on which we advise our clients from the automotive sector
Personal reference of data in and around the connected vehicle
Data protection law applies to almost all data processed in and around the connected vehicle. With regard to the vehicle owner, it already constitutes personal data if data is linked to the registration number or the vehicle identification number (VIN). This is the case even if the data in question is purely technical information such as tyre pressure, engine speed or brake pad wear. If a driver is not simultaneously the owner, he can be identified by being assigned to a personalised account. Other road users are data subjects within the meaning of the GDPR if, for example, they are captured on the video cameras installed in or on the vehicle. Due to the highly indicative value of video recordings, it may be possible to identify such road users by linking them to publicly available information.
The general legal framework for processing personal data is derived from the GDPR. Accordingly, the controller requires a legal basis for any processing (so-called prohibition with reservation of permission). The controller is the person who determines the purposes and means of the processing. This is frequently the manufacturer of the vehicle. Processing means all operations related to personal data, such as their collection, storage, analysis or transmission.
The possible legal bases pursuant to the GDPR arise from Articles 6 and 9 GDPR. Most often, processing can be justified on the basis of consent (Article 6 (1) sentence 1 (a)) to the performance of a contract with the data subject (Article 6 (1) sentence 1 (b) GDPR) or on the basis of legitimate interests (Article 6 (1) sentence 1 (f) GDPR). As regards the legal basis of Article 6 (1) sentence 1 (b) GDPR (performance of a contract with the data subject), please note that it can only be applied insofar as a contract actually exists with the specific data subject. In the automotive sector, however, what often happens is that more than one person is affected (in addition to the owner, other vehicle drivers and other road users). If the controller intends to carry out processing operations, where contractual relationships do not exist with all the (potential) data subjects, additional legal bases must be applied.
Cooperation of several actors as joint controllers?
The consequence of the abovementioned networking of vehicles is that car manufacturers are increasingly enabling service providers to access vehicles and, in some cases, the data stored in them via interfaces. Prominent examples include Android Auto from Google and Apple Carplay. Smartphone users can use these offers to display and use apps in a visually optimised form on their vehicle’s display.
In such and similar cooperations between vehicle manufacturers and service providers, the question arises as to who is responsible under data protection law for the processing of which personal data. In fact, both parties are more likely to have separate independent responsibilities if the processing operations of the vehicle manufacturer and the third-party service provider can be functionally clearly separated in such a way that they each independently determine whether and how certain data are processed. The decisive factor in this respect is the technical details of how each service works. If car manufacturers and service providers collaborate in the data processing, then this indicates a joint responsibility pursuant to Article 26 (1) sentence 1 GDPR. According to the "Fashion ID" decision of the European Court of Justice (ECJ), the mere enabling of processing by one party and the pursuit of similar own interests by both parties can establish joint liability. In this case, they are jointly liable (Article 82 (4) GDPR) and must conclude a special data protection agreement (Article 26 (1) sentence 2 GDPR).
Consent according to the rules of the TTDSG
While, under the GDPR rules, controllers can often take the performance of a contract or their legitimate interests as a legal basis and thus no consent is required, consent may (additionally) have to be obtained pursuant to special legislation arising from the German Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz - TTDSG). The Act has already passed through the Bundestag and will come into force on 1 December 2021.
Section 25 TTDSG provides that the storage of information in "terminal equipment" or access to information already stored there is only permissible if the end user has given its consent on the basis of clear and comprehensive information. An exception to the consent requirement applies if the storage or access is absolutely vital for the provider of a telemedia service to be able to provide a service expressly requested by the user (Section 25 (2) No. 2 TTDSG).
The provision transposes the requirements of the European ePrivacy Directive into German law with almost identical wording. The European Data Protection Board (EDPB) had already clarified in its Guidelines on data processing in the context of connected vehicles that, in its view, the provision also applies to vehicles when they are connected to a public telecommunications network for the purpose of sending, processing or receiving information (margin Nos. 12 and 13 of the Guidelines).
Consequently, both vehicle manufacturers and third-party providers must obtain consent if, for example, they wish to retrieve location data from a connected vehicle. Exceptions apply if the driver or owner of the vehicle has requested a service for which the readout/access is absolutely vital.
Autonomous driving: use of cameras and other sensors on the vehicle
Particularly relevant and currently much discussed are the innovations brought about by the new law on autonomous driving (which we reported on in our article of 6 July 2021). However, the new Section 63a of the German Road Traffic Act (Straßenverkehrsgesetz - StVG) only regulates the rough framework conditions for the processing of "time and position data". Moreover, key questions regarding the location and method of storage have been left open and are reserved for an ordinance of Federal Ministry of Transport and Digital Infrastructure (Bundesministerium für Verkehr und digitale Infrastruktur - BMVI) (Section 63b StVG). It remains to be seen whether the German Association of the Automotive Industry (Verband der Automobilindustrie - VDA) will succeed with its proposal to store data centrally at the particular vehicle manufacturer (see the VDA's so-called NEVADA Share & Secure Concept). Alternatively, data could be stored in the vehicle or with a neutral data trustee.
According to its wording, Section 63a StVG does not cover the processing of camera recordings and other sensors on the vehicle that enable autonomous driving. At present, therefore, only the regulations of general data protection law apply in this respect. For the processing of video recordings, in particular, high hurdles exist. If vehicle manufacturers wish to use recordings to further develop algorithms, then Article 6 (1) sentence 1 (f) GDPR (legitimate interests) in conjunction with the privilege for scientific research (Article 89 GDPR) come into consideration as legal bases.
Independently of this, the processing of recordings taken by so-called dashcams must be assessed. Their purpose is entirely different to the sensor technology to enable autonomous driving functions - namely, for evidence purposes of the driver or owner. The same applies to cameras that record the interior of the vehicle in order to analyse the driver's behaviour for so-called pay-as-you-drive tariffs of car insurers.
Besides a multitude of innovations, the dynamic change in the automotive industry also creates several legal challenges. One of these is undoubtedly compliance with data protection requirements. Despite the rapid development, these requirements should always be considered from the outset. Otherwise, there is a risk of fines, damage claims or damage to reputation.