European legal challenges for manufacturers of connected vehicles regarding data

Lawrence Freeman (Senior Counsel, Bird & Bird, Brussels and previously the European Counsel of Tesla, Inc.) reviews the European legal challenges for manufacturers of connected vehicles regarding data.

It is often said that: 

  1. “Data is the new oil” - The irony is that electric connected vehicles (“CVs”) generate a lot of data - which is the new oil!

  2. “You can tell a lot about someone through their vehicle” – The irony is that this expression has a double meaning! It could mean that it may be possible, for example, to guess someone’s social status through their vehicle. It could also mean that it is possible to extract a lot of data about someone through their vehicle given that CVs can amount to computers on wheels[1].

Consequently, there are many European legal challenges for manufacturers of CVs regarding data:

Personal data – The European General Data Protection Regulation (“GDPR”) regulates the processing of “personal data” i.e. any information that relates to an identified or identifiable living individual. It could be that different pieces of information, such as vehicle service information, which on the surface don't appear to constitute personal data, can be collated and linked to an individual via, for example, a VIN (a Vehicle Identification Number). The consequence of this is that the CV manufacturer, as the data controller, might be under an obligation to divulge this data in response to data access requests, which can be time-consuming. There is a solution known as “tokenisation” which involves anonymising the data irreversibly. The European Data Protection Board has recently published useful draft Guidelines on the processing of personal data in the context of CVs and mobility related applications.

Privacy notice – The CV manufacturer will need to ensure that the privacy notice is drafted in a sufficiently broad and precise manner so that the data subject can understand that his or her personal data could be subject to big data analytics.

Data minimisation – It is important for CV manufacturers to bear in mind this principle i.e. that personal data processing should be kept to a minimum and that personal data should not be held for longer than necessary.

Transfers of data – There are restrictions on the transfer of personal data out of the European Economic Area. The CV manufacturer needs to put in place a compliance program to ensure that personal data is transferred between corporate entities in a legitimate manner.  It is also necessary to make strategic decisions as to where to store and process data collected from vehicles.

Privacy-by-Design solutions - CV manufacturers can use these solutions which take data privacy requirements into account in the development of new systems.  In this way they can use data collected from vehicles for new purposes.

Police requests – The Police are aware that CV manufacturers keep a lot of log file data. The Police would be happy to be able to use this log file data to prove that, for example, a vehicle customer has been speeding at a certain point in time. The CV manufacturer will need to have a mechanism in place to ensure that such data is not handed over to the Police unless there is a court order to do so or a written order from the Public Prosecutor to do so. Otherwise, the CV manufacturer could be held to have infringed the privacy rights of the individual concerned.

E-mail marketing – CV manufacturers may increasingly rely on e-mail marketing. In accordance with the GDPR, e-mail marketers need to obtain affirmative consent from subscribers which is freely given, specific, informed and unambiguous. As consent requires a positive opt-in, the e-mail marketer should not rely on pre-checked boxes which assume consent. Each promotional e-mail must include an option making it easy to unsubscribe. E-mail marketers should keep consent requests separate from other terms and conditions. They should keep evidence of consent – when, who and how.

Data Security – Employees and contractors of CV manufacturers tend to be the source of data security breaches (as opposed to cyber-attacks) i.e. it’s usually an inside job. Therefore, CV manufacturers should have strong training and monitoring programs for employees and contractors. Furthermore, the European Directive on security of network and information systems (“NIS Directive”) puts an obligation on operators of intelligent transport systems (which includes CV manufacturers) to implement security measures and report data security breaches to national regulatory authorities. They also have a responsibility to patch software vulnerabilities through software updates after the vehicle has been sold.

Right to repair – In accordance with the EU Right-to-Repair Regulation, a CV manufacturer has to provide unrestricted and standardised access to vehicle repair and maintenance (“VRM”) information to independent operators. This VRM information needs to include, for example, service handbooks, technical manuals and wiring diagrams. Manufacturers may charge reasonable and proportionate fees for access to VRM information taking into account the extent to which the independent operator uses it. The EU Right-to-Repair Regulation does not require a CV manufacturer to make the tools needed to perform some of the tasks related to this VRM information. However, if certain tools or software are needed to repair a vehicle and can't be purchased through other sources than the CV manufacturer, then a CV manufacturer's refusal to supply a repairer with these tools or software could be considered a violation of competition law under certain circumstances.

Technical access conditions to vehicle data – While CV manufacturers face competition in vehicle sales and after-sales services, they could have a monopoly on data for vehicles with their brand where data is collected exclusively on data servers operated by them (through the “extended vehicle concept”). In such circumstances, after-sales service suppliers would have no other option than to buy data from the CV manufacturers and accept the conditions for the supply of that data, including pricing, in order to perform data-driven after-sales services. In order to address these competition law concerns, there are regulatory discussions to oblige manufacturers to share such data through a shared neutral server. In any event, in relation to in-vehicle data, considering the risk to vehicle safety and security posed by connected plugs developed by third-party service providers, CV manufacturers should reserve to themselves the right to limit the data accessible via the on-board diagnostic interface to data required for repair and maintenance.

[1] “We really designed the Tesla Model S to be a very sophisticated computer on wheels” - Elon Musk, Los Angeles Times, 19 March 2015
