Martin
Wodraschke, Partner,
Head of CMS CEE
Automotive Team, CMS Budapest

European data protection authorities are mainly concerned with information asymmetry among the connected car users and manufacturers. The scope of data may not be adequately reviewable by the customer; moreover, the individuals may not be aware of data collection or the communication between connected cars at all. As a result, it will become very difficult for them to control the data flow and the subsequent use of the data, as required by EU data protection laws.

In this context, distinguishing between personal and non-personal data is essential. In particular, it is important to understand if the data collected is personal data at all, when and how it is aggregated and pseudonymised, and how likely it is to be linked to identifiable individuals. If data collected in the car can be used to create any kind of user profiles with personal preferences, the data should be treated as personal data and can only be processed with the consent of the individual.

Currently there are no express requirements regarding connected cars, but Hungary’s Data Protection Authority (NAIH) recently issued general guidance on the necessary content of privacy notices that requires companies to provide detailed privacy information to their customers before collecting their data. For example, privacy notices in Hungary should contain detailed information on data transfers, data retention periods and the people who may have access to the data.

According to the latest legislative plans of the German government, all personal data collected by cars can be processed only with the consent of the person concerned and in a pseudonymous form. The buyer of a car must be fully and comprehensibly informed when buying the car regarding all kinds of data collection, including what data is transferred on which channel, and for what purpose. According to this plan, the owner of a car can decide who has access to their personal data, and all access and every transfer of personal data needs the owner’s prior consent.

However, in practice it is challenging to obtain informed consent and to provide sufficient privacy notices during the day-to-day use of a car. The possibility to refuse certain services or features may not be a viable alternative in practice either. In addition, while the user was comfortable with sharing the original information for one specific purpose, such as the provision of a service pertaining to the connected car, they may not want to share it for secondary purposes, such as analysis of driving habits by an insurance provider.

As regards the cooperation of the stakeholders themselves, the contracting background of connected car services involves multiple parties (receiving data from or sharing data with third parties), which requires the precise allocation of legal responsibilities. More importantly, all actors who process connected car data should carry out Privacy Impact Assessments, implement Privacy by Design and Privacy by Default solutions, and share the relevant results with each other. Further, it is of primary importance to consider new ways of obtaining the users’ valid data privacy consent.

The lawful collection and secure transfer, as well as storage, of car data will be important issues for the future relationship between the manufacturer and the customer. In the past, the customer trusted mainly in the technical aspects of their car, but today manufacturers can establish a good customer relationship only if the customer trusts in the security of their personal data and in protection against any risks posed by third parties.