Is everything new in May? What the GDPR means for driverless cars
According to an old German saying: “Everything is new in May”. Could this recently have been the case for data privacy, data protection and data security in Europe?
Several years ago, the term EU General Data Protection Regulation (GDPR) appeared, promising to standardize data protection laws across the European Union. Then in May this year, the long-awaited GDPR entered into force.
Through the harmonization process, data protection rules will be unified in each member state. The law has been introduced in response to the new digital age, where big data, IoT and private global companies present a potential threat to a person’s privacy. The GDPR has regulated several rights which strengthen the legal position of those affected, for example the right to be forgotten. But can it really apply to all cases and thus fulfil its “one size fits all” promise?
To us, obviously the most important questions are: what will change? And how will these changes affect driverless technology?
Data – the oil of the future
Nowadays, enterprises are built on the concept of collecting data in order to sell or trade the resultant insights. It is therefore not surprising that many companies have their eye on the market of connected cars and autonomous vehicles (CAVs) – not to mention their technology. As cars become connected to other vehicles and infrastructure, substantial volumes of data can be collected. And it doesn’t end there. Cars will eventually be linked to many more objects – aka every IoT device. When this happens, the amount of data available will be of key interest to companies given the great impact and economic value it will have.
Targeted marketing is already a well-known term in the market. But data protection isn’t the only applicable law. The unfair competition act also often comes into play here. When speaking about data, one must first differentiate between purely technical data and personal data. Only personal data is covered by the protection of the GDPR. In times of big data and the IoT developing alongside CAVs, most of the data involved is neither completely irrelevant nor solely technical. This means the term “personal data” needs to be understood in a broader sense.
According to Art. 4 para. 1 GDPR, personal data means any information relating to an identified or identifiable natural person (“data subject”): “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
With regard to autonomous vehicles, OEMs might be interested in factors such as vehicle speed, battery life, engine injection behavior or fuel pump performance. At first glance, this data may seem purely technical. However, in combination with information about passengers, such as name or age, location (GPS) or in-car footage, it is easy to gain several personal insights. Even anonymized data can be transformed into personal data if enough additional material is available. Data related to driving behavior is interesting for insurance companies as they build their business models on contracts which are based on the analysis of such insights.
Storing of personal data only with the consent of the data subject?
If no exceptions apply, collecting, using or storing personal data is prohibited by the GDPR. In legal terms, one speaks of a “prohibition with reservation of permission”. Data can only be used in accordance with the articles of the GDPR or with consent from the data subject. However, when dealing with large amounts of data, a problem arises. In the era of CAVs, passengers may only use vehicles if they give consent to the usage and storage of data, in addition to the general terms and conditions. If the usage is solely possible by agreeing to those terms, it seems consent might not always be given of an individual’s own free will. In other words, it becomes “sink or swim”.
The GDPR also requires that every passenger gives consent before a car will drive. Rather than being carried forward for any future rides, this consent must be given again ahead of each new ride.
Using cameras and sensors, CAVs will collect data from their surroundings. This raises the question of whether the vehicle passenger / owner becomes the data controller under the GDPR, or whether it is the OEM. If the passenger is the data controller, does he need consent to capture personal information? The answer is yes, he most certainly does. The next question is whether the passenger is able to argue that an exception to the GDPR applies. One could probably highlight the exception stated in Art. 2 para. 2 subs. c) GDPR: “This regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity”. Here it is important to know whether a car is only collecting and storing data as part of a personal or household activity, or whether the ride might be considered to have a commercial purpose. These distinctions can mean the exception is not applicable. Unfortunately, it is currently difficult to apply the GDPR – made for big data and IoT issues – to such commercial trips, and it will most certainly have to be adapted for automated driving.
Providing mobility is one of the biggest selling points of automated driving. Children can travel short distances without their parents in a car, for example. And here another issue arises: minors are not able to give their consent if they are under the age of 16 (see Art. 8 para. 1 GDPR). Interestingly, member states are allowed to change this age limit to 13 years. If underage passengers cannot give lawful consent, their parents need to do so on their behalf.
The transfer of personal data to a country outside the European Union is restricted by a number of criteria and conditions under the GDPR. Enterprises will have to use Binding Corporate Rules (BCRs) with their affiliates in order to comply with the requirements of the GDPR. Data processing agreements are also necessary to work with other companies. This leads to the need for a thought-out data concept, a deletion concept.
More rights for people in times of more data
The amount of data available is increasing rapidly. With this comes the risk that data subjects might lose the overview of their own data. As knowing which data is collected and stored, and by whom, is a constitutional right in Germany, this can create a significant problem.
Natural persons have the right to receive information from any data controller. The GDPR also grants the right to be forgotten. In the case of a data breach, the GDPR could come knocking in the form of fines and sanctions.
The new regulation is certainly a milestone in the journey towards a harmonized high level of data protection, but the promise to offer a “one size fits all” law has not been fulfilled.
In the end, the most important conclusion for OEMs is to build cars based on the concept of privacy by design. This means that technical systems will be built to minimize the amount of data which will be collected. In addition, the system will include technical and organizational measures to protect any stored data. OEMs will also follow the principle of privacy by default, meaning the pre-settings of a car will automatically be privacy friendly. Should a passenger of a car want to share his personal data – for any reason – he must then activate such settings himself. Both principles are regulated for the first time in Art. 25 GDPR.
Further details with regard to aspects of telecommunication law and data privacy law can be found in Stender-Vorwachs/Steege, “Kleine SIM-Karte – große Konsequenz: Automobilhersteller als TK-Anbieter? Eine tk- und datenschutzrechtliche Analyse im Kontext autonomer Fahrzeuge”, in: MultiMedia und Recht (MMR) 2018, pp. 212–217.
With a main focus on urban mobility and data privacy law, more information can be found in Stender-Vorwachs/Steege, “Legal aspects of autonomous driving. Changing face of urban mobility in a connected mobility”, in: International Transportation (70) 1, 2018, pp. 18–20.