Digitisation is advancing relentlessly - especially in the automotive industry. The ever-increasing volumes of data generated daily in the operation of connected vehicles require new technical solutions. Processes, including software updates are increasingly being shifted to the cloud, and vehicle functions are controlled via mobile apps. Vehicles are becoming ecosystems for digital services and entertainment.
In their developing role as providers of mobility services, vehicle manufacturers are confronted with new legal issues which do not have easy solutions. The wave of regulation currently crashing over businesses in the EU tech sector makes the management of these issues even more complex.
Data protection is and will remain a defining compliance issue for automotive manufacturers.
Data protection regulations (almost) always apply to the processing of vehicle data. According to the now established opinion of the European data protection supervisory authorities, vehicle data is already personal data if it is linked, as is often the case, to a vehicle identification number (VIN) or to another ID relating to the vehicle, device, driver or owner. Corresponding clarifications have already been codified in German national law (s63f (1) No. 6 StVG). Even for purely 'in-car' data processing, in which the car manufacturer has no access to the data in the vehicle, certain data protection rules apply, not least the principle of privacy by design and by default.
Individual European data protection supervisory authorities (see, among others, the guidelines of the CNIL and the statement of the VDA and the German data protection supervisory authorities) have considered vehicle data, and the European Data Protection Board (most recently with the update of its guideline in 2021) has also published the first guidelines on the data protection-compliant handling of vehicle data. And yet, significant questions remain.
For example, the meaning and scope of Article 5(3) of the ePrivacy Directive (access to data in "terminal equipment") or its implementing regulations in Member State law (including Article 25 of the TTDSG in Germany) remain controversial. The EDPB follows a broad interpretation of the scope of Article 5(3) of the ePrivacy Directive with the consequence that the use of vehicle data for secondary purposes such as product development without the consent of data subjects is made considerably more difficult.
It also remains unclear to what extent vehicle data may be stored for the purposes of product monitoring and defence and, if so, for how long. And what about data from vehicle sensors or cameras that are installed in the vehicle and support or monitor the driving process? Much of this data can play an essential role in development, quality control and product monitoring. It is often difficult to determine the boundaries between the legal obligations of manufacturers (in the area of product compliance, among other things) and what is legally permissible in terms of data protection. Similar questions arise against the background of the requirements of UNECE regulations r155 (Vehicle Cyber-Security Management System) and r156 (Updates of vehicle software/systems), which will apply from 2024. Here, it is often unclear exactly which vehicle data must or may be used under which conditions for the purposes of cybersecurity of the vehicle ecosystem. We highlight the tension between data protection, cybersecurity and product liability/product monitoring in this article.
Manufacturers of connected vehicles also have to consider additional data protection regulations which apply to this sector under European or national law. These include the special data protection requirements in the Law on Autonomous Driving that came into force in Germany in 2021 (ss 63a ff. StVG) as well as, for example, the European legal requirements for eCall (Regulation (EU) 2015/758), driver assistance systems (Regulation (EU) 2019/2144) or the transmission of (VIN-based) vehicle consumption data to authorities (Implementing Regulation (EU) 2018/2043). This is a complex framework for legal teams when it comes to assessing the data protection law compliance of new car features.
The increasing interconnectedness of the various players in the connected vehicle ecosystems also raises the question of which party has which data protection responsibilities. Where data flows can no longer be easily secured with an agreement on commissioned processing under Article 28 GDPR, there may be joint responsibility or controllership, requiring complex contractual arrangements in accordance with Article 26 GDPR, for example in the area of (cross-border) sales/aftersales, connected vehicle services and third party arrangements.
Extended vehicle concepts will also give rise to new data issues in 2023. In particular, the question arises whether and to what extent vehicle manufacturers must make data arising in connection with the operation of vehicles available to third parties, e.g. to enable other market participants to develop and offer comparable products and services. Under Regulation (EU) 2018/858, manufacturers are already obliged to do this to a certain extent, within the limits of the applicable data protection rules. Read our article for more on this issue.
Connected vehicles are undoubtedly a focus for data protection regulators. In the past year, various car manufacturers including Tesla and VW have come under scrutiny, and supervisory authorities are in contact with automotive manufacturers such as Porsche on these and other issues. Setting up a functioning car data protection management system is vital given the extent of the legal requirements involved. Read more about it here.
Against the backdrop of steadily increasing cyber threats, cybersecurity will become and remain a top priority for automakers in 2023, not least because of the constantly tightening legal requirements.
Manufacturers in scope are currently working at full speed to implement the requirements of UNECE Regulations r155 (Cyber Management System for Vehicles) and r156 (Requirements for Updates of Vehicle Software/Systems), which will apply from 2024, and to obtain the corresponding official approvals, without which it will no longer be possible to sell vehicles in the EU in the future. The respective regulations are accompanied by corresponding industry standards which also need to be taken into account.
Until now, automotive manufacturers have not usually been directly subject to the strict IT security requirements of the BSIG (which incorporated aspects of the NIS Directive). However, as a result of the changes introduced by the IT Security Act 2.0, several automotive manufacturers will likely be deemed companies in the special public interest (s8f BSIG) and will likely be subject to the strict requirements, including the obligation to submit a self-declaration and to report malfunctions in accordance with s8a BSIG.
The requirements will be tightened by the NIS2 Directive once implemented in German law. In addition to an expansion of the sanctions framework for breaches of corresponding IT security requirements, regulated companies will be subject to significantly more comprehensive technical and especially organisational requirements (including in the area of cyber risk management).
The EU legislator is also planning to introduce further legislation, including an update of the Directive 2001/95/EC on general product safety (see here) and has proposed a Regulation on cybersecurity requirements for products with digital elements (Cyber Resilience Act) which will also be relevant to connected vehicle manufacturers.
The requirements of the new EU digital sales law (applicable since 1 January 2022), the transposition laws to the Omnibus Directive (applicable since 28 May 2022) and the requirements for fair consumer contracts (some of which became applicable last year) will keep automotive manufacturers on their toes in 2023. The new laws have a significant impact on automotive manufacturers, particularly in the area of connected vehicle services. They introduce new requirements specifically for digital products and services and can apply to free services where non-essential personal data is provided in return for the service. Warranty and revocation rights are extended. Digital products will be subject to new support and update requirements to prolong their use. This network of obligations is complex; see our article on Connected Vehicle Services for more.
The automotive industry is highly data-driven and this goes far beyond personal data. This means the sector is particularly affected by the EU's digital strategy. Alongside the Data Governance Act, the Data Act forms the basis of the European data strategy. The regulatory framework is supplemented by other legislation, including the Digital Services Act and Digital Markets Act, which have already come into force. This legislation will determine how data is handled in the EU in the future.
The Data Governance Act (DGA), which was published on 30 May 2022 and will apply from 24 September 2023, includes, among other things, rules for providers of data intermediation services (so-called data intermediaries, such as data marketplaces) to ensure that they act as trustworthy organisers of data exchange or pooling within the common European data spaces. These rules are of great importance for manufacturers, suppliers and providers of corresponding data services, since the exchange and trade of vehicle and mobility data already represent a relevant business field, e.g. in the area of product development. Such services, including data marketplaces and data pools, will be heavily regulated under the DGA: for example, data intermediaries will not be allowed to process data for their own business purposes (neutrality), must apply "fair" pricing models and will need to register with the competent authorities. This is a major topic to watch out for; read more here.
The Data Act (DA), which is still being discussed, is already casting its shadow. If the Regulation, which is currently expected to be in place by 2024/25, is implemented as planned, it will have a huge impact on the automotive industry. The objective of the DA is to regulate the most efficient possible access to and usability of data from networked devices for the benefit of those affected and companies. Vehicle data is explicitly included in the scope of the planned standards (see Recital 14). According to the provisions of the DA, so-called data owners (e.g. the automobile manufacturer) will be required to provide access to the data not only to users (e.g. vehicle owners) but also to providers in vehicle-related business areas such as aftersales at the request of the data subject. This will present vehicle manufacturers with major legal and practical challenges, including extended transparency obligations and the obligation to conclude a data licence agreement with the user for non-personal data. Read more.
In addition, the Digital Services Act (DSA), which came into force in 2022, will bring various issues with it as early as 2023. Certain services offered by automotive manufacturers to customers and/or business partners may be subject to the new regulations, e.g. as hosting services or platform services. Whenever data is transmitted, stored or made accessible to third parties, for example in the area of connected vehicle services or aftersales, the DSA might apply. Various obligations, including those regarding transparency, the establishment of complaint channels and an obligation to report criminal offences, may apply, some of them from as early as February 2023, so the issue will continue to occupy automakers now and throughout 2023.
See more about the DSA here and, for an overview of the EU's various digitisation plans, check out our Deep Dive Session from Taylor Wessing's Digital Legal Academy 2022.
Connected vehicle manufacturers and service providers will also need to focus on telecommunications law in 2023. The new legal framework (in Germany, the TKG/TTDSG) has failed to clarify when connected vehicle services fall within the scope of application of telecommunications law standards. Statements by the competent authorities indicate that connected vehicle services are not always subject to the strict provisions of telecommunications law, especially if they are closely related to functions of the vehicle and do not constitute an additional telecommunication or telecommunication-supported service offered by the car manufacturer for a fee (services such as in-car WiFi). Falling within scope brings a significant compliance burden, so automobile manufacturers need to pay close attention to what the regulators are saying.
Another development that will concern connected car manufacturers in 2023 is the noticeable increase in requests they receive for data from law enforcement authorities in the context of criminal prosecutions. These have been increasing since the introduction of new rules in the TTDSG (s21 ff TTDSG). Businesses need to have processes and policies in place to ensure they deal with these requests appropriately.
The strict requirements of the GDPR for international data transfers have presented global automotive manufacturers with major challenges since the CJEU ruling in the Schrems II case and the publication of the new EU standard contractual clauses (SCCs). The growing number of correspondingly strict data protection laws in other countries of the world (including Brazil, Korea, etc.) further complicate the transfer of vehicle data in international corporate groups and joint ventures. Read more about the latest on international data transfers here.
Most recently, China has increasingly come to the attention of carmakers, not only as one of the most important sales markets, but also as one with strict requirements for the handling and export of vehicle data. The Draft Provisions on Car Data Security Administration published in 2021 apply to a wide range of players in the automotive industry, from car manufacturers and suppliers to insurers, when they have to deal with relevant data. Unlike the GDPR, the scope of the various regulations is not limited to the processing of personal data and includes the mere processing of data in the vehicle (without access by the OEM). These regulations are supplemented by a raft of new requirements, including those under the Personal Information Protection Law and other laws relating to cybersecurity and data localisation.
As in many other industries, the question for connected vehicle businesses is what will emerge as the 'gold standard' privacy regime going forward. The GDPR could well be overtaken. China's framework appears to go significantly beyond the European law requirements. It poses considerable practical and legal challenges for automotive manufacturers with businesses in China, especially since the actual requirements have not yet been fully specified by the authorities involved. The incoming regulations allow for a partial six month compliance grace period which runs out at the end of February 2023. Given the tight deadlines and existing legal uncertainties surrounding the newly introduced requirements, impacted manufacturers will be kept busy during 2023.
Read more on the changes in Chinese law and the consequences for automotive manufacturers.
Automotive manufacturers of connected vehicles will be faced with major legal compliance challenges in 2023. Not only is a raft of new requirements coming in, but important questions remain unresolved and look likely to need the intervention of regulators and the courts. As is so often the case, preparation for compliance and early involvement of legal advisors (whether internal and/or external) is the key to ensuring the journey goes in the right direction from the start.