The development of automated and autonomous driving is progressing, the roads are (slowly) filling up with vehicles with alternative drive models, and car manufacturers are gradually transforming themselves into mobility service providers that aim to provide a variety of tech and media services in the vehicle ecosystem. This transformation is accompanied and driven by growing competition from new market players, particularly from high-volume markets like China, which are currently shaking up the industry developing new concepts at high speed. At the same time, the legal requirements for car manufacturers and mobility service providers are becoming increasingly complex.
A wave of digital regulation is crashing over businesses in the EU tech sector, making digitalisation in the automotive industry considerably more challenging. In particular, the EU’s Digital Strategy 2023/2024 will bring a wide range of innovations, some of which will have a significant impact on the automotive industry such as the Data Act and – of course – the AI Act.
While the Data Act, AI Act and other incoming EU legislation may be grabbling the legal headlines for automobile manufacturers, data protection remains a dominant issue in digitalisation projects in the automotive industry and should not be forgotten in the regulatory onslaught.
Data and AVs
The technologies used to develop autonomous driving rely on processing large amounts of data - some of it personal - both inside and outside the vehicle. During the development phase, technologies and algorithms are trained with data in order to make the systems fit for use. In the vehicle, sensors of all kinds collect a wide variety of data during the operation of assistance systems in order to increase driving safety, but also to control other features like comfort and entertainment. This data might need to leave the vehicle and be processed in the manufacturer's backend system, for example for use in aftersale maintenance (eg via Over-The-Air Software Updates). A variety of different rules and requirements will apply.
Vehicle data = personal data?
Data protection regulations (almost) always apply to the processing of vehicle data but the issue of when and whether data is considered as personal is less straightforward than it may initially appear. The European Data Protection Board (EDPB) published an Opinion in which it said that Vehicle Identification Numbers (VINs) are personal data (as discussed here). However, the European Court of Justice later held that a VIN is only likely personal data, where the data holder has additional data (or knowledge) to link it to a natural person. In some respects, the ECJ ruling is not surprising as it simply reflects the principles of the GDPR. However, many regulators, including the German supervisory authorities, the automotive industry itself, and some Member State legislation such as § 63f (1) No. 6 StVG in Germany (Straßenverkehrsgesetz) continue to view the VIN as personal data in and of itself.
Will the ECJ ruling now make it easier for original equipment manufacturers (OEMs) to process vehicle data especially for autonomous driving? As always, the answer is: it depends. First, a distinction must be made between the processing of data that takes place exclusively in the vehicle (in-vehicle) and the processing outside it (external). The GDPR will have limited application to in-vehicle processing where the data cannot be accessed by the manufacturer or other third parties. This is often the case with autonomous driving technologies. However, as soon as the manufacturer gains access to data such as sensor information the manufacturer will need to consider whether the data is personal data engaging the GDPR.
If (as will often be the case) the OEM has additional information about the owner/driver of a vehicle (eg through sales/aftersales or connectivity services), the data will be personal data although GDPR obligations may be reduced by pseudonymising and ringfencing access to the data. Whether or not the data is personal, other EU legislation including the Data Act (discussed in more detail here) may play a major role.
In-vehicle vs external processing activities
Even for pure in-vehicle data to which the manufacturer does not have any access, certain data protection rules apply, not least, the principles of privacy by design and default and transparency. These require OEMs to explain to vehicle owners and users at an early stage what data is processed in the vehicle and how it can be stored (see, for example, the CNIL guidelines and the joint statement of the VDA and the German data protection supervisory authorities).
This has an impact on the use of autonomous driving technologies, as assistance systems and sensors generally collect and process the data in-vehicle (often for reasons of safety and data protection). This must be explained to users, including where and how data is stored and how the user can delete it eg if the vehicle is sold.
Technologies must be designed to be data protection-friendly. The amount and duration of stored data must be limited, for example by using less invasive technologies (eg use of sensors that record fewer personal details than live video feeds; or use of circular storage for a constant overwriting of information that is no longer required; or access limitation).
The moment the manufacturer gains access to such data – be it via connected vehicle services, in aftersales or as a relay station for passing the data to third parties such as insurers – the GDPR and other laws will apply.
Guidelines for processing personal data
The EDPB statement on connected vehicles, as updated in 2021 (discussed here), remains the go-to guideline for GDPR compliance in the connected vehicle sector and provides valuable help on a wide range of questions. Various national supervisory authorities have also focused on this, yet significant questions remain.
Special requirements under other (EU) laws
It's not all about GDPR. Further regulations apply and must be observed when designing processes and systems used in vehicles.
For example, the meaning and scope of Article 5 (3) of the ePrivacy Directive (access to data in “terminal equipment”) or its implementing regulations in Member State law (including Article 25 of the TTDSG (Telekommunikation-Telemedien Datenschutz-Gesetz) in Germany, to be amended soon) remain controversial when car manufacturers extract data from vehicles.
To the extent that the data processing is carried out for a service or function that the user uses willingly and knowingly, the law does not generally preclude this. However, the boundaries here are often fluid, particularly in the case of assistance systems and services, as is the differentiation between primary and secondary purposes (eg product monitoring and improvement).
The EDPB follows a broad interpretation of the scope of Article 5(3) with the consequence that the use of vehicle data for secondary purposes such as product development, profiling, marketing etc. without the consent of data subjects is made considerably more difficult. It is often hard to determine the boundaries between the legal obligations of manufacturers (in the area of product compliance, among other things) and what is legally permissible in terms of data protection.
Similar questions arise against the background of the requirements of UNECE regulations R155 (Vehicle Cyber Security Management System) and R156 (Updates of vehicle software/systems), which will apply from 2024. Here, it is often unclear exactly which (personal) vehicle data must or may be used under which conditions for the purposes of cyber security of the vehicle ecosystem, eg when establishing a vehicle SIEM (Security Information and Event Management System).
Manufacturers of connected vehicles also have to consider additional data protection regulations which apply to this sector under European or national law.
Important guidelines for the interpretation and application of data protection principles for autonomous driving technologies can be found in Regulation EU 2019/2144 for driver assistance systems. This contains specifications on IT and data security for corresponding systems by reference to the UNECE r155 regulations, as well as individual data protection regulations, including those on the use of biometric data in assistance technologies.
There are also special data protection requirements in EU Member State laws, for example in the Law on Autonomous Driving that came into force in Germany in 2021 (§§ 63 a ff. StVG (Straßenverkehrsgesetz)).
And what about the development phase?
The collection of personal data during test drives in the development phase is also subject to the provisions of the GDPR. German data protection supervisory authorities, among others, have covered this. Data collection must be made transparent, for example by marking the vehicles and providing special data protection notices. Data processing must be limited as far as possible, for example by anonymising or pseudonymising test data at an early stage. The storage period must be appropriately limited. If several controllers (or processors) are involved in the processing, appropriate data protection agreements must be concluded. If this goes wrong, the authorities may well take action, as they did in the case of Volkswagen in Germany, where a fine was imposed for violations.
Here comes AI (Act)…
As technologies for automated and autonomous driving are often based on AI applications, manufacturers will have to engage with the requirements of the AI Act, which has just been approved by the EU Council, particularly where they are classified as 'high risk' under the Act. The AI Act is without prejudice to the GDPR which will continue to apply where systems process personal data.
Notably, if the AI makes automated decisions which have a legal or similarly significant effect on individuals, Article 22 GDPR will be engaged and the processing will require consent unless it is covered by an exception which must be assessed on a case by case basis. See more on the use of AI in automated and autonomous vehicles here.
The DSK's (German DPAs') statement provides useful assistance with implementation.
A complex framework
This complex data protection framework will get even more burdensome when the Data Act and AI Act apply. As is so often the case, preparation for compliance and early involvement of legal advisors (whether internal and/or external) is key to ensuring the journey goes in the right direction from the start and a Data Protection Impact Assessment should be carried out prior to processing, whether or not one is strictly required.
For a broader look at the topics that will keep vehicle manufacturers up in 2024 see our annual Mobility is going digital! article which focusses on legal topics in automotive digitization as well as the other articles in this edition of Interface.