Joint controllers and e-mobility: who is responsible under data protection law?

Authors: Thanos Rammos and Max Harttrumpf

E-mobility makes driving more sustainable, but at the same time more complex from a data protection law perspective. Various companies are involved in the context of a single charging process at a charging point alone. They interact with each other in different ways. They can be directly or indirectly involved and in doing so come into contact with the customers’ personal data. The distinction of the respective areas of responsibility under data protection law and the associated classification of the players involved as independent controllers, processors bound by instructions or joint controllers is always a question of the individual case. This distinction, in particular with regard to the legal institution of joint control, is subject to uncertainties, as courts, supervisory authorities and voices in literature sometimes use different - and not always convincing - assessment criteria for this purpose.

From the purchase of the electric vehicle to the charging point

When purchasing an electric vehicle, the question of charging options inevitably arises for the customer. In order to increase the attractiveness of the vehicle, the vehicle manufacturer (original equipment manufacturer, “OEM”) therefore usually has an interest in providing the customer with the widest possible access to charging points. This can be achieved, for example, by the OEM recommending a specific e-mobility service provider (“EMSP”). EMSPs can provide access to a large number of charging points in a specific geographical area. In this case, OEMs and EMSPs act completely independently and usually exchange customer data either only once or not at all. Either way, they do not jointly determine the purposes and means of data processing and are each independent controllers under data protection law.

Registration and authentication

Once the customer has decided to use a particular EMSP, a corresponding registration for its service is necessary. This includes, for example, provision of payment data, place of residence and vehicle type. Since the function of the EMSP is limited to providing access to available charging points, their actual operator (the so-called Charge Point Operator, “CPO”) is not yet involved at this point. The EMSP can therefore be assumed to act as an independent controller data protection. As soon as the customer arrives at a charging point and wants to start the charging process, he/she is asked to authenticate himself/herself. A common authentication method is the so-called charging card, which transfers an identification number (customer ID) to the charging point. If this ID is on a list that has been sent to the CPO in advance by the EMSP, the former activates the charging process. Therefore, the only information shared between the EMSP and the CPO is the specific customer ID, which informs the CPO of the customer’s authorisation to charge the car. Alternative authentication processes, for example by using an app of the EMSP, essentially follow the same principle. Although the identity of the customer is pseudonymised during registration, an identification is theoretically still possible, so that the customer ID is generally classified as personal data. In this context, it could be considered whether EMSP and CPO act as joint controllers. This would be the case if and to the extent that they collectively - but not necessarily equally - decide on the purposes and/or means of the data processing, whereby according to the case law of the CJEU, the enjoyment of economic benefits may already be sufficient for the assumption of joint control. With regard to the authentication process, however, the purpose of the data processing is determined solely by the EMSP, because app and charging card are intended to enable its customers to charge their electric vehicles. The means of data processing (app or charging card) are also determined exclusively by the EMSP. In particular, the CPO has no influence on the specific design of the charging cards. These usually follow a unified technical standard, as they are supposed to work at different charging points. Thus, again, the EMSP acts as an independent controller.

The charging process

Once the actual charging process has started, the CPO collects data directly from the customer, such as the duration of the charging process, the position data of the charging point and consequently of the customer, the costs of the charging process and its start and end time. In connection with the above-mentioned customer ID, this data can be attributed to the individual customer and is therefore personal data. The methods of this data collection are entirely up to the CPO. The EMSP has no influence on the software and hardware of the charging point. The same applies to the purpose of the data processing, because the CPO alone determines the activation of the charging process and the charging data required for the subsequent execution of the contract. Insofar, there are again strong indications for the assumption of independent controllership. The lack of a direct contractual relationship between the CPO and the customer is irrelevant because from a data protection law perspective, the actual and not the contractual relationships are decisive. At most, the criterion of economic benefits developed by the CJEU could be used as an argument for joint control between CPO and EMSP. After all, the data processing on both sides ultimately enables and promotes the overlapping business concepts in an economically advantageous way. However, the isolated and template-like application of this criterion must be rejected, unless further circumstances would substantiate joint control. Otherwise, joint control would have to be assumed in almost every economic transaction involving two or more parties, which would contradict the actual circumstances and result in improper joint liability of the parties involved.

The execution of the contract

In most cases, the CPO then transmits the information collected about the charging process to the EMSP for billing purposes. On the part of the EMSP, the information is assigned to the respective customer on the basis of the customer ID. The CPO has no influence on the means and purposes of this data processing by the EMSP. An economic interest of the CPO is also not recognisable, because the identification of the customer in the relationship between the latter and the EMSP is of no relevance for the CPO, whose direct debtor is the EMSP alone. Joint control is once again ruled out.

Special case: Tesla

The assumption of the previous explanations was that OEM, EMSP and CPO are different companies. However, if, for example, a CPO also acts as an EMSP, joint controllership is ruled out from the outset, because in this case CPO and EMSP form a processing unit as an individual controller. Tesla is probably a unique special case, as the company combines all products and services: Tesla does not just manufacture electric vehicles. Tesla also provides charging points (“Superchargers”) that can be used via its own app and integrated software. Tesla is therefore OEM, CPO and EMSP at the same time and consequently an independent controller.

Practical challenges

As has been shown, despite the interaction of various companies in the context of a charging process in the area of e-mobility, joint control under data protection law is rather not to be assumed. In particular, a strict application of the criterion of economic benefits developed by the CJEU in the context of internet-related cases would not lead to appropriate results in this regard. Of course, the previous classifications of the parties involved do not claim any general validity. Rather, a case-by-case consideration is always necessary, taking into account the respective specific circumstances, whereby a distinction should be made in particular between the individual stages of data processing and the associated data flows. Due to the resulting liability-related uncertainties and in view of the increasing popularity of electric vehicles, it would be desirable to obtain a clarifying position from the supervisory authorities on the data protection-related distinction issues in the area of e-mobility.