Non-personal vehicle data: new prospects for using and sharing?

The automotive and mobility industry has come a long way in terms of data collection and sharing with the increasing automation of vehicles. An early example is the TMC (Traffic Message Channel). Through the TMC, traffic information is shared through radio signals (RDS) to provide traffic information. Fast forward to (autonomous) cars that can be (partly) controlled with apps, (cargo) drones that offer real time video and audio feeds, and other unmanned vehicles equipped with cameras and various sensors that collect many gigabytes of data.

The potential value of that data is immense. New EU legislation, primarily the Data Governance Act (DGA) and the Data Act (DA) governs the sharing of both personal and non-personal data with vehicle data expressly featured. Various concerns like protecting trade secrets and new obligations on OEMs (original equipment manufacturers) to share data pose challenges for the industry.

In this article, we look at the impact of the new rules on vehicle data.

Non-personal vehicle data

The distinction between personal data (regulated principally by the GDPR) and non-personal data is not clear cut, especially when it concerns vehicle data. For example, a recent decision of the European Court of Justice, established that a Vehicle Identification Number (VIN) cannot, in itself, be considered to be personal data by default. This leaves wiggle room for OEMs to classify certain vehicle data (or datasets) as non-personal data which, in turn, makes it easier to share such data (see here for more).

Non-personal data is data that does not relate to an identified or identifiable natural person. This can be, for example, information on weather conditions, road condition, wear and tear of vehicle components (although the latter is a borderline case, for example data relating to driving-style could possibly be regarded as personal data). It may include:

• traffic information
• safety information - for example the sharing of the location of objects (eg lost cargo or wild animals) on the road
• detection of road conditions - data gathered by (external) vehicle sensors and cameras as well as data from the vehicle itself (for example on the suspension load or wear of tires)
• optimisation of cargo delivery routes, taking into account not only the traffic situation but also other external factors like (temporary) weight/height restrictions.

Data from driverless/autonomous vehicles is more likely to qualify as non-personal data as there is no driver.

Data Governance Act and Data Act

The main pieces of European legislation relevant in the context of non-personal data are the Data Governance Act and the Data Act (although both also cover personal data).

The DGA entered into force on 23 June 2022 and has been in effect since 24 September 2023. The DGA regulates, among other things, the creation of common data pools (so-called Common European Data Spaces), data intermediation services and data altruism. It also prescribes designating national supervisory authorities and the setting up of a European Data Innovation Board.

The DA supplements the DGA and covers, among other things, the actual sharing of data, related (contractual) safeguards and portability requirements for such data in the context of the DA. The DA entered into force on 11 January 2024 and will apply from 12 September 2025.

DGA and non-personal vehicle data

Arguably, the most important element of the DGA, is the creation of Common European Data Spaces. These will be managed by neutral, independent providers of data intermediation services. Examples in relation to mobility are PrepDSpace4Mobility, deployEMDS and Mobility Data Space.

The DGA:

• sets out conditions for the re-use of data held by public sector bodies that is protected for certain reasons. This does not create a right of re-use but rather the conditions under which re-use should be possible
• creates a notification and supervision framework for data intermediary service providers between data holders and potential data users, and data subjects and data users. This safeguards the neutrality and independence of such providers and prevents them from using any data they hold for their own purposes. It also covers: commercial terms, legal, physical and technical requirements; interoperability with other data intermediation services; administrative requirements; and supervisory and compliance requirements, including the appointment of competent authorities
• enables data altruism - the voluntary provision of data by individuals or companies in the public interest. In this context, the DGA covers, among other things: the registration of (and requirements for) recognised data altruism organisations; and a European consent form for the processing of personal data. Improving mobility is explicitly mentioned in the DGA as a public interest goal.

In the context of automated mobility, the concepts of pools of data and data altruism are of special importance. For example, data pools relating to road safety could be created in the public interest (eg enabling the identification of the most dangerous/harmful road conditions, allowing for prioritisation of roadworks). 

See here for more on the DGA.

DA and non-personal vehicle data

While the DGA focuses on the data sharing infrastructure, the DA focuses on the substantive aspect of the data to be shared. Primarily, the DA:

• requires data holders to make connected product data and data from related services available to users and gives users the right to obtain such data
• makes data available to certain EU bodies
• ensures data portability of data shared under the DA
• provides for interoperability (standards)
• includes qualified protection for trade secrets.

In the context of sharing non-personal vehicle data, the concepts of data user, data holder and data recipient can best be illustrated by the practical example of connected cars. These cars gather a plethora of data that is used for various purposes. The data holder would typically be the manufacturer of the car (OEM) that also provides various other services to the driver/owner of the car, for example app access for unlocking/locking or pre-heating/pre-cooling. The data user is the owner/driver of that car. The data recipient could be a third party, like a repair shop wanting to receive maintenance information, or a third party provider of real-time traffic information.

Data sharing with data users

• The car manufacturer (data holder) is required to share certain data with the data users (eg drivers/owners).
• Data holders are also required to share such non-personal data with third-party data recipients (like repair shops).
• The DA sets out conditions and requirements pursuant to which such data must be shared and stipulates parties' rights and obligations.
• When data holders and data recipients agree to compensate the data holder for provision of data to the data recipient, certain requirements apply.
• The DA also prescribes (technical) measures to prevent unauthorised access to data and limited protection for trade secrets.

Preventing use of unfair terms

• In a B2B context, the DA stipulates that unfair contractual terms are not binding on the weaker party. This is relevant for the interaction between OEMs and third-party suppliers.

Making available data to public sector bodies

• When exceptional need arises (for example a public emergency or, in relation to non-personal data, a task carried out in the public interest), EU public bodies may ask to use data from a licence holder. The request must contain specified information set out in a model template to be created by the EC.
• The public sector bodies and EU institutions are also bound by certain obligations, including regarding how they use the data, implementation of technical and organisational measures for confidentiality and integrity of the requested date and erasure terms.
• Compensation for the data holder may be applicable if costs are incurred by the data holder when complying with the access request.

Portability

The DA sets out rules on making it easy for users of data processing services to switch to other providers (similar to GDPR portability requirements). This includes switching from SaaS-based provision of services to on-premise-based provision of services and vice versa. From 12 January 2027, switching charges will be prohibited.

Interoperability

The DA includes various rules on interoperability including in relation to data spaces, data sharing mechanisms and services, in-parallel use of data processing services, and data processing services, including smart contracts for the execution of data sharing agreements.

See here for more on the DA.

Protection for trade secrets and unauthorised use or disclosure of data

The DA also includes (subject to certain requirements) the following safeguards/remedies against unauthorised use or disclosure of data by a third party or data recipient:

• Requirement to erase data by the latter at the request of the data holder/trade secret holder.
  
• Obligation to cease use of the data (where such use can comprise the offering or placing on the market of goods or derivative data or services on the basis of knowledge derived obtained through the data).
  
• Obligation to provide information on the measures taken to put an end to the unauthorised use/disclosure of the data.
  
• Duty to compensate the party for damage suffered due to misuse or disclosure of unlawfully accessed/used data.

Other European (legislative) initiatives on sharing of (non-)personal vehicle data

In addition to the DGA and DA, the European Commission has launched an initiative (a proposal for a Regulation) on setting conditions for accessing and using in-vehicle generated data.

The public consultation took place in 2022. The EC received 159 valid feedback instances, mostly from companies and businesses. The Commission adoption was scheduled for the second quarter of 2023, but has not materialised. It is unclear when the next steps will occur.

Outlook

The DGA and DA, provide the first stepping stones for a framework under which OEMs and third-party suppliers can prepare for the sharing of non-personal vehicle data. Further implementation of templates and documentation is expected in the near future to clarify the scope of the DGA and DA.

While the DGA and DA provide new frameworks that govern the sharing of non-personal and personal vehicle data, it seems there is a lack of clarity on how to implement them. The uncertain status of the pending European Commission initiative for a proposal for a Regulation on the accessing and using of in-vehicle generated data does not help.

Nonetheless, impacted businesses in the automated vehicle sector should consider the following actions:

• Identify potential relevant Common European Data Spaces and assess their relevance to your organisation.
• Identify the potential of data altruism initiatives for your organisation.
• Prepare for the implementation of contractual arrangements for the purpose of sharing data pursuant to the DA.
• Think of strategies to protect trade secrets in the context of sharing non-personal vehicle data under the DA.