In recent days, it was widely reported in the media that a well-known manufacturer began testing a system allowing for display of personalised ads in cars. But attentive drivers are not surprised. It is no secret that a modern car is a computer on four wheels, as it processes large amounts of data to ensure safety, transport efficiency, and access to navigation and infotainment services.
The nature of the processed data varies. Some of them are purely technical machine data. But there is no doubt that some of them are personal data revealing a lot not only about the driver, but also about passengers. This applies to data that uniquely identify a person, such as the driver, and seemingly neutral data that may constitute personal data once they are given a certain context.
Some of these data are particularly sensitive, as the context in which they are processed may pose serious risks to the fundamental rights and freedoms of data subjects. Most commonly, these are:
- Location data
- Special categories of personal data within the meaning of Art. 9 of the General Data Protection Regulation (2016/679), and
- Data that may reveal a prohibited act or traffic offences.
For example, rides taken do not just reveal residential and work addresses, but can also reveal the religion (through place of worship) or political views (through visited places) of persons using the car. Nevertheless, more and more often these data are widely shared with other vehicles, road infrastructure, and various public and private entities.
If there is processing, there must be information
In this context, data protection poses particular challenges to each of the core principles set out in the GDPR. Below we will focus on the first of these, i.e. the requirement to process personal data in a way that is transparent to the data subject.
Implementation of this principle is reflected in the familiar obligations aimed at informing data subjects of relevant aspects of the processing of their personal data. According to the GDPR, notices should be provided in a concise, clear, understandable and easily accessible form, in clear and simple language.
The data subject’s right to information is considered one of the pillars of data protection law. Proper implementation of this obligation is intended to allow individuals to exercise actual control over their personal data. Is this possible on the small interface of a user’s car?
Cars enable processing of personal data for a variety of purposes. Typically, such processing is carried out with participation of car manufacturers, insurers, road infrastructure managers, law enforcement authorities, various service providers (from navigation and infotainment services to car-sharing) and many other third parties, even including car repair shops. According to the GDPR requirements, the data controller (or controllers or joint controllers) should be identified, i.e. the entity which alone or jointly with others determines the purposes and means of the processing of personal data. It is the data controller that is responsible for fulfilment of information obligations under the GDPR.
One car, multiple profiles?
As a rule, information on processing should be provided to each data subject. This primarily means the drivers of a vehicle and their passengers, i.e. potentially many different people. Therefore, it is not sufficient to provide this information exclusively to the primary owner (or lessee or renter) of a car, who does not necessarily drive it every day. Therefore, the possibility of creating a user profile for each driver using the car (similar to profiles used in streaming services or VOD platforms) seems to be the right solution. Such an individualised user profile would not only fulfil the information obligation towards individual drivers but would also allow them to change their privacy settings, as well as exercise their rights under the GDPR. Furthermore, it would limit the risk of data breach for individual drivers, which is particularly relevant when the car is used by unrelated persons, as in the case of car-sharing services or traditional car rental companies.
Several layers of information
Information can also be provided to data subjects in layers.
In addition to the controller’s identity, the first layer includes the purpose of the processing and the data subject’s rights. It should also include any additional information about processing having the greatest impact on the data subject, including information that may surprise them (e.g. details on multiple recipients of their personal data).
The second layer contains all the information required under Art. 13–14 GDPR. The small interface presented to the driver of a car may not allow the data subject to effectively explore this layer, so making it available simultaneously in another way, e.g. on a website or by email, should be considered.
Apart from verbal information, standard graphical characters (icons) can also be used to provide transparency. Ideally, these should be the same symbols, regardless of the make or model of the vehicle (e.g. a commonly recognised location tracking icon).
Connected cars mean more data and more responsibilities
The principles outlined above refer to the simplest situation, i.e. processing of the vehicle user’s data. The situation of data processing by connected cars can be much more complicated. We signal three examples of factors that may lead to extension of information obligations.
First, connected cars may also process other traffic users’ data (e.g. users of other vehicles, cyclists or pedestrians). Fulfilling information obligations towards them can be particularly challenging.
Second, if within the meaning of Art. 22 GDPR, an automated decision-making system is installed in the car, the information obligation should include additional information. In that case, the data subject should be provided relevant information on the decision-making rules of such systems and the significance and foreseen consequences of such processing.
Third, devices installed in vehicles can be classified as telecommunication terminal equipment, which entails the need to meet additional information obligations provided for by Telecommunications Law.
Proper implementation of the information obligation affects the possibility for data subjects to exercise their rights. Therefore, in this context, all controllers processing personal data should pay special attention to this issue at the stage of designing how the data will be processed, in accordance with the principle of “data protection by design.”
Aleksandra Drożdż, M&A and Corporate practice, Wardyński & Partners
Krzysztof Wojdyło, adwokat, New Technologies practice, Wardyński & Partners