Summary
The automotive industry's shift towards digital technologies introduces significant legal and compliance challenges under EU law, particularly concerning data collection and usage. Key compliance areas include consent, transparency, data access, and deletion, with the GDPR and ePrivacy Directive playing crucial roles. Infotainment systems, autonomous driving technologies, and telematics for insurance purposes highlight the need for robust data governance, cybersecurity, and privacy by design. The Data Act enhances user rights, allowing data access and sharing with third parties, while the eCall system exemplifies the integration of public safety with data protection. The industry's future lies in embedding privacy, security, and user-centric principles to navigate compliance and foster innovation.
- How does the GDPR impact data collection in infotainment systems?
- What is the significance of privacy by design in automotive systems?
- How does the Data Act change data access for leasing companies?
- What are the cybersecurity requirements for connected vehicles under the NIS 2 Directive?
- What are the main legal challenges faced by the automotive industry due to digital technologies?
The automotive industry's digital transformation faces EU legal challenges, emphasizing data governance, privacy, and innovation.
As digital technologies rapidly transform mobility, the automotive industry is evolving to deliver smarter, more connected experiences for drivers and passengers alike. These systems offer significant user benefits but also face important legal and compliance challenges under EU law. Automotive manufacturers, suppliers, technology providers, and service operators move in an increasingly regulated data environment. However, with smart design and governance, these challenges are manageable.
In this overview, Lukáa Augustín Mrázik, of Kinstellar, highlights key examples of data collection and use in the automotive industry, illustrating how the focus has gone beyond General Data Protection Regulation (GDPR) compliance to encompass broader data governance and innovation.
Key compliance areas
Consent, transparency, and data access
In infotainment systems, valid consent remains critical for the use of a user's data. Closely linked to consent is the overarching obligation of transparency. Under the GDPR and the Directive on Privacy and Electronic Communications (the ePrivacy Directive), users must be informed clearly about the collection and use of their data, especially when infotainment systems access smartphone content. The GDPR requires that individuals be clearly and comprehensively informed about the types of personal data being collected, the purposes of processing, the retention periods, and third-party recipients. The design of many infotainment systems, with small screens and simplified menus, makes it difficult to give users full and clear information at the point of data collection.
The Consumer Protection Directive (EU) 2019/2161 reinforces transparency obligations, prohibiting the presentation of misleading or incomplete information to consumers as they interact with products and services, including vehicles. Given the limits of in-vehicle interfaces, compliance with GDPR transparency obligations and consumer protection rules requires creative approaches, such as layered notices and intuitive design. The Data Act (Regulation (EU) 2023/2854) now strengthens user rights, allowing data access and sharing with third parties (e.g., leasing companies) subject to user authorization.
Data deletion, third-party apps, and crossborder transfers
Proper deletion of personal data when vehicles change ownership also poses significant legal challenges. Infotainment systems often retain sensitive personal information, such as navigation history, contacts, and call logs, beyond the end of a lease or sale. Infotainment systems must implement effective deletion mechanisms to comply with the GDPR's minimization requirement and to avoid misleading second-hand buyers. Third-party apps integrated into infotainment systems require clear controller/processor role definitions and data processing agreements. Without proper oversight, unauthorized data sharing could breach the GDPR, the ePrivacy Directive, and consumer protection standards. Finally, since infotainment data may, in some cases, flow to cloud servers outside the EEA, or use systems in countries outside the EEA and send the data back to the EEA territory, companies must comply with cross-border transfer rules post-Schrems II, using Standard Contractual Clauses (SCCs) and additional safeguards, such as encryption.
Passenger data, cybersecurity, and system design
Infotainment systems frequently collect data from passengers or previous users without direct consent. To comply with the GDPR and ePrivacy Directive, manufacturers work hard to minimize passive data collection and offer easy-to-use privacy controls.
Cybersecurity is essential. The GDPR's security requirements are now complemented by the Directive on measures for a high common level of cybersecurity across the Union (the NIS 2 Directive) and UNECE Regulation No. 155, mandating strong cybersecurity management systems for connected vehicles.
Privacy by Design principles must also govern system settings. By default, telemetry collection without user action violates the GDPR and consumer law. Instead, users should be given control over data sharing when they first use the system.
Autonomous driving
Autonomous driving technologies are among the most advanced systems in the entire automotive industry. They are also the most data-intensive, relying heavily on a wide array of sensors, cameras, GPS, and real-time analytics to interpret the environment, make decisions, and operate vehicles with various levels of human interaction. From a legal perspective, autonomous vehicles raise a wide range of data protection issues, as they process large amounts of data, including data about individuals in their surroundings, such as pedestrians or other drivers. However, not all footage of individuals would be automatically considered data processing under the GDPR. Data from various sensors might collect non-personally identifiable information (such as object size or shape, velocity, and distance in the case of Light Detection and Ranging (LiDAR)).
It is only if these individuals can be identified that processing of such data must comply with GDPR principles, including lawfulness, transparency, data minimization, purpose limitation, and security. To address these and other compliance and design requirements, complex assessments of impact relating to privacy, safety, and artificial intelligence (AI) are done. In the context of autonomous driving, cybersecurity and functional safety are critical, and obligations under the NIS 2 Directive and UNECE Regulation No. 155 must be respected. Sharing of liability among software providers, vehicle manufacturers, and service partners is yet another challenge.
Autonomous driving, as a relatively new technology, requires a proactive approach from a legal and compliance point of view. The legal framework must evolve to be in line with the latest developments in technology.
Mandatory data collection in case of an accident (eCall system)
The eCall system is a mandatory in-vehicle safety feature in the European Union, designed to automatically contact emergency services in the event of a serious road accident. Introduced under Regulation (EU) 2015/758, eCall must be installed in all new models of passenger cars and light commercial vehicles approved after March 31, 2018.
The primary purpose of eCall is to reduce response times for emergency services and save lives. Although eCall is intended solely for emergency purposes, it invariably involves the collection and transmission of personal data. The data transmitted through eCall is considered personal data under the GDPR as it can be linked to an identifiable driver or vehicle owner. eCall shows how public safety objectives can be brought together with individual data protection rights. Its design, focusing on minimal, purpose-specific data collection, is an early example of the Privacy by Design principle, now enshrined in Article 25 of the GDPR.
Data collection for insurance purposes (telematics)
Telematics systems used for insurance purposes typically operate through apps or devices provided by insurance companies, rather than by automotive manufacturers directly. These solutions may collect data, such as speed, braking patterns, acceleration, driving routes, and mileage, to offer personalized, usage-based insurance (UBI) products.
The primary goal of telematics-based insurance is to assess driver risk more accurately and offer tailored premiums, often rewarding safer driving behaviour. However, because telematics data relates to an identifiable individual's driving habits, it qualifies as personal data under the GDPR. Processing this data generally requires the driver's explicit consent, particularly where profiling or automated decisionmaking is involved. Insurers must also conduct Data Protection Impact Assessments (DPIAs) if the processing involves systematic monitoring on a large scale.
In addition to consent-based telematics programs, the Data Act provides insurers or other third-party providers with new tools for innovative services. For instance, insurance technology providers may request access to vehicle-generated data held by automotive companies, subject to user authorization. In some cases, even anonymized or aggregated datasets could be shared with insurers to improve risk modelling or to offer data-driven insurance services, subject to fairness and transparency safeguards.
Leasing companies and data access rights under the Data Act
The Data Act significantly changes how leasing companies can access data generated by vehicles. Traditionally, leasing companies had limited access to vehicle data collected by manufacturers, relying mainly on contractual arrangements or driver cooperation. Under the new regulation and subject to user authorization, leasing companies may now request access to readily available vehicle data, access operational data, maintenance data, and even aggregated usage information generated by a vehicle's infotainment and telematics systems, or use anonymized or aggregated vehicle data to support leasing activities (such as fleet optimization or risk analysis), without infringing on individual privacy rights.
Future outlook: Navigating compliance and enabling innovation
The increasing integration of smart systems into vehicles that collect and process data reflects a broader transformation of the automotive industry toward connectivity, personalization, and datadriven services. While the collection and use of vehicle-generated data pose important legal and compliance challenges under the GDPR, the ePrivacy Directive, the Data Act, and cybersecurity regulations, such as NIS 2 and UNECE standards, these challenges are manageable with the right approach.
Embedding privacy, security, and user-centric principles into product and service design from the outset will not only ensure compliance but also strengthen competitiveness in an evolving and increasingly connected automotive ecosystem. Rather than seeing regulation as an obstacle, the industry should embrace it as a blueprint for smarter, safer, and more sustainable mobility solutions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
