With the development of information and communication, internet, cloud computing, and artificial intelligence technologies, the automotive industry is facing a profound industrial transformation. The automobile is rapidly being transformed from a manually controlled traditional means of transport into an intelligent mobile terminal controlled by intelligent systems. Through the various sensors and connected parts and equipment installed in vehicles, cars collect a large amount of data, including personal data, in the course of driving. Every connected vehicle is a massive data hub [1]. Moreover, the collected data is shared, transferred and used in a complex ecosystem in which the data processors include not only the traditional vehicle or parts manufacturers and suppliers, but also the various participants who provide services, software and platforms for connected vehicles, and those who develop and provide products and services based on the data collected by connected vehicles. Personal information protection is therefore an important topic for every participant and stakeholder in the connected vehicles industry.
On February 7, 2020, the European Data Protection Board ("EDPB") released the "Guidelines on Processing Personal Data in the Context of Connected Vehicles and Mobility Related Applications" ("Guidelines") [2] for public comment. In the absence of specialized personal information protection rules for the automotive industry in China, the recommendations in the Guidelines serve as a good reference for players in China's connected vehicles industry. In this article, we focus on a number of key issues addressed by the Guidelines, in particular from the perspective of connected vehicle and parts manufacturers.
Scope of Application of the Guidelines
The Guidelines deal with personal data (1) processed inside the vehicle; (2) exchanged between the vehicle and personal devices connected to it (e.g., the user's smartphone); or (3) collected within the vehicle and exported to external entities (e.g., insurance companies, car repairers, etc.) for further processing. The Guidelines do not apply to data processing activities that monitor the actions of employees who use connected vehicles provided by their company. "Connected vehicle" under the Guidelines is to be understood as a broad concept: a vehicle equipped with many electronic control units that can share information with other devices both inside and outside the vehicle, not limited to any specific category of vehicles. The Guidelines also apply to standalone mobile applications installed on smartphones to assist drivers, covering functions such as mobility management, vehicle management, road safety, entertainment, driver assistance and well-being.
How to Identify Personal Data in the Context of Connected Vehicles Business
A common question in practice regarding personal information protection of connected vehicles is how to distinguish between personal data and technical data from the data generated from the vehicles. The definition of personal data under both EU and PRC laws is similar, i.e., information that can identify a specific individual or reflect the activities of a specific individual, either alone or in combination with other information (the specific individual is called "data subject").
The Guidelines divide personal data generated from connected vehicles into: (1) directly identifiable data, such as the driver's identity information; and (2) indirectly identifiable data, such as details of journeys made, vehicle usage data (such as data relating to driving style (e.g., braking pattern or acceleration) or the distance covered), vehicle's technical data (such as data relating to wear and tear on vehicle parts, engine coolant temperature, tire pressure), vehicle maintenance data, which by cross-referencing with other files and especially the vehicle identification number (VIN), can be related to a natural person and thus constitutes personal data.
Participants in China's connected vehicles industry face the same issue: data that can directly identify individuals is clearly personal information, but how should the scope of indirectly identifiable data be defined? Since PRC law is still silent on this point to date, we suggest that participants in the connected vehicle industry in China refer to the Guidelines and adopt a broader standard when assessing the scope of personal data in this context.
Further Protection of Special Categories of Personal Data
The Guidelines require vehicle and equipment manufacturers, service providers and other data controllers to pay special attention to three categories of personal data: geolocation data, biometric data, and data revealing criminal offenses or other infractions. Under relevant PRC law, all three categories are personal sensitive information, which warrants higher protection from data controllers when processing such data. For example, express consent of the data subject is required prior to the collection of personal sensitive information; more detailed information must be disclosed to the data subject prior to the sharing or transfer of personal sensitive information; encryption measures are required for the transmission and storage of personal sensitive information; and access to and modification of personal sensitive information may only be allowed on the basis of business need and access control, etc. [3]. The Guidelines provide detailed guidance on how to implement these general principles in the context of connected vehicles in the EU.
The Guidelines take the view that geolocation data are particularly intrusive and revealing of the life habits of data subjects. Accordingly, the data controller is required to be particularly vigilant not to collect location data except where doing so is "absolutely necessary" for the purpose of processing.
The Guidelines further provide that in addition to the general data protection principles, data controllers shall also comply with the following principles when collecting geolocation data:
- adequate configuration of the frequency of access to, and of the level of detail of, geolocation data collected relative to the purpose of processing (e.g., a weather application should not be able to access the vehicle's geolocation data every second, even with the consent of the data subject);
- providing accurate information on the purpose of processing (e.g., whether history of geolocation data is stored, and if so, for what purposes);
- obtaining valid (free, specific and informed) consent from the data subject that is distinct from the general conditions of sale or use;
- activating geolocation only when the user launches a functionality that requires the vehicle's location to be known, and not by default and continuously when the car is started;
- informing the user that geolocation has been activated, in particular by using icons (e.g., an arrow that moves across the screen);
- the option to deactivate geolocation at any time;
- defining a limited storage period.
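The principles listed above are design requirements rather than legal abstractions, so the following added example (written for this article; it is not code from the EDPB or from any manufacturer) sketches how an in-vehicle geolocation broker could enforce them: every app declares a purpose with a maximum polling rate, a precision and a storage limit; consent bundled into general terms is rejected; location flows only while the user has launched a feature that needs it; a dashboard indicator reflects whether collection is actually possible; the user can switch collection off at any time; and stored fixes expire. The app names, purposes, coordinates and time limits are constructed assumptions.

```python
"""Geolocation access broker illustrating the EDPB geolocation principles.
Added example, not from the Guidelines or any vendor; every app name,
purpose and numeric value below is a constructed assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Fix = Tuple[float, float]  # (latitude, longitude) in degrees


@dataclass(frozen=True)
class Purpose:
    """What an in-vehicle app declared it needs location for."""
    description: str
    min_interval_s: float   # coarsest polling rate the purpose justifies
    precision_m: int        # fixes are snapped to this grid before release
    store_history: bool     # whether a journey history may be kept at all
    retention_s: float      # how long stored fixes may live


def coarsen(fix: Fix, precision_m: int) -> Fix:
    """Snap a fix to a grid of roughly precision_m metres (1 deg ~ 111 km)."""
    step = precision_m / 111_000.0
    lat, lon = fix
    return (round(round(lat / step) * step, 6), round(round(lon / step) * step, 6))


class GeolocationBroker:
    """Single choke point between the GNSS receiver and in-vehicle apps."""

    def __init__(self, now_fn):
        self._now = now_fn                        # injectable clock for testing
        self._purposes: Dict[str, Purpose] = {}
        self._consented: Set[str] = set()
        self._running: Set[str] = set()           # features the user launched
        self._last_access: Dict[str, float] = {}
        self._history: List[Tuple[float, str, Fix]] = []
        self._user_disabled = False               # the "off at any time" switch

    def register(self, app: str, purpose: Purpose) -> None:
        self._purposes[app] = purpose

    def record_consent(self, app: str, *, separate_from_terms: bool) -> None:
        # Consent buried in the sales or usage terms is not valid consent.
        if not separate_from_terms:
            raise ValueError("consent must be distinct from general terms")
        self._consented.add(app)

    def launch_feature(self, app: str) -> None:
        self._running.add(app)

    def stop_feature(self, app: str) -> None:
        self._running.discard(app)

    def set_user_disabled(self, disabled: bool) -> None:
        self._user_disabled = disabled

    def indicator_on(self) -> bool:
        """Drives the dashboard icon: lit only while location can actually flow."""
        return not self._user_disabled and any(
            a in self._consented for a in self._running)

    def request_fix(self, app: str, raw: Fix) -> Optional[Fix]:
        """Return a purpose-limited fix, or None if the request is refused."""
        purpose = self._purposes.get(app)
        if purpose is None or self._user_disabled:
            return None
        if app not in self._consented or app not in self._running:
            return None                 # no default or continuous collection
        now = self._now()
        last = self._last_access.get(app)
        if last is not None and now - last < purpose.min_interval_s:
            return None                 # polling faster than the purpose allows
        self._last_access[app] = now
        fix = coarsen(raw, purpose.precision_m)
        if purpose.store_history:
            self._history.append((now, app, fix))
        return fix

    def purge_expired(self) -> int:
        """Apply each purpose's storage limit; returns the number of fixes dropped."""
        now = self._now()
        keep = [(t, a, f) for (t, a, f) in self._history
                if now - t < self._purposes[a].retention_s]
        dropped = len(self._history) - len(keep)
        self._history = keep
        return dropped

    def stored_history(self, app: str) -> List[Fix]:
        return [f for (_, a, f) in self._history if a == app]


def demo() -> dict:
    """Walk through the principles with two constructed apps; returns outcomes."""
    clock = {"t": 0.0}
    broker = GeolocationBroker(lambda: clock["t"])
    broker.register("weather", Purpose("local forecast", 600, 5000, False, 0))
    broker.register("navigation", Purpose("turn-by-turn guidance", 1, 5, True, 3600))
    broker.record_consent("weather", separate_from_terms=True)
    broker.record_consent("navigation", separate_from_terms=True)
    raw = (48.858370, 2.294481)           # constructed sample fix
    out = {}
    out["before_launch"] = broker.request_fix("navigation", raw)
    out["icon_before_launch"] = broker.indicator_on()
    broker.launch_feature("weather")
    out["weather_first"] = broker.request_fix("weather", raw)
    clock["t"] = 1.0
    out["weather_second_after_1s"] = broker.request_fix("weather", raw)
    broker.launch_feature("navigation")
    out["nav_fix"] = broker.request_fix("navigation", raw)
    out["icon_on"] = broker.indicator_on()
    out["weather_history"] = broker.stored_history("weather")
    clock["t"] = 4000.0
    out["purged"] = broker.purge_expired()
    broker.set_user_disabled(True)
    out["after_disable"] = broker.request_fix("navigation", raw)
    out["icon_after_disable"] = broker.indicator_on()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weather app receives a fix snapped to a 5 km grid and is refused a second fix one second later, while the navigation app gets a 5 m fix only after the user launches it; the navigation history is dropped after its one-hour retention window, and the user's off switch overrides everything, including the indicator.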
In the context of connected vehicles, biometric data (such as a face or voice model or a fingerprint) may be used, among other things, to enable access to a vehicle, to authenticate the driver or owner, and/or to enable access to a driver's profile settings and preferences. When considering the use of biometric data, the Guidelines emphasize the need to guarantee the data subject full control over his or her biometric data, including providing a non-biometric alternative (e.g., a physical key or a code) without additional constraint (that is, the use of biometrics must not be mandatory), and storing and comparing the biometric template in encrypted form only locally, with biometric data never processed by an external reading or comparison terminal. The Guidelines particularly emphasize the need to ensure that the biometric authentication solution is sufficiently reliable.
Data revealing criminal offenses or other infractions
It is possible that personal data from connected vehicles could reveal the commission of a criminal offence or other infraction ("offence-related data") and therefore be subject to special restrictions. For instance, the instantaneous speed of a vehicle combined with precise geolocation data could be considered offence-related data. The Guidelines emphasize that the processing of such data may only be carried out under the control of an official authority or when the processing is authorized by EU or Member State law. Instantaneous speed is not, on its own, offence-related data, since by itself it does not reveal an offence given that speed limits vary by location. However, such data could nevertheless become offence-related data because of the purpose for which it is collected (e.g., for the purpose of investigating and prosecuting criminal offences). The Guidelines recommend resorting to local processing of offence-related data, where the data subject has full control over the processing in question, and external processing of offence-related data is forbidden. In addition, given the sensitivity of the data, strong security measures must be put in place to protect against illegitimate access, modification and deletion of those data.
In China, individuals' criminal records that have not been made public are also listed as personal sensitive information, which demands a higher degree of protection. However, relevant PRC regulations do not specify what category of data in the context of connected vehicles may be deemed this type of personal sensitive information, nor whether such data must be processed locally in the vehicle, or only under the control of government agencies or with the authorization of the law. The compliance requirements proposed in the Guidelines in this regard can serve as a good reference.
Some General Recommendations for Controlling Privacy and Data Protection Risks of Connected Vehicles
Personal data in the context of connected vehicles is processed for a wide variety of purposes, including but not limited to driver safety, insurance, efficient transportation, and entertainment or information services. Taking into account the volume and diversity of personal data produced by connected vehicles, the Guidelines require data controllers to ensure that technologies deployed in the context of connected vehicles are configured to respect the privacy of individuals by fulfilling the obligations of data protection by design and by default. The Guidelines require that technologies be designed to minimize the collection of personal data, provide privacy-protective default settings, and ensure that data subjects are well informed and can easily modify the configurations associated with their personal data. These considerations are in line with the data protection principles provided under relevant PRC laws, which, however, lack specific operational guidance on how to apply these general principles in the context of connected vehicles in China.
Local processing of personal data
The Guidelines point out that, in general, vehicle and equipment manufacturers, service providers and other data controllers should, wherever possible, use processes that do not involve transferring personal data outside of the vehicle (i.e., the data is processed locally). This approach offers the advantage of reducing the potential risks of cloud processing, guarantees the user sole and full control of his or her personal data, and presents, by design, fewer privacy leakage risks, in particular by precluding any data processing by stakeholders without the data subject's knowledge. It also presents fewer cybersecurity risks and involves little latency, which makes it particularly suited to automated driving-assistance functions.
Form of notification to the data subject
Prior to the processing of personal data, the data subject shall be informed of the identity of the data controller, the purpose of processing, the data recipients, the period for which data will be stored, and the data subject's rights. The data subjects should be informed by concise and easily understandable clauses in the contract of sale of the vehicle, in the contract for the provision of services, and/or in any written medium by using distinct documents (e.g., the vehicle's maintenance record book or manual) or the onboard computer.
In addition, the Guidelines point out that standardized icons could be used by the connected vehicles to fulfil the duty of notification to enhance transparency by reducing the need for vast amounts of written information to be presented to a data subject. The Guidelines recommend the standardization of those icons, so that the user can find the same symbols regardless of the brand or model of the vehicle. For example, when collecting geolocation data, the vehicles could have a light inside to inform passengers about data collection.
Rights of the data subject
The Guidelines emphasize the importance of facilitating data subjects' control over their data throughout the entire processing period. For instance, the Guidelines recommend that a profile management system be implemented inside the vehicle in order to store the preferences of known drivers and help them easily change their privacy settings at any time. Such a profile management system should centralize all data settings for each data processing operation, in particular to facilitate the access to, deletion and removal of personal data from vehicle systems at the request of the data subject. Drivers should be able to stop the collection of certain types of data, temporarily or permanently, at any moment, unless specific legislation provides otherwise or the data are essential to the critical functions of the vehicle. In addition, the sale of a connected vehicle should trigger the deletion of any personal data collected previously.
In addition to the above, the Guidelines also provide guidance on the use of encryption technology in connected vehicles, the transmission of data to third parties, and the use of in-vehicle Wi-Fi technologies. Data protection compliance is critical to the development, testing and manufacturing of connected vehicles, and the standards and guidance set out in the Guidelines are expected to pose a considerable challenge for work in these areas.
Up to now, China has basically established a general legal framework for personal information protection, but has not yet issued any industry-specific legislation or operational guidelines on this subject for the connected vehicles industry. Participants in this industry in China may refer to the standards and practices proposed in the Guidelines as a reference, and establish an integrated team of external lawyers, corporate legal counsel and technical experts to provide sound advice that takes into account both domestic legal requirements and international best practices, so as to ensure the healthy development of the connected vehicles business in China.
1. For example, a connected vehicle currently integrating sensors such as three cameras, a 32-line lidar and a combined inertial navigation system can produce approximately 20 GB of data per hour when driving autonomously. (Source: National Industrial Information Security Development Research Center, "Autonomous Driving Data Security White Paper", 2020.)
2. See https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-12020-processing-personal-data-context_en for the full text of the Guidelines. The public consultation period ends on March 20, 2020.
3. For details, please refer to the PRC Personal Information Security Specification.