Nowadays a growing number of car manufacturers are including services such as camera assistance for parking, remote control of the vehicle, voice recognition or breakdown alerts in their vehicles. These tools are incorporated in our daily life to enhance road security and customer satisfaction.
The announcement of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) on the investigation of 10 big car manufacturers on the use of personal data collected via so-called ‘connected cars’ has reopened the discussion on whether connected vehicles are GDPR compliant or not.
The lack of compliance of connected vehicles might affect a great number of users. According to the European Data Protection Supervisor (EDPS), car manufacturers obtain 25 gigabytes of data per hour from our vehicles. In December 2019, the EDPS also published TecDispatch#3 Connected Cars. It confirmed that last year 80 cyberattacks took place against the smart mobility ecosystem.
Read together these numbers underline the importance of the data generated by connected vehicles. They highlight the need for addressing and investigating their compliance.
GDPR principles & Connected Cars
Following the Guidelines of the European Data Protection Board, connected vehicles potentially involves a risk to five out of seven GDPR principles:
Accountability, integrity and confidentiality
In addition, we (i.e. Cuccibu) also believe that the principles of accountability and confidentiality & integrity might be endangered within connected cars:
What risks does this pose for me?
The most obvious risk that we encounter as customers is the lack of control over the processing of our data. It is complicated to know who is processing our data, what the purpose of the processing is and what the legal basis is etc.
The absence of clarity has an impact on the possibility of exercising our data subject rights. It also has an impact and our ability to make an informed decision on whether we want to purchase a connected car or not.
What should I watch out for when buying a connected car?
When you a buying a new car, make sure to remember that the dealer needs to inform you about:
Please note that the legal ground applicable for the data processing will determine the rights of the data subject. For instance, on the one hand, if the processing is based on the consent of the customer, they always have the right to refuse the processing. Or, they may at a later time withdraw the mentioned consent. If special personal data is recorded the controller needs to obtain explicit consent. For instance, the geolocation of your vehicle that records you going to the doctor.
Alternatively, if the legal basis is legitimate interest the data subject has the right to object the processing. Additional explicit consent for the processing of special personal data will still need to be obtained.
If you have any questions or concerns related to the selling of connected cars in a GDPR compliant way, please contact our professional consultants via firstname.lastname@example.org or +31 (0) 85 303 2984.