From 0 60: Privacy and the New Generation of Connected Cars The European Perspective

Transcription

1 From 0 60: Privacy and the New Generation of Connected Cars The European Perspective Boris Reibach, Attorney at Law (Germany), Data Protection Officer

2 Industry s Key Evolution Elements Autonomous driving chauffeur button Interacted driving car2x

3 European Union Activities Intelligent Car: Automatic emergency call (ecall) Safe usage of consumer ICT in cars Standardization package for car2car communication Intelligent Transportation System: Optimal use of road, traffic and travel data UsualContinuity of traffic and freight management ITS services ITS road safety and security applications Linking the vehicle with the transport infrastructure

4 Example: ecall Mandatory for all new cars, no choice Mandatory minimum set of data

5 Stakeholders Manufacturer Third Parties Dealer Public Bodies Connected Car Data Owner(s) Service Providers (e.g. Insurance Company) Driver(s) Repair Shop

6 IWGDPT s Point of View for the EDR: The data collected and registered in case of an accident does not simply reflect the technical status of the vehicle (fuel consumption, airbag functionality) and the time of the crash, but they will also register and describe (directly or indirectly) in a dynamic way the driver's behaviour (e.g., brake oil pressure at the beginning and end of braking, vehicle speed, including during braking, engine speed, percentage throttle, use or not of safety belts). They are, therefore, personal data related to the driver and, in some cases, passengers (e.g., the information concerning the use of seat belts). Personal or mere technical data? EC Data Protection Directive: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Result for Connected Cars: At least the data is linked to the owner => in most cases personal data (unless this is a corporate entity which is not an individual). Usually the data is also linked to the driver and other third parties.

7 Who owns the personal data? EC Data Protection Directive: No regulation of any ownership for personal data, instead definition of processing: any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction Processing operations are determined by the controller and must be justified by a legitimate ground Result for Connected Cars: Legal system accepts exclusive ownership rights solely for tangible assets Instead of ownership a proccesing right is applicable Processing operations with personal data need a legal justification

8 What principles apply? Lawful processing Purpose limitation Necessity Data subjects beneficiary rights Data reduction and data economy Transparency Data security

9 What are the requirements of the German Council on Jurisdiction in Traffic? 1. The exchange of data and information from the vehicle must be subject to rules that guarantee informational self-determination via transparency and freedom of choice for data subjects (e.g. car owners and drivers). 2. Manufacturers and other service providers must inform buyers in the contract in a comprehensive and comprehensible documented manner about the data generated and processed, and what data in what ways and for what purposes will be transmitted. Changes to such a policy must be notified in good time. Drivers are to be informed adequately in the vehicle. 3 If a voluntary or contractual transfer of data to third parties takes place, vehicle owners and drivers should be enabled to technically and legally control these processing and to stop them if necessary. The principle of data minimization must be ensured. Accident data storage devices, event data recorders, etc. need to be subject to a regulatory standard. 4. For data that is collected, stored or transmitted for statutory purposes, procedural and technical safeguards need to be determined exactly. 5. Access rights of law enforcement agencies and courts are to be specifically defined under strict adherence to fundamental rights and criminal procedural protection objectives.

10 Contact THANK YOU! Scheja & Partner Attorneys at Law (Germany) Boris Reibach