(by Federica De Stefani, lawyer and head of Aidr Lombardy Region) On 9 March 2021, after the public consultation, the EDPB guidelines on connected vehicles were adopted, very interesting as regards the principles that are set out.
In a system where connected cars now populate our streets and autonomous driving represents the near future, identifying the principles for the processing of personal data that these cars process is the starting point for any study and development in the automotive sector.
The guidelines, in fact, clearly define their scope of application, providing for the express exclusion of the professional use of connected vehicles, ie public transport.
In other words, the guidelines only deal with the private transport of people.
What relationship can exist between driving a connected vehicle and the personal data of those using this vehicle? What data can a connected vehicle process?
The types of data that are considered by the guidelines are of three different categories, namely the data that is processed inside the vehicle, the data exchanged between the devices, therefore by smartphones, of driver and passengers and of the vehicle and, finally, the data collected inside the vehicle and exported to the outside, because, for example, communicated to the infrastructures.
Already this first identification makes us understand how the data are heterogeneous between them and, at least potentially, referable to different subjects.
Starting from the definition of personal data that is provided by art. 4 of the GDPR, which provides that any information that directly or indirectly allows the identification of the subject must be considered personal data, there seem to be no major problems with regard to direct identification. In fact, it is all those personal data, name, surname, residence, date of birth, which the subject communicates when signing the purchase or rental contract of the car. More complex appears to be the identification of data capable of identifying the subject indirectly.
In the context of the use of a connected vehicle, data is processed which, for example through localization, can lead to the deduction of personal data that even fall within the particular categories of data pursuant to art. 9 of the GDPR, such as data relating to the state of health, for which use is permitted only in exceptional cases indicated by the standard.
But how is it possible that a connected vehicle can reveal sensitive data, according to the wording of the old Privacy Code?
Think of geolocation. Through the analysis of the journeys and paths that the subject takes, having detected a certain frequency in going to a center specialized in the treatment of a particular pathology, it could be deduced that the subject in question is affected by this pathology.
The same goes for other categories of sensitive data, such as political orientation, religious belief or sexual orientation.
The risks that the EDPB identifies with reference to the processing of personal data are grouped into three broad categories that specifically concern the location, which as anticipated poses serious problems as regards the identification of the subject, the information that must be provided to the interested parties and which, at least potentially, can create problems with regard to the equal treatment of the subjects who use the connected vehicle and, finally, the collection of data.
The EDPB takes care to firmly underline how the localization process does not guarantee the privacy of the subject, but on the contrary, puts it in serious danger as being continuously and constantly geolocated on the one hand compresses the right to privacy, on the other hand, underlies a general danger that could lead to so-called mass surveillance.
As regards the information to be provided to the interested parties, the guidelines highlight the danger that there is an asymmetry of information given to the various subjects who can use the self-driving car. In fact, three different types of subjects are identified, namely the owner, the driver and the passenger who, although they can theoretically coincide and therefore be identified with the same subject, can, in practice, be represented by three different and distinct subjects.
The element from which the EDPB starts is the need to distinguish, in all cases, the information to be provided to the interested party from the purchase or rental contract, which is stipulated for the vehicle. This translates into the need to keep the documents separate, since the information cannot be inserted as an accessory clause to the contract which, in itself, will already be rather complex, with the risk, therefore, of getting confused between the various contractual provisions.
The guidelines also underline the need to provide clear and easily understandable information, also through the use of visible signs on the display.
The example of localization is given, which can be signaled as an active option also through a flashing arrow that appears on the car display, in such a way as to put the driver in the condition of being informed of the presence of the function and the possibility of choosing whether to keep this setting or to change it.
If there are no particular critical issues relating to the driver, who at the beginning of the journey will be able to express his preferences and then change the settings according to his own assessments, a different speech must be made for the passenger. The latter, in fact, could start the journey at a later time and, therefore, could find himself undergoing, to a certain extent, the choices that have been made by the driver. No particular information is provided in this regard, so it is desirable that the car manufacturers evaluate solutions that can solve these critical issues.
Finally, the guidelines emphasize the need to pay particular attention to data collection.
The default activation of the collection, in fact, could affect the user's awareness, who could, in this case, not be aware of the processing to which his data are subjected. It should also be added that if the default setting was not modifiable, the person concerned would be in the condition of having to undergo a process activated and set by others.
We can therefore see how the processing of personal data is now connected to any system, including guides, which uses technologies in constant evolution.
The data, as is known, must not be blocked, but must be circulated in full compliance with the protection principles set out in the GDPR.
A continuous challenge, which, by now, none of us can escape.