European Automotive and Telecom Alliance

Third High-Level Meeting on Connected and Automated Driving

Gothenburg, 18 June 2018

Regulatory briefing paper 

Topic: Data protection & privacy

Context: C-ITS (Cooperative Intelligent Transport Systems) and connected services.

Short description: Compliance with GDPR and future ePrivacy Regulation.

 Status:

• GDPR: adopted, applicable as from 25 May 2018.

• Draft ePrivacy Regulation: issued by the Commission in January 2017. Complements the GDPR. Still to be adopted by Council and EP (ordinary legislative procedure).

GDPR

Vehicles equipped with C-ITS constantly broadcast data, inter alia about their speed and location, to other vehicles and roadside units. Cooperative Awareness Messages (CAMs) are distributed within the communications network and provide information of presence, positions as well as basic status of communicating ITS stations to neighbouring ITS stations that are located within a single hop distance. All ITS stations shall be able to generate, send and receive CAMs to the extent that they participate in V2X networks. The same applies to Decentralized Environmental Notification Messages (DENM) such as hazardous location warning, stationary vehicle warning and road works warning.

Since CAM and DENM messages are considered to contain personal data, a legal basis for their processing must be found. So far, it has not been possible within the C-ITS platform (DG MOVE) to identify a suitable legal basis within the GDPR. “Public interest” would require the adoption of a law mandating (specific applications of) C-ITS.

On 4 October 2017, the Article 29 Data Protection Working Party issued Opinion 03/2017 on Processing personal data in the context of Cooperative Intelligent Transport Systems (C-ITS), in which it concluded that the best legal basis would be the enactment of an EU wide legal instrument. It therefore invited the European Commission to implement sector-specific Regulations for collecting and processing data in the field of ITS. The Working Party found that other legal bases that were being envisaged (consent, performance of a contract, legitimate interest) all presented “critical issues” that would need to be addressed before such other legal bases could be relied upon.

Industry, including EATA members, does not agree with this approach and considers that 'legitimate interest' and 'performance of a contract' could be the most adequate legal bases for the processing of personal data in a context with multiple data controllers using the data for diverging purposes, such as in the field of connected cars. Both legal bases are explicitly recognised in the GDPR (Art. 6.1.).

This implies that there is currently no legal certainty for vehicle manufacturers who would wish to equip their vehicles with C-ITS applications, nor for road operators who would want to use roadside units to relay C-ITS messages.

ePrivacy Regulation

Internet of Things services including those provided by connected vehicles that are based on machine-to-machine communications carrying personal data will be subject to the rules of the GDPR.

Moreover, to the extent that these services include 'electronic communications services' as defined in the draft European Electronic Communications Code, they will not only be covered by the GDPR but also by the draft ePrivacy Regulation. This is why it is so important to achieve a real alignment between the provisions of the GDPR and the provisions of the future ePrivacy Regulation. According to the Commission’s initial proposal for the ePrivacy Regulation, only consent would be a valid legal basis for processing personal data for the provision of such services. However, other legal bases (such as performance of a contract and legitimate interest) would appear more adequate than consent in the specific environment of connected cars.

So far, as stated above, both these legal bases are only recognised in the GDPR (Art. 6.1.), but not in the proposed ePrivacy Regulation. This raises several issues:

• It is still unclear whether vehicle manufacturers who provide connected services (such as emergency call, remote lock/unlock and stolen vehicle tracking) using a mobile communications network through a SIM card installed in the vehicle would be considered providers of electronic communications services and therefore be subject to the ePrivacy Regulation. If they were, they could no longer use the contracts which they have signed with their customers for these services as a legal basis. We believe this should not be the case since vehicle manufacturers in this case are just providers of services that incorporate connectivity services from a third-party provider and do not manage the network that is used for the transmission.

• Vehicle manufacturers who would want to process metadata to investigate technical issues with the data transmission when they receive complaints from users would need to obtain the consent of every single user of the vehicles. This appears impracticable and unnecessary.

• Article 8, which prohibits the use of processing and storage capabilities of terminal equipment and the collection of information from terminal equipment without end-user consent, would significantly hamper the deployment of connected vehicles and associated services.

- It would require vehicle manufacturers to obtain end-user consent for transmitting data from the vehicle to an off-board server to provide connected services, even though this could be done on the basis of a contract under the GDPR.

- By requiring consent, it would make it difficult for vehicle manufacturers to install software updates in vehicles, something that becomes increasingly important for cooperated, connected and automated driving.

In order to ensure that the ePrivacy Regulation will not hinder the development of cooperative, connected and automated mobility in the EU, it is of outmost importance that both legal bases are also explicitly recognised in the future ePrivacy rules. An additional provision could be introduced in art. 6.2 along the following lines:

“Network and service providers may process electronic communications metadata:

• if it is necessary, in accordance with Art. 6.1.f. of Regulation (EU) 2016/679 for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the end-user, in particular where the end-user is a child.

• if it is necessary for the performance of a contract to which the data subject is directly or indirectly a party or the user of a service which the contract covers, or in order to take steps at the request of the data subject prior to entering into a contract.”

EATA Position

To facilitate the development of connected and automated driving, EU legislation should be practicable and enable responsible companies to provide innovative services that will enhance European competitiveness and improve the quality of life of European citizens.

The EU institutions should provide guidance to help the industry in finding an appropriate legal basis for implementing C-ITS in accordance with the GDPR.

The European institutions should further explain and justify whether and to what extent the ePrivacy Regulation should apply to connected vehicles and the associated services and why the GDPR would not provide a sufficient level of personal data protection.

In any case, it is important to achieve a real alignment between the GDPR and the future ePrivacy Regulation. The latter should therefore explicitly include legal bases that are more adequate in the environment of connected vehicles such as 'legitimate interest' and 'performance of a contract'.