On October 17, 2017, the French Data Protection Authority (“CNIL”), after a consultation with multiple industry participants that was launched on March 23, 2016, published its compliance pack on connected vehicles (the “Pack”) in line with its report of October 3, 2016. The Pack applies to connected vehicles for private use only (not to Intelligent Transport Systems), and describes the main principles data controllers must adhere to under both the current French legislation and the EU General Data Protection Regulation (“GDPR”).
The CNIL distinguishes between the following three scenarios:
1. “IN -> IN” scenario
The data collected in the vehicle remains in that vehicle and is not shared with a service provider (e.g., an eco-driving solution that processes data directly in the vehicle to display eco-driving tips in real time on the vehicle’s dashboard).
2. “IN -> OUT” scenario
The data collected in the vehicle is shared outside of the vehicle for the purposes of providing a specific service to the individual (e.g., when a pay-as-you-drive contract is purchased from an insurance company).
3. “IN -> OUT -> IN” scenario
The data collected in the vehicle is shared outside of the vehicle to trigger an automatic action by the vehicle (e.g., in the context of a traffic solution that calculates a new route following a car incident).
In addition to listing the provisions already included in its report of October 3, 2016, the CNIL analyzes in detail the three scenarios described above and provides recommendations on the:
- purposes for which the data can be processed;
- legal bases controllers can rely upon;
- types of data that can be collected;
- required retention period;
- recipients of the data and use of processors;
- content of the notice to data subjects;
- applicable rights of individuals with respect to the processing;
- security measures to adopt; and
- registration obligations that may arise under current law.
Beyond being a helpful guide for data controllers to refer to when implementing such tools in vehicles, the Pack might help preview how supervisory authorities will interpret various GDPR provisions.