GDPR

Adatvédelem mindenkinek / Data protection for everyone

Are cars already driven by data?

2023. szeptember 26. 11:00 - poklaszlo

In recent years, vehicles have been increasingly transformed into computers on four wheels. Connected or smart vehicles collect a lot of data in their operation and the data collection is not limited to their users, but also affects their immediate or wider environment. This data collection will only intensify, as technological solutions are currently being developed and tested (e.g. driving assistance systems, various self-driving functions, ) that collect and process a lot of data. 

The issue of connected vehicles and mobility-related data processing has also been brought under the attention of the European Data Protection Board (EDPB) and addressed in specific guidelines. The EDPB's guidelines illustrate the complex ecosystem in which data processing related to vehicles is embedded and the wide range of uses that the data collected can have. (Interesting insight on this topic can be found in the FIA's "MyCar MyData" project.) 

Such data processing is taking place in a complex ecosystem, which is not limited to the traditional players of the automotive industry, but is also shaped by the emergence of new players belonging to the digital economy. These new players may offer infotainment services such as online music, road condition and traffic information, or provide driving assistance systems and services, such as autopilot software, vehicle condition updates, usage-based insurance or dynamic mapping. Moreover, since vehicles are connected via electronic communication networks, road infrastructure managers and telecommunications operators involved in this process also play an important role with respect to the potential processing operations applied to the drivers’ and passengers’ personal data. (See Guidelines 01/2020, point 2, p. 4)

Given that a significant part of the data collected and processed is personal data, data protection rules also apply in this regard. A recent analysis conducted as part of Mozilla's "Privacy Not Included" project showed that compliance with data protection requirements is disappointingly low for all (!) of the 25 car brands surveyed.  

Some findings from the study: 

  • Each of the 25 car brands surveyed collects more data than is necessary to provide services or maintain a relationship with customers. The scope of data collection is increased by the fact that, because of the complexity of the ecosystem, manufacturers obtain data not only through direct interaction with the user, but also through built-in services and the integrated use of other smart devices. This also leads to the fact that sometimes very sensitive data that is not really related to the use of the vehicle can be processed by car manufacturers (e.g. data on sex life). 
  • The study found that 84% of manufacturers are allowed to share data with third parties and 76% say they can sell the data collected. (Based on the study, it is not clear what the basis for sharing and selling data can be, or to what extent they actually take place, but the proportion of such data transfer possibilities is certainly food for thought....)
  • According to the study, car users in the vast majority of cases (92%) have virtually no control over how their data is used. (It is difficult to determine whether this finding is based on strong foundations, as few details are revealed in the summaries published about the investigation, but it can certainly be a warning sign if it is not sufficiently obvious how data subjects can exercise their rights in relation to the data processed during the use of the vehicle.) 
  • The analyses show that car manufacturers do not excel in data security either, numerous data leaks and data thefts are linked to them, their suppliers and partners. (This statement seems to be supported by the fact that such cases often appear in the news, see, for example, here, here or here.)
  • The audit also found serious weaknesses in the management of consents. (Although it was not specified how other legal bases (e.g. performance of a contract, legitimate interest) are applied, so we have not received a complete picture as far as the legal bases of processing by car manufactures are concerned.)

The results of the study draw attention to the fact that extensive data collection and data processing has reached a sector, and even become very extensive in the past few years, where this was not really the case before. Although, there are some interesting related cases in the recent practice of the authorities (e.g. the case (2021) that resulted in a fine of EUR 1.1 million imposed on Volkswagen in connection with deficiencies in data processing related to activities to train and test of its driver assistance system). At the same time, we can also conclude that data processing in this segment has not yet received the level of attention they deserve. It is likely that in the future we will increasingly encounter the topic of data processing related to the connected vehicles in the framework of investigations by supervisory autorities and guidelines. (In connection with data processing affecting the environment of vehicles, it may be worth taking up previous official statements and guidelines that were issued e.g. in connection with Google Street View, because these can also be a good starting point for data processing during the development and testing of driver assistance or self-driving systems. See e.g. NAIH's 2013 statement in Hungarian.)

Szólj hozzá!
Címkék: EU EN GDPR European Data Protection Board connected vehicles

Ajánlott bejegyzések:

A bejegyzés trackback címe:

https://gdpr.blog.hu/api/trackback/id/tr9618221455

Kommentek:

A hozzászólások a vonatkozó jogszabályok  értelmében felhasználói tartalomnak minősülnek, értük a szolgáltatás technikai  üzemeltetője semmilyen felelősséget nem vállal, azokat nem ellenőrzi. Kifogás esetén forduljon a blog szerkesztőjéhez. Részletek a  Felhasználási feltételekben és az adatvédelmi tájékoztatóban.

Nincsenek hozzászólások.
süti beállítások módosítása