Guidelines on data use in connected vehicles

Unfortunately, a number of points within these guidelines have the potential to create practical difficulties for businesses that deal with connected assets. For example, most data related to a vehicle will be considered “personal data”, since this information is coupled with additional information (such as a vehicle registration number) and can therefore often be “traced” back to an individual driver. The notion that numerous users of the same vehicle (as is the case with a rented vehicle) reduces the possibility of this data being traceable to any individual, was rejected by the EDPB. They note that “[the] potential plurality of users does not affect the personal nature of the data”. In practice this denomination of all vehicle data as personal data could present numerous practical conundrums without clear solutions.

Some potential issues with the EDPB’s original plans have thankfully been resolved in the final publication. For instance, specific guidelines for ‘rented’ vehicles (where the user is not the owner) were initially envisioned, which included privacy advice/requirements, security settings for rental vehicles, as well as specific provisions on data retention and the rights of data subjects. Most notably, there was a section dealing exclusively with personal information on a rental car’s dashboard. Leaseurope pointed out that many of these proposals did not reflect the reality of how vehicle rental/leasing businesses function, what was possible from a technical perspective, or the different market characteristics for short-term and longer-term ‘rental’. In recognition of this, the final guidelines removed any specific recommendations for vehicle rental and instead rely on the general provisions applicable to all connected vehicles.

Read the full regulation

Leaseurope’s response to the original draft

Now that the final EDPB guidelines are published, a number of national data protection authorities have indicated that they will update their own guidance to align with the EDPB. In addition to the work of the EDPB, there is a broader regulatory workstream still in process within the EU institutions which will not only cover vehicle data sharing, but all connected assets. This regulatory work will therefore be relevant for an even broader range of lessors and will be followed closely by Leaseurope.