Published: October 24, 2014 | Hamburg
The 88th Conference of the German Data Protection Commissioners concluded in Hamburg on October 9, 2014. During the conference, the German Federal and State Data Protection Authorities (DPAs) issued a resolution on Connected Cars (‘the Resolution’). The Resolution imposes privacy obligations not only on car manufacturers, but also on all suppliers and industry associations.
The Resolution further states that any processing must either be contractually agreed upon or be based on explicit consent. Considering the German Data Protection Act 2008, which allows data processing for legitimate purposes only if there is a contract or consent, the DPAs are not allowing the manufacturer to process the client’s data without a contract.
Privacy in Connected Cars
The German DPAs highlighted the risks of data processing in the context of “connected cars.” According to the DPAs, automobile manufacturers, distributors, retailers, repair shops and providers of communications and telemedia services must ensure the informational self-determination of drivers. To ensure the informational self-determination of drivers, these entities must:
- Consider the principles of privacy by design and privacy by default in the development phase of new vehicles and communications services for vehicles.
- Observe the principles of data avoidance and data minimization during data processing operations in and around the vehicle. According to the DPAs, the minimum amount of data should be collected and it should be immediately deleted when no longer needed.
- Ensure that data subjects (e.g., drivers and owners) are able to recognize, control and stop data transfers to service providers, such as the vehicle manufacturer, if the transfer is based on contract or consent. In addition, privacy-friendly system settings must provide data subjects with choices regarding processing and the ability to delete data.
- Ensure data security via appropriate technical and organizational measures, particularly with respect to data communications from cars.
“The DPAs realised there are a lot of risks in connected cars; the possibility of collecting data from automobiles such as location and speed, which are recorded on the hardware that is built within the car [can act] as a profile of driver behaviour. DPAs have realised that data risks from the cars are higher than the buyer of the car expects. DPAs will check the compliance of the hardware and software built within the automobile.”
—Boris Reibach, senior associate at Scheja & Partner
The German DPAs agreed with the request of the German Monopolies Commission for stronger cooperation between data protection authorities and competition authorities.
Source: Data Guidance