
On March 1st, 2023, the CNIL launched the Connected Mobility Compliance Club, which aims to be a peer-to-peer venue bringing together players in the sector to discuss the challenges of smart vehicle data collection. It is expected to provide “concrete and appropriate responses” to achieve “alignment of innovation and privacy protection”.
More than 470 million connected cars are expected to be on the roads in Europe, the US and China by 2025. Whether cars or scooters, these vehicles are equipped with numerous sensors that collect thousands of data points and pass them to the companies that sell them: vehicle status, geolocation, life on board, trips made, places you visit regularly, or driving style.
While manufacturers defend themselves by asserting that the data is only used for maintenance purposes or to enhance security and comfort, the CNIL fears an invasion of users’ privacy.
An addition to the Compliance Pack released in 2017?
Hence the creation of this “compliance club”, along the same lines as those for the insurance and banking sectors, which confirms the desire of the French authorities to support each sector separately in data protection. In 2016, a similar consultation was already underway, which resulted in the publication in 2017 of a “connected vehicle and personal data compliance package”.
It recalled that all data that can be linked to an identified or identifiable natural person (in particular through a license plate or vehicle serial number) is personal data protected by the French Data Protection Act (loi Informatique et Libertés), as well as by the European General Data Protection Regulation (GDPR).
The document also clarifies that the collected data must be protected and that its retention period must be limited in time. The collection itself must be for a specific purpose, and the users of the vehicle must at least be informed of the collection, or even give their consent, before the company can access this information.
This compliance package, together with the European Data Protection Board (EDPB) guidelines for connected vehicles and mobility-related applications published in 2020, in conjunction with the GDPR, constitutes the set of reference documents in the industry, even if they do not prevent some manufacturers from deviating from them.
Ubeeqo sued for excessive geolocation
Last July, the digital watchdog fined car-sharing company Ubeeqo €175,000 for violating the privacy of its customers by geolocating them almost permanently. The startup claimed that this simply allowed it to find a vehicle in case of theft or provide assistance to customers in the event of an accident, but the regulator considered that none of these goals justified such fine-grained and intrusive geolocation.
In addition, the excessive duration of data storage (for the entire duration of the commercial relationship with the customer, as well as for three years after the end of the vehicle rental) constitutes a violation of Article 5.1.e of the GDPR. The CNIL deliberately chose to make the decision public in order to send a message to all players in the sector.
Note that between March 29 and June 21, 2022, the European Union also opened consultations on access to data from connected vehicles.