The European Data Protection Board has issued final guidelines on connected vehicles, making few changes from the draft it issued for public comment and leaving OEMs and other stakeholders with a big to-do list.
- Data collected by a connected car is personal data even if it is linked not directly to a name but to technical aspects and features of the vehicle, because it still concerns the driver or the passengers of the car.
- A car is terminal equipment, and you need consent for collecting data under the ePrivacy Directive unless an exception applies.
- You need a separate legal basis under GDPR for further processing, but in many cases that would be consent too.
- You need to operationalize transparency but it won’t be easy.
- You need to operationalize consent: that won’t be easy either.
- You must implement data protection by design and by default.
- A connected vehicle is a type of Internet of Things (IoT) device. As such, it is prone to the same information security concerns as IoT devices, but with potentially greater stakes.