With cars increasingly linked to the internet and 7% of the 8.5 million cars in the Netherlands currently connected, the Dutch Data Protection Authority has announced that it will lay down new rules on the ownership and use of travel data, including certain data collected and used by car manufacturers.
The Dutch data authority has cited the protection of car data as a priority for 2019. The practical implications of this are not clear, but regulatory action is likely to follow that will have an effect on car manufacturers, dealers and other parties in the distribution chain in the Netherlands.
The authority's determination to regulate the use of driver and car data is a response to gains made by car manufacturers in the collection and use of the personal data of car owners. This includes information, which makes it possible to directly identify individuals through their vehicles. New technology also allows driver behavior information and data relating to the performance of the car engine to be accessed. This information can be linked to individuals through cross-referencing and is therefore considered personal data. Under the GDPR, this means that car manufacturers must deal with privacy regulations, not only in the context of sales, but also during the use of the car as data is being generated.
Recent research by the University of Amsterdam shows that many owners of connected cars believe that dealers misinform them about the data being collected. Information about the processing of personal data is, according to the research, hard to find or only provided when requested by the buyer. Based on the GPDR, a data controller is required to actively inform a data subject when information is being collected. Since a car manufacturer can be considered a controller, auto makers must provide information to car buyers on all data collection systems prior to purchase.
Legal basis for the processing
In addition, buyers are not offered the option of saying 'no' to the processing of personal data without refraining from buying a car. The GPPR stipulates that the controller must have a legal basis for each processing activity and that this activity must be based on the consent of the buyer. In this case, consent must be given 'freely'. The question is whether this consent rule is valid when it is not possible for the consumer to buy the car without consenting to the processing activity. It is also possible that the controller is able to rely on another legal basis for processing data, such as the car manufacturers legal obligation to collect the data or its need to acquire data to meet contractual obligations with the car buyer. If there is a legal obligation to collect personal data, the car manufacturer must inform the buyer of this.
Research also shows that the privacy statements of car manufacturers do not always identify the parties with whom personal data is shared. The GDPR states that controllers must inform buyers about any recipients of their personal data. The controller can inform the buyer by mentioning the names of the receiving parties, but in some cases it may be sufficient to state the category of these recipients only. A 2018 poll conducted by the Royal Dutch Touring Club (ANWB) revealed that a majority of Dutch motorists are in favour of sharing vehicle data in certain situations. They want, however, to decide who their data will be shared with and have asked for specific regulations to protect the data generated by their vehicle.
The Dutch government announced in their 2017 coalition agreement that they will address data protection in the auto industry, and the Dutch Data Protection Authority is expected to spearhead this issue this year. But the form any new regulations will take remains to be seen.