Informed
Insurance
welcome to informed insurance
Informed
Insurance

Technology and AI

For further information about Technology click here

Technology and AI

Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications latest response

The European Data Protection Board (“EDPB”) published its guidelines on the processing of personal data in the context of connected vehicles and mobility related applications (which can be accessed here) for consultation on 7 February 2020. The consultation was due to close on 20 March but due to recent events, it has been extended to 1 May 2020. DACB have submitted a response.

Following our review of the guidelines, we were glad to see that the majority of areas we felt required guidance from the EDPB had been addressed. With that being said, there are areas that we would welcome more guidance on:

Joint controllers (data controllers who jointly determine the purposes and means of processing) Whilst the guidelines do acknowledge that there are likely to be joint controllers involved in the connected vehicles sphere, it does not provide any examples of when or who these might be. Joint controllers remains a complex and currently grey area because of the lack of guidance or clarity on the subject. We therefore await the EDPB’s separate guidance on joint controllers to provide greater certainty.

GDPR obligations – The guidelines do little to address how the GDPR information and transparency obligations can be complied with. In light of the challenge to adequately inform drivers and passengers about the processing of their personal data (when such information is generally only given to the vehicle owner who may not be the driver), the guidelines do not provide any practical solutions or guidance of how this can be overcome and how controllers can sufficiently meet their transparency requirements. We have raised this point within our response.

Consent - The EDPB recommends that data subjects should have the ability to activate and deactivate the data processing for each processing purpose. In practice, this would be particularly difficult to implement given that consent would be the only legal basis for processing. The key challenges with relying on consent is that the threshold for GDPR consent is high and individuals have the right to withdraw their consent. For these reasons, insurance industry participants generally seek to rely on alternative legal bases for processing activities where possible. We have asked for further guidance on this.

Access for Insurers - There are some aspects which we feel would be particularly detrimental and challenging to the insurance industry. The guidelines recommend that access for insurance companies to behavioural data should be limited to an aggregate score, rather than the underlying raw data. We recognise that insurers require this granular level of data to inform pricing models and to be able to offer discounts to policyholders. We have raised this as being a potential problem and barrier.

Data retention – The retention of data has always been a difficult area for the insurance industry which has historically held huge volumes of personal data indefinitely. The EDPB states that “the sale of a connected vehicle and change of ownership should trigger the deletion of any personal data”. It is not clear whether this trigger would apply to all data controllers (in particular which insurance industry participants) and how this would work practically. We have asked, in our response, for further guidance and examples to assist data controllers in ascertaining how they would align such deletion obligations with the mapping or auditing of any vehicle sales.

Data flows in the event of a collision: Additionally, there is little guidance around the practicalities following a collision. It is not clear when personal data should be transferred to insurers or manufacturers in the event of a collision or an accident and what the associated data flows would be. The following questions remain unanswered: (i) when should data be required to be sent to manufacturers or insurers following a collision?; (ii) what is the role of insurers when there is a collision arising from a fault in the vehicle?; and (iii) how will liability be apportioned where the vehicle software has not been updated to the latest version by the driver?

At this moment in time, it is difficult to say whether this is something that individual data protection regulators or the Government will legislate on and we hope that in the coming months these points will be picked up by either the EDPB or the ICO.

To see a copy of DACB’s response to the guidelines, please click here.  

The latest from Technology and AI

Technology and AI

Where is the UK's place in the future of the skies? The practical implications of a VTOL takeover

Vertical Take-Off and Landing aircraft (VTOL), and in particular electric-powered VTOL (eVTOL), have been described as a greener and cheaper mode of transportation that will revolutionise our skies. With a myriad of uses, they offer a level...

Read more >

Technology and AI

The AI revolution: The pace of change accelerates

The AI revolution is underway. We are already living through an era of profound change that will be talked about for generations to come.

Read more >

Technology and AI

Cyber Risks and the Digital Revolution:

Finally, it seems the cyber threat penny has dropped, with most businesses now working hard to protect their assets from hackers. For the shipping sector, where does that threat sit among the myriad of competing priorities?

Read more >
1 of 3Next page >>
Back to top