For further information or enquiries, please contact:

Global Head of Insurance
+44 (0) 117 918 2225
Chief Executive Officer - Claims Solutions Group
+44 (0) 121 698 5270

Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications latest response

The European Data Protection Board (“EDPB”) published its guidelines on the processing of personal data in the context of connected vehicles and mobility related applications (which can be accessed here) for consultation on 7 February 2020. The consultation was due to close on 20 March but due to recent events, it has been extended to 1 May 2020. DACB have submitted a response.

Following our review of the guidelines, we were glad to see that the majority of areas we felt required guidance from the EDPB had been addressed. With that being said, there are areas that we would welcome more guidance on:

Joint controllers (data controllers who jointly determine the purposes and means of processing) Whilst the guidelines do acknowledge that there are likely to be joint controllers involved in the connected vehicles sphere, it does not provide any examples of when or who these might be. Joint controllers remains a complex and currently grey area because of the lack of guidance or clarity on the subject. We therefore await the EDPB’s separate guidance on joint controllers to provide greater certainty.

GDPR obligations – The guidelines do little to address how the GDPR information and transparency obligations can be complied with. In light of the challenge to adequately inform drivers and passengers about the processing of their personal data (when such information is generally only given to the vehicle owner who may not be the driver), the guidelines do not provide any practical solutions or guidance of how this can be overcome and how controllers can sufficiently meet their transparency requirements. We have raised this point within our response.

Consent - The EDPB recommends that data subjects should have the ability to activate and deactivate the data processing for each processing purpose. In practice, this would be particularly difficult to implement given that consent would be the only legal basis for processing. The key challenges with relying on consent is that the threshold for GDPR consent is high and individuals have the right to withdraw their consent. For these reasons, insurance industry participants generally seek to rely on alternative legal bases for processing activities where possible. We have asked for further guidance on this.

Access for Insurers - There are some aspects which we feel would be particularly detrimental and challenging to the insurance industry. The guidelines recommend that access for insurance companies to behavioural data should be limited to an aggregate score, rather than the underlying raw data. We recognise that insurers require this granular level of data to inform pricing models and to be able to offer discounts to policyholders. We have raised this as being a potential problem and barrier.

Data retention – The retention of data has always been a difficult area for the insurance industry which has historically held huge volumes of personal data indefinitely. The EDPB states that “the sale of a connected vehicle and change of ownership should trigger the deletion of any personal data”. It is not clear whether this trigger would apply to all data controllers (in particular which insurance industry participants) and how this would work practically. We have asked, in our response, for further guidance and examples to assist data controllers in ascertaining how they would align such deletion obligations with the mapping or auditing of any vehicle sales.

Data flows in the event of a collision: Additionally, there is little guidance around the practicalities following a collision. It is not clear when personal data should be transferred to insurers or manufacturers in the event of a collision or an accident and what the associated data flows would be. The following questions remain unanswered: (i) when should data be required to be sent to manufacturers or insurers following a collision?; (ii) what is the role of insurers when there is a collision arising from a fault in the vehicle?; and (iii) how will liability be apportioned where the vehicle software has not been updated to the latest version by the driver?

At this moment in time, it is difficult to say whether this is something that individual data protection regulators or the Government will legislate on and we hope that in the coming months these points will be picked up by either the EDPB or the ICO.

To see a copy of DACB’s response to the guidelines, please click here.  

The latest from Technology

Technology Feb 21

DAC Beachcroft responds to latest Law Commission Automated Vehicles consultation

DAC Beachcroft has lodged its response to the second consultation paper in the Law Commission’s Automated Vehicles project, this consultation dealing with passenger services and public transport.

Read more >

Technology Sep 9

The Drive for Automation

International moves towards automated vehicles pose a number of challenges, particularly on liability, data...

Read more >
Back to top
Legalign Global Logo