Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

European Commission Outlines Data Sharing Strategy for Connected Vehicles

shutterstock_94246042Connected vehicles today are rolling computers able to exchange information wirelessly with manufacturers, other vehicles, and third party service providers to significantly improve safety, efficiency, and comfort for drivers.  Many entities are interested in the data these connected vehicles generate and transmit.  These entities include dealers and repair shops, vehicle fleet service providers, end-users, infrastructure operators, diagnostics providers, researchers, financial services companies and insurance companies.  The European Commission and industry actors in Europe, while recognizing the challenges of wide-spread deployment of these technologies, have taken further steps to develop a regime that facilitates information sharing for vehicle to vehicle, vehicle to infrastructure and other communications by delineating specific actions to take in the near future.

European Commission adopts strategy on Cooperative Intelligent Transport Systems

In 2014, the European Commission established a Cooperative Intelligent Transport Systems (C-ITS) multi-stakeholder platform, with an aim toward “cooperative, connected and automated mobility” and worked to identify remaining obstacles to C-ITS deployment in Europe. The first phase of the C-ITS platform resulted in an expert report in 2015, unanimously endorsed by participants in 2016.

C-ITS is based on a 2010 EU directive intended to facilitate the deployment of EU-wide interoperable smart transport systems. The directive has a broad scope, covering eCall emergency calling, and communication of dangerous road conditions, traffic conditions, and truck parking spaces.

On 30 November 2016, the Commission released a Communication providing detailed priorities in its strategy. The objective of the strategy is to allow for a wide-scale commercial deployment of C-ITS—a network of vehicles that can “talk” to each other and to EU transport infrastructure—by 2019.

The Communication focuses on vehicle data relevant for transport safety and the environment. But a leaked version of a future Commission Communication on free data flows makes it clear that the Commission is thinking beyond just road safety, to the broader issues surrounding the connected car ecosystem.  The leaked draft of the Commission’s “Building a European Data Economy” Communication focuses on issues such as whether a vehicle manufacture “owns” vehicle-generated data, and if so, whether certain access rules, such as FRAND licensing conditions, should apply.  The leaked version may not reflect the Commission’s final document, which is scheduled to be released in January, but it shows that connected vehicle data is high in the Commission’s agenda.

The Commission’s November 30, 2016 C-ITS Communication emphasizes that data sharing must comply with data protection rules.  Data broadcast from C-ITS vehicles will, in principle, qualify as personal data, related to an identified or identifiable person. The Commission refers to obtaining consent from end-users when processing data, but as practitioners know, consent is not always a practical or particularly robust way of proceeding, particularly when safety issues are at stake. Terms and conditions will be essential for end-users to be aware and consent to processing of their personal data. The Commission will publish guidance on this issue in 2018.

The Commission’s strategy includes developing a legal framework throughout the EU in order to provide legal certainty to public and private actors and to ensure that technical rules (regarding services, technologies, standards, security, etc.) contribute to the interoperability of C-ITS services at all levels. This includes cooperating with international partners, particularly in research, development, and innovation. The Commission plans to use the new C-Roads Platform to link C-ITS deployment and testing activities across the member states.

Automobile industry underlines security risks to in-vehicle data access

In addition to the European Commission’s Communication, at a recent conference, the trade associations for the European automobile manufacturer and automotive supplier sectors announced a joint commitment to work toward solutions for secure and safe access to vehicle data for interested market participants.  The European Automobile Manufacturer’s Association (ACEA) released on December 2, 2016 a position paper on sharing data with third party service providers.  Manufacturers want to avoid a regulatory framework that would force data sharing, and emphasize the need to allow individual B2B negotiations for third party data access outside of the ITS road safety context.

Manufacturers and suppliers are developing alternatives to direct in-vehicle access to data, citing concerns for road and product safety, data security, and liability issues. As an example, the groups propose having vehicles communicate relevant data securely to an off-board facility that market participants can access. This external server would decrease the risk for unauthorized access or cyber-attacks by reducing the number of potential targets and entry points. The groups also propose installing neutral servers, not owned, operated, or financed by the vehicle manufacturers, in order to protect customers’ data privacy rights and ensure service providers’ identities are not disclosed to the manufacturers. ACEA and CLEPA are working together on a “proof of concept” effort.