On 26th January 2016, the conference of the German data protection authorities and German Association of the Automotive Industry (VDA) agreed on a joint statement (PDF, in German) concerning aspects of data protection relating to the usage of smart cars.
According to the parties, smart cars and the ongoing digitalization of cars create advantages (safety and comfort) but also risks for the personal rights of individuals. The German authorities and car manufacturers agreed inter alia on the following aspects:
1. Personal data: During the use of modern cars, data is created continuously. Particularly when combined with additional information, the data created by smart cars can be attributed to the car owner or to the driver and be considered “personal data” in the sense of European data protection law. Data created during the usage of a vehicle is at least considered “personal data” within the meaning of the Federal Data Protection Act (Act) if it is linked to the vehicle identification number or the license plate.
2. The decisive factor is the moment of data collection by a data controller within the meaning of the Act. One has to distinguish between a vehicle in which data is stored within the car itself (“offline”) and a vehicle from which data is transferred (“online”), such as when vehicle data is transferred to and stored on back-end servers.
In the case of “offline” cars, data is merely stored without prior collection of personal data, since the requirements of the definition of “collection” (Sec. 3 para 3 Act) are not met. However, as personal data will be stored within the system of the car, this data must be properly protected. Only when the vehicle data is accessed, e.g. by a car service station, does a data collection in the sense of Sec. 3 para 3 Act by a data controller take place.
In the case of “online” cars, a “collection” of personal data already takes place at the moment the data is communicated out of the car.
3. Data controller: Also, for the identification of the data controller within the meaning of Sec. 3 para 7 Act, one has to distinguish between “offline” and “online” cars.
In “offline” cars, the entity extracting the vehicle data from the vehicle and subsequently processing this data will be considered to be the data controller. In general, this will apply to car service stations.
Even if the manufacturer is generally not responsible for the collection of data and is not the data controller during the “creation” of the data, it is still responsible to some extent in terms of data protection principles, especially with regard to the concept of “Privacy by Design”. This is especially true because the manufacturer can influence the subsequent collection and processing of personal data through its technical design choices (nature and scope of interfaces, accessibility). For this reason, when it comes to the technical design options, manufacturers are considered to serve as a point of contact for the data protection authorities in this vehicle category as well.
In “online” cars, entities receiving personal data are considered to be data controllers. This is usually the manufacturer and, where applicable, third-party service providers. Specifically, when manufacturers offer additional services for the car and store personal data on their back-end servers, they are the responsible entity for this data processing operation.
4. Lawfulness of data processing: The admissibility of the data collection and processing could in particular follow from Sec. 28 para 1 sentence 1 No. 1 or 2 Act and Sec. 11 et seq. German Telemedia Act, or result from the consent of data subjects meeting the requirements of Sec. 4a Act.
How the necessary information about data processing operations must be given in order to form part of a contract or to serve as the basis for informed consent (detailed information in the sense of a list of processing operations, or more structured, in an overview) has to be assessed in each individual case. The original purchaser can in any case receive the information from the seller (manufacturer or car dealer). In principle, the key information on data processing operations has to be available in an easily understandable form in the on-board documentation provided by the manufacturer.
5. In terms of “data ownership”, users should be able to decide for themselves, through various options, on the processing and use of personal data. Car manufacturers strive to display the current “connected status” of a vehicle through standardized symbols in the cockpit and to provide options to activate and deactivate this status at any time.