The ‘Internet of Things’ is one of the current buzzwords in the international data protection sphere. In the future, more and more home appliances will have a connection to the Internet and will serve as sensors in our homes, facilitating our life as one may for example turn on the heating via an app while driving home at night from the office.
Not only will we see more and more smart devices in our homes, but also car manufacturers are increasing their efforts for future solutions of the next generation of smart cars. At this year’s CeBit in Hannover, privacy issues surrounding the smart car were one of the top themes. “I clearly say yes to Big Data, yes to greater security and convenience, but no to paternalism and Big Brother”, said Martin Winterkorn, Chairman of the Volkswagen Group, at the opening ceremony.
The right to protection of personal data is not absolute
Already today, the car is a rolling system of sensors which creates, collects and stores data every inch on its way. But who is the “owner” of this data, created by the machine, saved in a black box in the car and analyzed by the car manufacturer? The driver? The car manufacturer? The car owner? Current European as well as German data protection laws don’t contain specific provisions to sufficiently reply to that question. In fact, one main difference between the fundamental right of property (Art. 17 of the Charter of Fundamental Rights of the European Union, PDF, ‘EU-Charter’) and the right to protection of personal data (Art. 8 EU-Charter) is that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society (see European Court of Justice, C-92/09 and C-93/09).
Position of the German government
In a written answer (PDF, in German) to a question by the opposition party BÜNDNIS 90/DIE GRÜNEN (The Green Party), the German government outlined its position with regard to the ownership of data in smart cars.
The government differentiates between two categories of data: on the one hand, the data for vehicle functions (data in the control units) and on the other hand data for service functions (data, which arise during the use of the infotainment system). According to the answer by the government, basically the car owner has the genuine power of disposition over data in the control units. He decides on the use of the vehicle and he is responsible for its safe condition. In fact, however, the problem arises that these data are useless for the car owner, because in general he does not have the equipment to read out the information stored in the black box. Furthermore, the car owner will in most cases hardly have the expertise to draw any conclusions from the said data. This task is regularly performed by car service stations (with appropriate technical capabilities) on behalf of the car owner. This observation might speak in favor of a situation similar to the one known from data processing agreements under European as well as German data protection law. If a car manufacturer offers additional service functions, not encompassed by the processing agreement concerncing the control units, the relevant data processing operations will often be based on a civil contract with the car owner.
In the words of the German government, the answer to the question of a possible data ownership is “highly complex”.
Legal responsibility and data sovereignty
First of all, because the German Federal Data Protection Act (the “BDSG”) does not recognize some kind of data property. It distinguishes between the data controller (and, acting on his behalf, the data processor), the data subject and third parties. The car owner as well as the driver can in general be considered as data subject. However, according to the government, it is also possible that the data subject himself is the data controller. This depends on his actual “data sovereignty” and whether he may exercise this power over the stored data. In the absence of such an effective power of data sovereignty (e.g. because he does not own the technical devices for reading out data or cannot analyze and understand the data), it is the government’s view that the entity which owns this equipment or knowledge must be considered the data controller (e.g. the car manufacturer or service station owner).
On the other hand, the respective entity will not be considered to be the data controller, if it carries out it tasks and data processing operations on behalf of the vehicle owner. Hence, if a data processing agreement is concluded between the car owner and the car manufacturer, the latter one shall be considered as the processor (in the sense of Art. 2 (e) directive 95/46/EC).
It’s interesting that the government is linking the legal responsibility and competence as data controller to the data sovereignty. This data sovereignty consists of two components: a technical component (accessing and reading out the data) and an element of knowledge to use and understand the data. In general, these requirements might not be fulfilled by the car owners. However, their responsibility (as data controllers) might be created by concluding data processing agreements with service station providers or car manufacturers, acting only on behalf of the car owners.
Ultimately, the assignment of responsibilities is always dependent on each individual case and cannot be determined per se. Due to the difficulty of the assignment of responsibility, the German government wants to foster discussions and further develop the current system of legal responsibilities in the context of the proposed Data Protection Regulation.