Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Connected cars can generate large volumes of data, including data on engine performance, location, and driver behaviour. The European Commission has convened multi-stakeholder groups to figure out how to organize access to that data in a safe, competitively neutral, and privacy-friendly way. Two recent reports shed light on the principles under consideration for data sharing infrastructures in the EU. And legislative and regulatory developments in the EU will likely have a substantial impact on connected car deployments.
In the EU, policy conversations about connected cars take place in five different contexts: in the data protection context (the forthcoming General Data Protection Regulation, Article 29 Working Party, EDPS, etc.); cyber security context (Network and Information Security Directive); intelligent transport systems context (ITS Directive 2010/40/EU); the eCall context (Directive 2007/46/EC, Regulation 758/2015); and the digital single market and Internet of Things context (DSM).
In December 2015, a multi-stakeholder group called “C – ITS Working Group 6” created in the context of the ITS and eCall working groups published a report on the possible ways that access might be granted to the data generated by connected cars. European Regulation 758/2015 requires the development of an “interoperable, standardized, secure, open-access platform” for the sharing of data. Originally, the work regarding the data sharing platform was related to the eCall directive, which requires cars to be equipped with communication devices that automatically communicate with emergency services in the event of a serious accident. However, Regulation 758/2015 mandates interoperable, standardized, secure, and open access platforms in the broader context of connected car data, including access to telematics data.
eCall capabilities must be included in new cars sold from April 2018. The December 2015 report lists the working group’s five guiding principles for developing data sharing platforms for connected cars. The first principle is that user consent should be the cornerstone for any data sharing. Second, any platform should respect the need for fair and undistorted competition. Third, a platform must incorporate strong data protection. Fourth, the platform must be tamper-proof and secure. Finally, the platform should support the development of the “data economy,” meaning that the platform should favor data-centric innovation ecosystems.
Working Group 6 identified three technical solutions for data sharing platforms: the first is an on-board application platform that would permit third-party applications to operate within the vehicle’s system, much as a smart phone application operates within a smart phone’s operating system. The second technical solution is to develop a standard in-vehicle interface that would permit third-party external devices to be connected inside the car to the car’s system. Finally, the third measure, and the one that is the most feasible in the near-term, is to provide for an external data server platform. This is the model currently implemented by Original Equipment Manufacturers (OEMs), who are working to develop ISO standards for an “extended vehicle” platform model. In the OEM model, vehicle data is transferred from the vehicle to OEM servers and then made accessible to service providers through a standardized interface. Service providers argue that the external data server platform should be supported by shared servers that are managed by a neutral third party. The OEMs note that there may be substantial organizational difficulties in establishing a shared server platform that would satisfy the needs of all stakeholders. And OEMs argue that the platform should be controlled by the OEMs to enable the OEMs to better managesafety and liability risks.
The WG6’s December 2015 report will feed into an external study that the European Commission is in the process of ordering, and which will examine the liability and privacy risks associated with each technical solution, as well as examine whether data can be shared with third parties and, if so, under what conditions.
In addition to the C-ITS WG6 report, the Alliance for Internet of Things Innovation (AIOTI) Working Group 4 issued a report in October 2015 that argued for the need to develop privacy impact assessment methodologies for Internet of things applications, including connected cars. The WG4 report also recommended that organizations developing technologies for the Internet of Things should share knowledge on approaches to implementing privacy by design, citing Vodafone’s Automotive Usage-Based Insurance product as an example .
On the cyber security front, the NIS Directive will impose cyber security obligations, including data breach reporting, cyber security standards and audits on ITS-related infrastructure, including connected cars. Finally, on the data protection front, the GDPR will put considerable emphasis on developing national and European certification schemes, and such certification arrangements are likely to emerge for connected cars. The French CNIL is already in the process of developing a “compliance pack” for connected cars, and it is fair to assume that the European Commission and data protection authorities will seek to develop a European certification for connected car privacy standards. It will be critical that any certification standards developed under European data protection work streams are consistent with the standards that are emerging under the ITS, eCall and cyber security work streams so that there is a coherent compliance requirement for manufacturers and designers.
Authored by Winston Maxwell