Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The Conference of the German Federal and State Data Protection Authorities during its last meeting on 8 and 9 October adopted the resolution “Data Protection in the Car”. The resolution expresses a concern about what it describes as privacy risks involved in the growing collection and processing of personal data in cars, and the interests of various actors (car manufacturers, service providers, insurance companies, employers) in using those data.
The resolution outlines several obligations of car manufacturers, dealers, repair shops, and providers of communication services.
The most surprising element of these statements is that any processing either must be contractually agreed upon, or must be based on an explicit consent. This fails to consider the EU principle in Article 7(f) of the EU Data Protection Directive that legitimate purposes may justify the collection and processing of personal data. The use of legitimate interests has most recently been confirmed by the Article 29 Working Group in its Working Paper 223 (Opinion 8/2014 on the Recent Developments on the Internet of Things, adopted on 16 September 2014).
The other obligations restate principles that have frequently been quoted in the context of connected cars (but now for the first time by the German Data Protection Authorities):
Although the resolution recognises that these existing obligations, it states that the Data Protection Authorities will work with car manufacturers, suppliers and their industry associations to set uniform data protection standards on a high level.
The resolution follows the 2012 publication by the German Data Protection Authorities of a template notification for the collection and processing of personal data in cars, agreed upon between the German automotive industry and the Bavarian Data Protection Authority. The purpose was to inform consumers, in the user manual, about data collection and processing for technical and security purposes.
The new resolution has the potential to have a broad impact on the privacy afforded to connected car users in view of the global importance of the German automotive industry.
For “Data Protection in the Car”, click here (German only).
Authored by Dr. Stefan Schuppert