French Data Protection Authority Reveals the Scope of its Connected Car "Compliance Package"
On October 3, 2016, during a conference organized by the French Committee of Car Manufacturers (“CCFA”) at the Paris Motor Show, Mrs. Sophie Nerbonne, Compliance Director of the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”), hosted a press conference as part of the CNIL’s ongoing fact-gathering for its “compliance package on connected vehicles” (link - in French), conducted on the basis of Act no. 78-17 of January 6, 1978 on information technology, data files and civil liberties.
A global reflection for a responsible ecosystem
Work on this compliance package (or guidance), the sixth initiated by the CNIL, started on March 23, 2016, with the intent to provide a stable and homogeneous environment for the various participants in the connected vehicles ecosystem.
This fact-gathering, led by the CNIL, brings together numerous participants from the car manufacturing industry, equipment suppliers, insurance companies, public authorities, telecom operators and startups.
The CNIL expressed its wish that these participants address data protection issues from the very design of the services or goods they may provide, the so-called “privacy by design” approach.
By March 2017, this guidance will thus set out the specifics for implementing data protection rules, with guidance on data retention periods, identification of data recipients, and the implementation of data subjects’ rights, such as the right to information, the right to object and, where applicable, consent.
The various reflection categories
The CNIL recommendations in terms of data protection will be divided into three broad categories:
- Scenario #1 - personal data remaining within the vehicle and not transmitted to third parties outside it (“in -> in”), e.g., a navigation assistance system that provides driving analytics exclusively to the driver.
- Scenario #2 - personal data transmitted outside the vehicle (“in -> out”), e.g., a service implemented by an insurer in order to learn about the driver’s behavior (driving breaks, average vehicle speeds, etc.).
- Scenario #3 - personal data transmitted outside the vehicle and then fed back into it as new information (“in -> out -> in”), e.g., a dynamic navigation system that returns live information on surrounding traffic and amends the current itinerary.
Noting that a study dated October 2015 (link - in French) found that 85% of the French population were worried about the disclosure or commercial use of their data without their consent, the CNIL reiterated during the press conference that Scenario #1 should be favored by the ecosystem.
The influence of the new European Regulation on Data Protection
The CNIL also stated that the European approach to “personal data” does not treat such data as goods to be traded between the players of an ecosystem, but as the object of a fundamental right of natural persons. The compliance package as such will not address this commercial aspect.
Moreover, this compliance package is being drafted within the framework of the implementation, by May 25, 2018, of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), whose intended purpose is to unify applicable rules and interpretations across the European Union.
The CNIL recalled that the GDPR notably introduces the key principle of the one-stop-shop, which allows participants to liaise with a single data protection authority, that of the Member State in which their main establishment is located, and thereby simplifies the compliance mechanism for companies established in several Member States of the European Union.
In addition, the CNIL recalled that, further to the decision of the Court of Justice of the European Union in case C-131/12 of May 13, 2014 (the “Google Spain” case), and further to the GDPR, European data protection law applies not only to data controllers and data processors established within the territory of the European Union (regardless of whether the processing actually takes place in the European Union), but also, and notably, to the processing of data of data subjects located within the European Union, regardless of where the data controller or data processor is located, provided that the processing relates to the offering of goods or services to such data subjects or to the monitoring of their behavior.
This worldwide extension of the scope of European regulation also means that many players in the connected vehicle ecosystem, notably those in Silicon Valley, should take a specific interest in the CNIL’s ongoing reflection, especially if they market vehicles or associated services in Europe.
The CNIL also highlighted its intention to promote the compliance package at the European level, in order to build a common core for the reflection within the Article 29 Working Party (WP29), the group of European data protection authorities.
Notable absentees
Several leaders in innovative services and the data-driven economy, such as Microsoft, Google and Apple, have not yet participated in the discussions of the compliance package. During the presentation, the CNIL indicated that these companies had not yet taken any steps to join the discussion, while reminding everyone that the group remained open to all interested parties.
Software publishers have also been absent from the effort so far. The CNIL considers that it first needs to understand the connected vehicle environment; strengthening its relationship with such key players will come at a later stage.
Next steps: finalize before March 2017
The compliance package for connected vehicles should be finalized by March 2017 and presented by the CNIL to the public along with the participants to this collective effort.
Players that engage with this upcoming regulatory framework today will gain a head start. Car manufacturers and equipment providers, as the point of entry to the human-machine interface, would have a lot to lose if the CNIL were to hold them responsible for everything. If they can unite and anticipate the risk of being subject to liabilities tied to services they may not necessarily control, this compliance package may become an advantage in the ultra-competitive connected car industry.
The next six months represent a limited window for action, and the mobilization of the players will need to take the form of a concerted effort. Once adopted, this regulatory framework will set the conditions with which the French and, as the case may be, European ecosystems will need to comply in order to thrive.
The K&L Gates Paris team has 20 years of experience in inter-professional discussions with the CNIL, which allows it to anticipate the risks and opportunities of these inherently unbalanced exchanges, in which the regulator has the last word.
We can thus highlight the pitfalls to avoid, the topics that will draw the regulator’s attention, the arguments that reinforce a point, and the themes best left off the table.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.