An article written by Neil Evans, Account Director at MyLife Digital
Connected vehicles, and connected smart devices more generally, have now moved into the mainstream, which brings data processing to the forefront. They generate large amounts of data that has significant value to an organisation and especially to third parties. This data relates to a natural person who is identified or identifiable, so it constitutes personal data under GDPR and is therefore a challenge to manage.
The Future of Smart Devices
Whilst this article focuses on connected vehicles, the premise also applies to other connected devices: smart speakers such as Alexa, televisions (most of which are now smart TVs), and home security cameras or camera doorbells such as Ring, which are also connected to Alexa and a mobile phone. Many other smart devices now exist, such as fridges and kettles. However, do people really care, or are they even aware, that these devices capture personal data and that it is potentially being shared with 3rd parties without the user's consent, or even knowledge of what is happening with this data and for what purposes? Who knows, in a few years your vehicle will know that you are ready to start your journey because you have just put the kettle on, or you will tell Alexa to turn off the lights and then to start your car to warm it up. Okay, probably not right now due to COVID, but there will come a time when this might become normal practice for some people. Who would have thought, a few years back, that you could speak to a device to turn your house lights on, close the curtains or blinds, or even turn your kettle on? But this is now a reality.
Benefits of Connected Vehicles
There have been a few discussions about connected vehicles and their benefits (links below), but the same could be said of all connected devices and the benefits to the users themselves. There are obvious benefits for car dealerships, as they could see when a component of the car looks to be compromised and contact the owner to get them in for a service or to replace the part, and so increase revenue quicker. Insurance companies would benefit, as they would understand how many miles the car does and whether the driver is careful or erratic, enabling them to set insurance premiums appropriately.
What gets me is that there are so many connected devices that still share this personal data with 3rd parties without the true consent of the individual. The only way to really understand this is to read the manufacturer's T&Cs, and who does that when they buy a new TV or car? It also becomes much harder when you consider different jurisdictions. Most manufacturers of connected vehicles, and companies providing connected devices, are focussed on a global market and will be required to manage different consent depending on where the person is located. But right now, it seems to be a misuse of data, as per the ICO investigation into data brokers. So potentially this could lead to a further investigation by the ICO into manufacturers of connected devices, or those that use telematics solutions.
I believe this poses a huge challenge to capture consent, not only for marketing but also for other purposes, e.g. eCall-based systems, vehicle/device management, mobile apps, etc. This is especially the case when sharing any such data with 3rd parties, be it for entertainment offerings, when connecting the device to solutions such as Spotify, or even to pass data to insurance companies. If this data is being used for direct marketing, then the user should have control to manage the processing of such data.
As a controller, the organisation, be it the manufacturer or the company that uses telematics solutions, must inform the data subject about all the purposes of the processing. So, this is where a Consent and Preference solution from the likes of MyLife Digital can really assist an organisation. It enables an organisation to capture the relevant consent, ensure transparency, and ultimately inform the data subject of the purposes of the processing to which they are being asked to consent. It provides a single platform for both the organisation and the data subject to manage and control consent from the many touchpoints, which include the connected vehicles. All of this is made much harder across jurisdictions, especially as most manufacturers of connected vehicles, and companies involved with connected devices, are focussed on a global market and will be required to manage different consent depending on where the person is located.
Looking at a post from Burges Salmon 1, it again indicates the benefits to an organisation but does not even mention consent from the individual.
Another interesting post is “Research shows data privacy concerns for telematics policies” 2. Telematics is the technology used to monitor a wide range of information relating to a vehicle, and is sometimes referred to as a black box by insurance companies, who use the black box to monitor driver behaviour. This report goes into good detail about telematics and its benefits, and it does highlight that insurance companies are being transparent and obtaining consent, but my personal opinion is that they are only looking at consent for their own purposes, hence not being transparent, as the data is sometimes shared with 3rd parties to whom the individual has not provided consent.
So, understanding the lawful basis for holding the personal data, and making this clear, consistent and obvious, is vital; hence Transparency and Consent are finely intertwined.
The European Data Protection Board (EDPB) 3 published guidelines around the processing of personal data in the context of connected vehicles and mobility-related applications. I would be curious to understand how many car manufacturers, car dealerships, Telematic solution providers or organisations using telematic devices, Insurance companies, or those that share 3rd party data from connected vehicles, have actually read it. However, it is worth a read.
Just to back up what is implied above, these are a couple of references within the European Data Protection Board (EDPB) guidelines that I have picked out. In addition to the GDPR, the “ePrivacy” directive (2002/58/EC, as revised by 2009/136/EC) sets a specific standard for all actors that wish to store or access information stored in the terminal equipment of a subscriber or user in the European Economic Area (EEA). As recently outlined by the EDPB in its Opinion 5/2019 on the interplay between the “ePrivacy” directive and the GDPR, art. 5(3) ePrivacy directive provides that, as a rule, prior consent is required for the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user. To the extent that the information stored in the end-user’s device constitutes personal data, art. 5(3) ePrivacy directive shall take precedence over art. 6 GDPR with regards to the activity of storing or gaining access to this information. Any processing operations of personal data following the aforementioned processing operations, including processing personal data obtained by accessing information in the terminal equipment, must additionally have a legal basis under Art. 6 GDPR in order to be lawful.
So, if concerned by this, then it is worth looking at the MyLife Digital Consent Preferences offering, as it can really help an organisation capture consent, transparently and compliantly and ultimately build trust with customers/prospects.
To request further information or book a demo, please get in touch.