French CNIL Reveals the Scope of its Connected Car “Compliance Package”

October 7th, 2016 | Posted by Claude-Etienne Armingaud in Connected Cars | Europe | France | Privacy

On 3 October 2016, during a conference organized by the French Committee of Car Manufacturers (“CCFA”) during the Paris Motor Show, Mrs. Sophie Nerbonne, the Compliance Director of the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”), hosted a press conference in the ongoing fact-gathering for the CNIL’s “compliance package on connected vehicles” (link – in French) on the basis of the Act no. 78-17 dated 6 January 1978, relating to information technology, data files and civil liberties.

A GLOBAL REFLECTION FOR A RESPONSIBLE ECOSYSTEM

Work started on this compliance package, or guidance, the sixth one initiated by the CNIL, on 23 March 2016, with the intent to provide a stable and homogeneous environment for the various participants in the connected vehicles ecosystem.

This fact-gathering, led by the CNIL, aims at gathering numerous participants from the car manufacturing industry, outfitters, insurance companies, public authorities, telco operators and startups.

The CNIL expressed its wish that these participants address data protection issues from the very conception of the services or goods they could provide, the so-called “privacy by design” approach.

By March 2017, this guidance will thus provide the specifics for the implementation of data protection regulation and orientation with regards to data retention periods, identification of the data recipient, as well as the implementation of data subjects’ rights, such as the right to information, opposition and, as the case may be, consent.

THE VARIOUS REFLECTION CATEGORIES

The CNIL recommendations in terms of data protection will be divided into three broad categories:

  • Scenario #1 – personal data remaining within the vehicle, and not transmitted outside to third parties (“in => in”), e.g., navigation assistance system, providing driving analytics exclusively to the driver.
  • Scenario #2 – personal data transmitted outside the vehicle (“in => out”), e.g., a service implemented by an insurer in order to learn about the driver’s behavior (driving breaks, average vehicle speeds, etc.)
  • Scenario #3 – personal data transmitted outside of the vehicle, prior to being reinjected as new information (“in => out => in”), e.g., a dynamic navigation system which may return live information relating to the surrounding traffic and amend the current itinerary.

While a study dated October 2015 (link – in French) revealed that 85% of the French population worried about the disclosure or commercial use without consent of their data, the CNIL reiterated during that press conference that Scenario #1 should be favored by the ecosystem.

THE INFLUENCE OF THE NEW EUROPEAN REGULATION ON DATA PROTECTION

The CNIL also stated that the European approach to “personal data” did not consider such data as goods which may be provided between the players of an ecosystem, but as the object of a fundamental right of natural persons. The compliance package as such will not address this commercial aspect.

Moreover, this compliance package is being drafted within the framework of the implementation, by 25 May 2018, of the European General Personal Data Regulation no. 2016/679 (“GDPR”), whose intended purpose is to unify applicable rules and interpretations across the European Union.

The CNIL reminded that the GDPR notably implemented the key principle of the one-stop-shop, which would allow participants to liaise solely with the data protection authority of the jurisdiction in which they are established, and thereby would simplify the compliance mechanism of companies established in several Member States of the European Union.

In addition, the CNIL reminded that, further to the European Court of Justice decision no. C131/12 dated 13 May 2014 (the “Google Spain” case), and further to the GDPR, European data protection would be applicable not only to data controllers and data processors established within the territory of the European Union (regardless of whether the data processing actually occurred in the European Union), but also, and mainly, to data subjects located within the European Union, regardless of where the data controller or data processor is located, provided that the processing is performed in relation to the offering of goods or services to such data subjects, or if it allowed the tracking of their behavior.

This worldwide extension of the scope of application of European regulation also means that many players from the connected vehicle ecosystem, notably those in Silicon Valley, should have a specific interest in the CNIL’s ongoing reflection, especially if they market vehicles or associated services in Europe.

The CNIL also highlighted its intention to promote the compliance package at the European level, in order to build a common core for the reflection within the European Data Protection Authority working group, the WP29.

NOTABLE ABSENTEES

Several leaders in innovative services and the data-driven economy, such as Microsoft, Google and Apple, have not yet participated in the discussions of the compliance package. During the presentation, the CNIL indicated that these companies had not yet initiated any positive action to be included in the discussion, while reminding everyone that the group remained open to all interested parties.

Software publishers have also been missing from the ongoing effort to this point. However, while the CNIL considers that it is necessary to understand the connected vehicle environment in the first place, the strengthening of the relationship with such key players would come at a later time.

NEXT STEPS: FINALIZE BEFORE MARCH ‘17

The compliance package for connected vehicles should be finalized by March 2017 and presented by the CNIL to the public along with the participants in this collective effort.

The players that can get hold of this upcoming regulatory framework today will benefit from a lead. Car manufacturers or equipment providers, as the point of entry to the man-machine interface, would have a lot to lose if the CNIL recognized them as responsible for everything. If they can unite and anticipate the risk of being subject to liabilities tied to services they may not necessarily control, this compliance package may be an advantage in the ultra-competitive connected car industry.

The next six months represent a limited window for action and the mobilization of the players will need to focus on a concerted effort. Once adopted, this regulatory framework will set the conditions with which the French and, as the case may be, the European ecosystems will need to comply in order to thrive.

First published on K&L Gates Hub with Clémence Marolla
