On October 17, after about 18 months of waiting, a consultation involving more than 20 players, and two intermediate versions, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) has released the final version of its “compliance package” on Connected Cars (“Compliance Package”).
The Scope of the Compliance Package
The Compliance Package (available in English here) is designed to help the various participants in this sector comply with personal data protection obligations, regardless of the services provided, as well as inform users of connected services about the expected conditions of the processing of their data.
As announced by the CNIL on October 3, 2017, during an intermediary update organized by the French Committee of Car Manufacturers (“CCFA”) during the Paris Motor Show (see our previous alert from October 7, 2016), the Compliance Package considers three possible scenarios:
- #1 In-In Scenario: Vehicle’s data is not transmitted to the service provider. This scenario concerns data remaining within the vehicle or data transferred between the vehicle and a smartphone through the network of a telecom provider, as long as only the concerned individual has access to such data.
- #2 In-Out Scenario: Vehicle’s data is transmitted to the service provider without any remote automatic action triggered in the vehicle. In this case, only the service provider processes the data collected from the vehicle. For instance, this applies to a service implemented by an insurer in order to understand the driver’s behavior: number of breaks, average vehicle speeds, etc.
- #3 In-Out-In Scenario: Vehicle’s data is transmitted to the service provider to remotely trigger an automatic action in the vehicle. For instance, this applies to a maintenance app that reminds the driver he/she should take his/her vehicle to the garage to carry out necessary maintenance work in the case of worn tires. This may also apply to a dynamic navigation system that returns live information relating to the surrounding traffic and amends the current itinerary.
Two criteria are therefore used to determine which scenario should apply: the potential transmission of data outside the physical vehicle and the conditions of the data processing (only for the concerned individuals, the service provider’s needs, or to influence the vehicle user’s behavior).
The concerned stakeholders will need to consider which scenario suits them the best with their type of product and service. Following this assessment, the Compliance Package will allow them to understand the practical conditions under which they should implement data protection regulation, particularly with regard to the data subject’s information, provision of individual rights, or right to data portability.
The Major Innovations of Compliance Package’s Final Version
Compared to its first version, the CNIL has significantly broadened the scope of application of the Compliance Package.
While the first version only targeted data directly collected from the vehicle, the final version also encompasses smartphone apps that communicate with the vehicle’s data.
Likewise, the Compliance Package initially distinguished car manufacturers from service providers, which may have created an ambiguity regarding the specific status of a car manufacturer. This distinction is no longer made in the Compliance Package, and all stakeholders are treated similarly and designated as “service providers.” This is consistent with the solely relevant concepts: data processor and data controller.
A Consensus That Was Difficult to Reach
This is the first time in the Compliance Package’s drafting history (smart grids, social housing, and insurance) that the CNIL has decided to involve participants from different sectors of the same industry. The CNIL has therefore heard, and sometimes taken into account, the comments of stakeholders with occasionally divergent positions, from car manufacturers to telecom operators as well as insurers and the after-market industry.
While the diversity of the participants could not lead to the satisfaction of all the parties, the consensus reached allowed for the adoption of the Compliance Package, which was already delayed by more than six months, and the refining of its content thanks to the feedback from its first users, as the case may be.
The Adoption of a Compliance Package as Part of a Global Strategy
The adoption of this Compliance Package is made at the dawning of the adoption of the General Data Protection Regulation (“GDPR”), which is scheduled to enter into effect on May 25, 2018, and aims at reforming and harmonizing data protection law within the European Union.
The Compliance Package has therefore been designed to be consistent with the obligations set forth in the GDPR. Indeed, the CNIL’s ambition is to take advantage of the French presidency of the Article 29 Working Party until February 2018 by the CNIL’s chairwoman, Mrs. Isabelle Falque-Pierrotin, and push the Compliance Package at a European level.
All eyes should now be on the discussions to intervene in the next few months at a European level, when the EU data protection authorities’ representatives will brainstorm with the participants in the connected vehicle and technical ecosystems on the Compliance Package and the potential adoption of an equivalent at a European level.
In any case, France wants to be at the forefront of the autonomous and connected cars industry. Indeed, in a press release dated September 15, 2017 (available here in French), the government has announced the launch of a consultation between the autonomous car industry’s players in order to determine France’s strategy by the end of 2017, with the aim of introducing a new orientation law on mobility by early 2018.
The upcoming year 2018, which already seems crucial, is therefore full of promises for the players of the connected and autonomous cars sector, whether or not they were able to participate in the adoption of the Compliance Package.
First publication on K&L Gates Website