In-vehicle data

Article

In-vehicle data: how to determine one’s strategic (legal) position to capitalize on opportunities? 

An analysis from a privacy and data protection, security and fair competition perspective 

In the Netherlands seven percent of the 8.5 million cars are “connected”. The coming years more than 200.000 new connected vehicles will yearly hit the roads. These modern sensor-equipped cars generate and collect large amounts of data on, for example, traffic and road conditions, engine performance, driver behavior and the speed and location of the vehicle. This so-called in-vehicle data potentially has enormous value that parties within and outside of the Automotive Industry can benefit from. Data does not, however, have a legal owner so the question is: who can exert influence on this data? Who has the right to access this data and which laws and regulations apply or should apply to the exchange of in-vehicle data?

In-vehicle data

These questions will be analyzed from a privacy and data protection, security and fair competition perspective. In addition, the smart searchable legal and regulatory framework on in-vehicle data that Deloitte Legal has developed together with Automotive Industry branch associations and the Dutch government can help all parties with an interest in in-vehicle data to determine their strategic (legal) position and can help in facilitating qualitative discussions and negotiations regarding access to and the exchange of in-vehicle data.

In-vehicle data can be used for a multitude of aims, e.g. the development of self-driving vehicles and to increase efficiency in the transport sector. It can also be an enabler for the creation of new business models with parties that have an interest in in-vehicle data, such as insurers who can tailor their insurances to the vehicle owner’s driving behavior. Furthermore, governments have an interest in in-vehicle data in light of the development of smart cities, to improve traffic conditions, enable traffic management and to secure road safety. In the context thereof, the European Commission has proposed to install a ‘black box’ in vehicles as of 2022, which is a data recorder that can be read out in case of an accident. 

Besides all the opportunities in-vehicle data has to offer, the large amounts of data that vehicles generate and collect may have implications on privacy & data protection and security that may not be overlooked. It can also lead to discussions in the field of fair competition and raises important questions, such as: who can exert influence on this data? Who has the right to access this data and what requirements apply to the exchange of in-vehicle data? These questions are especially relevant since data ownership as a legal concept does not exist and data monopolies should be prevented in order to safeguard a market with fair competition. The legal and regulatory framework on in-vehicle data provides a searchable and comparable overview of all applicable European and Dutch legislation in relation to in-vehicle data and can be used by all parties with an interest in in-vehicle data as a structured and neutral source ‘a central point of truth’ to discuss the aforementioned questions.  

Smart searchable legal and regulatory framework on in-vehicle data

Privacy and data protection

In-vehicle data can be divided between non-personal data that is collected by sensors with regard to e.g. weather- and roadside conditions or repair and maintenance information and personal data that can be traced back to the vehicle driver, such as location history, driving behavior or even contact details from the vehicle driver’s phone. 

In order to protect the vehicle driver’s fundamental rights, such as the right to privacy and data protection, car manufacturers should ensure there is a high degree of transparency by informing the driver about the data processing that takes place and whether any third parties, and if so, which third parties have access to the data. Moreover, the driver must be able to exercise its rights as a data subject and must be able to manage provided consent. 

The Dutch government, European Commission and European Data Protection Board have acknowledged the importance of the protection of privacy as a fundamental condition for a responsible use and exchange of in-vehicle data. Moreover, they will take an active role where necessary to further develop the existing privacy framework and to initiate discussions and conclude agreements with parties with an interest in in-vehicle data. To set an example, the European Data Protection Board has announced to publish guidelines on connected vehicles in its yearly program of 2019/2020.  

Security

Connected vehicles could be at risk of being hacked, which results in access to the driver’s personal information and even more worrisome, the hacker may take actual control of the connected vehicle, ultimately leading to loss of brake-,engine- and steering control. Besides this, uncertainty remains as to what will happen to the in-vehicle data once a vehicle is sold or stolen or after you have made use of a rental car? 

The Deloitte Global Automotive Consumer Study 2019 shows that Dutch consumers are indeed concerned about the security of connected vehicles, since 60 percent fears someone hacking into their car and putting their personal safety at risk. 

Fair competition

Currently, OEM’s are collecting and processing most of the in-vehicle data, which allows them to exclusively provide access to and take control of this data for which they use – amongst other things – the driver’s protection of privacy as a supporting argument. Since there are many other parties with a legitimate interest in this in-vehicle data, such as car dealers and garage keepers, the question is: how do we create a level playing field, while at the same time ensuring the protection of the driver’s privacy and security?

Rijkswaterstaat has announced that it will collect in-vehicle data of 250.000 vehicles from a multitude of car manufacturers this year in order to increase road safety by making use of strictly anonymous ‘real-time data’. In a later stage the in-vehicle data will also be used to measure road conditions and predict future necessary road maintenance. Not only the Netherlands, but also Germany, Luxembourg, Spain and Finland will be involved in this project along with 4 major car manufacturers and two location technology companies. Rijkswaterstaat states that vehicle owners may withdraw their consent, for this specific project, at any given time and emphasizes that the real-time in-vehicle data will solely be used to increase road safety and not to identify the vehicle owner or draw any conclusions from his or her driving behavior. 

In a recent letter to parliament, Dutch minister of Infrastructure and Water Management Cora van Nieuwenhuizen announced that the Dutch government and the Dutch Authority for Consumers and Markets will be alert to situations that could possibly lead to a data monopoly. The minister specifically said the government would intervene to prevent market dominance if parties with exclusive access to in-vehicle data are not willing to share this data with other parties that have an interest in in-vehicle data. 

Responsibilities

To comply with privacy and security obligations, car manufacturers need to find new ways to give vehicle owners and users insight into collected and processed data. And they are already taking action. Recently, a German car manufacturer launched a new service, providing vehicle owners with an overview of their personal data that is being processed, of third parties that have access to this data and a way to manage consent. 

If companies fail to comply with privacy and data protection legislation, they may face reputational and financial consequences, such as fines for General Data Protection Regulation (GDPR) breaches that can run up to four percent of annual global turnover. Therefore, it is important to take privacy and data protection and security aspects into account by applying privacy and security by design and default at the start of the development process of a connected vehicle.

If companies hinder or restrict fair competition by establishing a market monopoly, on for example in-vehicle data, the European Commission may impose a fine of ten percent of annual global turnover. Therefore, car manufacturers  that collect and process large amounts of in-vehicle data should proactively consider ways of allowing other parties to obtain access to this in-vehicle data to ensure a level playing field. 

Until now there was no single source consisting of a structured overview of applicable laws and regulations in relation to in-vehicle data in the Netherlands and the EU.  This regularly led to misunderstanding and semantic discussions, which the legal and regulatory framework on in-vehicle data wants to overcome by facilitating qualitative discussions and negotiations regarding access to and the exchange of in-vehicle data

Smart searchable legal and regulatory framework on in-vehicle data

In 2019 Deloitte Legal together with stakeholders, such as Automotive Industry branch associations and the Dutch government, have formed a focus group to discuss questions, such as: who may have access to in-vehicle data, under what conditions may different actors in the Automotive Industry exchange in-vehicle data and how can a level playing field be achieved? This has led to the development of a legal and regulatory framework on in-vehicle data. The smart searchable legal and regulatory framework has been validated by independent research experts. It consists of a searchable and comparable overview of all applicable European and Dutch legislation; i.e. public laws (regulations), (intellectual) property laws (including trade secret legislation) and contract laws in relation to in-vehicle data. 

All parties with an interest in in-vehicle data can use the framework as a structured and neutral source – a central point of truth - to determine their strategic (legal) position, stimulate collaborations, engage in collaborative (IoT) projects and set up new ecosystems. The framework may also help in facilitating qualitative discussions and negotiations regarding access to and the exchange of in-vehicle data to achieve a level playing field.  The framework is accompanied by a Thesaurus that provides insights into the layered structure of all the definitions as used in the framework and how these definitions relate to each other, so all parties with an interest in in-vehicle data can engage in discussions on the basis of the same terminology. 

The framework may be obtained by all parties with an interest in in-vehicle data via an open source license, upon payment of the distribution costs. The legal and regulatory framework and specific licensing conditions will simultaneously be available at the beginning of 2020.

Legal and Regulatory Framework on in-vehicle data

More information

Determine your strategic (legal) position regarding access to and the exchange of in-vehicle data. The legal and regulatory framework on in-vehicle data will be available soon. You can pre-register here, and be one of the first to get more information on our framework.

Or visit our website for more information or approach us via below contact details: