In-vehicle data: how to determine one’s strategic (legal) position to capitalize on opportunities?


In-vehicle data: how to determine one’s strategic (legal) position to capitalize on opportunities?

An analysis from a privacy and data protection, security and fair competition perspective

In the Netherlands seven percent of the 8.5 million cars are “connected”. The coming years more than 200.000 new connected vehicles will yearly hit the roads. These modern sensor-equipped cars generate and collect large amounts of data on, for example, traffic and road conditions, engine performance, driver behavior and the speed and location of the vehicle. This so-called in-vehicle data potentially has enormous value that parties within and outside of the Automotive Industry can benefit from. But with data not having a legal owner, the questions are: who can exert influence on this data? Who has the right to access and (re-)use this data? Which laws and regulations apply or should apply to the exchange of in-vehicle data?

In-vehicle data

In-vehicle data can be used for a multitude of aims, such as the development of self-driving vehicles and to increase efficiency in the transport sector. It can also be an enabler for the creation of new business models with parties that have an interest in in-vehicle data, such as insurers who can tailor their insurances to the vehicle owner’s driving behavior. Furthermore, governments have an interest in in-vehicle data in light of the development of smart cities, to improve traffic conditions, enable traffic management and to secure road safety. In the context thereof, the European Commission has proposed to install a ‘black box’ in vehicles as of 2022, which is a data recorder that can be read out in case of an accident.

Besides all the opportunities in-vehicle data has to offer, the large amounts of data that vehicles generate and collect may have implications on privacy & data protection and security that may not be overlooked. It can also lead to discussions in the field of fair competition, as data monopolies should be prevented in order to safeguard a market with fair competition. The smart searchable legal and regulatory framework on in-vehicle data that Deloitte Legal has developed together with Automotive Industry branch associations and the Dutch government consists of a comparable overview of all applicable EU legislation and Dutch legislation in relation to in-vehicle data and is accompanied by a thesaurus to safeguard uniform use of terms and definitions. It can be used by all parties with an interest in in-vehicle data as a structured and neutral source to determine their strategic (legal) position and to facilitate qualitative discussions and negotiations regarding access to and the exchange of in-vehicle data

Smart searchable legal and regulatory framework on in-vehicle data

Privacy and data protection

In-vehicle data can be divided between non-personal data that is collected by sensors with regard to e.g. weather- and roadside conditions or repair and maintenance information and personal data that can be traced back to or associated with the vehicle driver (see inserted footnote), such as details of journeys made, driving style and data from the vehicle driver’s phone. Both the General Data Protection Regulation (GDPR) and ePrivacy directive are relevant in the context of connected vehicles.

In order to protect the vehicle driver’s right to privacy, car manufacturers (see inserted footnote) should ensure there is a high degree of transparency by providing all of the necessary information regarding the processing in a clear and concise manner. Moreover, the driver must be able to exercise its rights. When the data processing is based on consent, it will only be valid if it meets all the required elements for valid consent and should be obtained from different data subjects separately, such as car owners or car users. Consent may not be bundled with, for example, the contract to buy or lease a new car.

The Dutch government, European Commission and European Data Protection Board (EDPB) have acknowledged the importance of the protection of privacy as a fundamental condition for a responsible use and exchange of in-vehicle data. Moreover, they will take an active role where necessary to further develop the existing privacy framework and to initiate discussions and conclude agreements with parties with an interest in in-vehicle data. As an example, the EDPB has recently published guidelines on connected vehicles for public consultation. These guidelines include, amongst others, recommendations regarding the collection and processing of certain types of data, such as geolocation data, biometric data and ‘traffic offence-related data’, because of their sensitive nature and/or potential impact on the rights and interests of data subjects. The EDBP also emphasized the importance of applying the principles of privacy by design and default to technologies deployed in the context of connect vehicles.


Connected vehicles could be at risk of being hacked, which results in access to the driver’s personal information and even more worrisome, the hacker may take actual control of the connected vehicle, ultimately leading to loss of brake-,engine- and steering control. The EDPB stressed the importance of taking precautions and has listed several recommendations for the implementation of appropriate security measures in its recently published guidelines. When applying security measures, special consideration should also be given to what will happen to the in-vehicle data once a vehicle is sold, or stolen or after an individual has made use of a rental car.

The 2019 Deloitte Global Automotive Consumer Study shows that Dutch consumers are indeed concerned about the security of connected vehicles, since 60 percent fears someone hacking into their car and putting their personal safety at risk.

Fair competition

Currently, parties with significant market shares are collecting and processing most of the in-vehicle data, which allows them to exclusively provide access to and take control of this data for which they use – amongst other things – the driver’s protection of privacy as a supporting argument. Since there are many other parties with a legitimate interest in this in-vehicle data, such as car dealers and garage keepers, the question is: how can a level playing field be realized, while at the same time ensuring the protection of the driver’s privacy?

Four major car manufacturers and two location technology companies are collaborating to assist Rijkswaterstaat with regard to a road safety project. Rijkswaterstaat has announced that it will collect in-vehicle data of 250.000 vehicles from a multitude of car manufacturers this year in order to increase road safety by making use of strictly anonymous ‘real-time data’. In a later stage the in-vehicle data will also be used to measure road conditions and predict future necessary road maintenance.

In a letter to parliament, Dutch minister of Infrastructure and Water Management Cora van Nieuwenhuizen has also announced that the Dutch government and the Dutch Authority for Consumers and Markets will be alert to situations that could possibly lead to data monopolies. The minister specifically said the government would intervene to prevent market dominance if parties with exclusive access to in-vehicle data are not willing to share this data with other parties that have an interest in in-vehicle data.


To comply with privacy and security obligations, car manufacturers need to find new ways to give vehicle owners and users insight into and control over collected and processed data. And they are already taking action. Recently, a German car manufacturer launched a new service, providing vehicle owners with an overview of their personal data that is being processed, of third parties that have access to this data and allowing them to manage consent.

If companies fail to comply with privacy and data protection legislation, they may face reputational and financial consequences, such as fines for GDPR breaches that can run up to four percent of annual global turnover. Therefore, it is important to take privacy and data protection and security aspects into account by applying privacy and security by design and default at the start of the development process of a connected vehicle.

If companies hinder or restrict fair competition by establishing a market monopoly, on for example in-vehicle data, the European Commission may impose a fine of ten percent of annual global turnover. Therefore, car manufacturers that collect and process large amounts of in-vehicle data should proactively consider ways of allowing other parties to obtain access to this in-vehicle data to ensure a level playing field.

Smart searchable legal and regulatory framework on in-vehicle data

Until now there was no structured overview of applicable laws and regulations in relation to in-vehicle data, the relevant actors and interests. This regularly led to misunderstanding and semantic discussions. Deloitte Legal together with stakeholders, such as Automotive Industry branch associations and the Dutch government therefor created a smart searchable legal and regulatory framework on in-vehicle data.

The framework enables anyone with an interest in in-vehicle data to navigate the legal and regulatory landscape, while uniform use of terms and definitions is safeguarded by the accompanying thesaurus.

All relevant actors can use the framework as a structured and neutral source to determine their strategic (legal) position. It can be used to facilitate qualitative discussions and negotiations regarding access to and the exchange of in-vehicle data, engage in collaborative (IoT) projects and set up new ecosystems. The framework will be made available in due course via an open source license.

Learn more about the smart searchable legal and regulatory framework on in-vehicle data by visiting our website. Fill in the contact form to receive updates on the availability of the framework and to pre-register to obtain the framework.

Or reach out to:


Legal and Regulatory Framework on in-vehicle data

More information

Determine your strategic (legal) position regarding access to and the exchange of in-vehicle data. The legal and regulatory framework on in-vehicle data will be available soon. You can pre-register here, and be one of the first to get more information on our framework.

Or visit our website for more information or approach us via below contact details: