Connected cars will generate large volumes of data, including data on engine performance, location and driver behaviour. The European Commission has convened multi-stakeholder groups to figure out how to organize access to that data in a safe, competitively neutral and privacy-friendly way. Two recent reports shed light on the principles that should apply to any data sharing infrastructure.
Policy conversations about connected cars take place in five different contexts in the EU: in the data protection context (the forthcoming General Data Protection Regulation, Article 29 Working Party, EDPS, etc.); cyber security context (Network and Information Security Directive); intelligent transport systems context (ITS Directive 2010/40/EU); the eCall context (Directive 2007/46/EC, Regulation 758/2015); and the digital single market and Internet of Things context (DSM).
Report on Access to in-vehicle resources and data
In December 2015, a multi-stakeholder group called “C – ITS Working Group 6” created in the context of the ITS and eCall working groups published a report on how connected cars should share data with third-party service providers. European Regulation 758/2015 requires the development of an “interoperable, standardized, secure, open-access platform” for the sharing of data. Originally, the work regarding the data sharing platform was related to the eCall directive, which requires cars to be equipped with communication devices that automatically communicate with emergency services in the event of a serious accident. However, Regulation 758/2015 mandates interoperable, standardized, secure and open access platforms in the broader context of connected car data, including sharing of telematics data.
eCall capabilities must be included in new cars sold from April 2018. The December 2015 report lists five principles that should guide the development of any data sharing platform for connected cars. The first principle is that user consent should be the cornerstone for any data sharing. Second, any platform should respect the need for open and undistorted competition. Third, a platform must incorporate strong data protection. Fourth, the platform must be tamper-proof and secure. Finally, the platform should support the development of the “data economy“, meaning that the platform should favor data-centric innovation ecosystems.
Working Group 6 identified three technical solutions for data sharing platforms: the first is an on-board application platform that would permit third-party applications to operate within the vehicle’s system, much as a smart phone application operates within a smart phone’s operating system. The second technical solution is to develop a standard in-vehicle interface that would permit third-party external devices to be connected inside the car to the car’s system. Finally, the third measure, and the one that is the most feasible in the near-term, is to provide for an external data server platform. This is the model currently implemented by Original Equipment Manufacturers (OEMs), who are working to develop ISO standards for an “extended vehicle” platform model. Competitive service providers argue that the external data server platform should be managed by a neutral third party in order to ensure fair competition. The OEMs argue that the data server must be controlled by the OEMs, to ensure safety and manage liability risks.
The WG6’s December 2015 report will feed into an external study that the European Commission is in the process of ordering, and which will examine the liability and privacy risks associated with each technical solution, as well as examine whether data can be shared with third parties and, if so, under what conditions.
Report by the Alliance for Internet of Things Innovation
In addition to the C-ITS WG6 report, the Alliance for Internet of Things Innovation (AIOTI) Working Group 4 issued a report in October 2015 that highlighted the need to develop privacy impact assessment methodologies for Internet of things applications, including connected cars. The WG4 report also recommended knowledge sharing on privacy by design approaches for connected cars, citing Vodafone’s Usage-Based Insurance product for connected vehicles as an example.
On the cyber security front, the NIS Directive will impose cyber security obligations, including data breach reporting, cyber security standards and audits on ITS-related infrastructure, including connected cars. Finally, on the data protection front, the GDPR will put considerable emphasis on developing national and European certification schemes, and such certification arrangements are likely to emerge for connected cars. The French CNIL is already in the process of developing a “compliance pack” for connected cars, and it is fair to assume that the European Commission and data protection authorities will seek to develop a European certification for connected car privacy standards. It will be critical that any certification standards developed under European data protection work streams are consistent with the standards that are emerging under the ITS, eCall and cyber security work streams so that there is a coherent compliance requirement for manufacturers and designers.