At the Paris Motor Show earlier this month, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “ CNIL”) provided an update on the progress of its development of a “compliance package on connected vehicles.” The work began on March 23, 2016, and the finalized “compliance package” is expected to be delivered next spring.

The CNIL undertook this task to provide the auto-industry, the insurance and telecommunications sector, and the public authorities with guidance on the treatment of personal data collected by connected vehicles about their drivers and the interaction of the vehicle with the road environment. The guidance is expected to bring companies in compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will become effective on May 25, 2018.

The CNIL noted that the challenge is to weave “data protection” into the product design “to ensure transparency and control by individuals of their data.” Doing so would address the Privacy by Design principle codified in the GDPR.

In preparing its guidance, the CNIL is using the following scenarios as its analytical framework.

  1. “IN  ⇒ IN”: the data collected in the vehicle remain in the vehicle without the transmission to a service provider (e.g., an eco-driving application that processes data in the vehicle and displays eco-driving advice to the driver in real time).
  2. “IN  ⇒ OUT”: the data collected in the vehicle are transmitted for processing to a service provider (e.g., where a driver has a “pay as you drive” contract with an insurance company).
  3. “IN  ⇒ OUT ⇒ IN”: the data collected in the vehicle are transmitted for processing to a service provider to trigger an automatic response in the vehicle (e.g., an application that calculates a new route due to an incident on the road along the original route).

The CNIL expressed its preference for the first scenario, which involves processing data locally in the vehicle without transmitting the data to a service provider, as this would help guarantee user privacy. Although the final “compliance package” will not be released for several months, the various stakeholders in the industry should heed the CNIL’s strong preference for honoring the Privacy by Design principle, as they prepare for the GDPR.