Connected Cars - Uniform Rules for the Handling of Vehicle Data for the sake of Consumer Protection and Welfare
Modern cars are not merely means of transport, but increasingly data producers and data carriers. Even before the engine starts to buzz, the manufacturers already receive a multitude of data from countless sensors installed by them in the vehicle, all of which are generated by the car drivers. The car’s data architecture remains at the manufacturers’ discretion, which means that, thanks to their exclusive technical control, the data come de facto into their possession, and they are therefore able to determine the collection, storage, processing, use and transfer of the vehicle data. This often happens without the intervention or even knowledge of the consumers, who usually do not even have access to their own data – despite car ownership. The establishment and expansion of the automotive aftermarket and services sector are also subject to the manufacturers’ conditions, which regulate the access and delivery channels within the realm of their own brand, above all prioritising their own product optimisation based on the data available to them.
The present treatment of vehicle data in favour of the car manufacturers inevitably harms consumer welfare. This imbalance needs to be redressed, namely by setting appropriate uniform rules for handling vehicle data.
Since its inception in 2008, the not-for-profit consumer association European Automobile Clubs asbl (EAC), currently comprising six member clubs from Austria, Germany, Slovakia as well as Bosnia and Herzegovina, has been fully dedicated to the concerns of car drivers in Europe. At the heart of its policy work is the bundled interest of now more than 3 million drivers, according to the motto: Making them experience Europe across borders in a simple and safe manner.
The principle consequently applying to EAC as concerns all issues related to data in connected cars is:
The driver is the measure of all vehicle data.
Signalling the urgent need for action concerning the handling of vehicle data, EAC appeals to the European policy makers in charge of the transport sector, advocating the following key demands for the benefit and protection of car drivers in Europe:
1. Transparency about the Processing of Vehicle Data
Vehicle data is basically considered personal data as long as and to the extent that it has not been anonymised. This applies as long as – in GDPR terms – the data controller “has the legal means which enable it to identify the data subject with additional data”,[1] which is the case of mere "pseudonymisation", particularly clarified in the ECJ ruling Patrick Breyer. This implies that the processing of said data must be thoroughly transparent and fair. The average consumer who is attentive and reasonably well-informed using the car (incl. car keeper, driver and passenger) must be clearly and comprehensively informed about the scope and the extent of the data processing. The driver's consent to the collection and use of data must be voluntary without inducing any path dependency (e.g. links to any promises or making it irrevocable). It is also important that, in the case of data transfer, consumers are given prior access to the data subject to dissemination (e.g. state seizure). The technical and legal framework must be such that as autonomous and mature car users the consumers have their profile, personalisation and usage data at their full command.
2. Effective Guarantee of the Right to Freedom of Choice and Right to Data Portability
Only one in five drivers[2] uses the data-based services that are already available in the car. The majority, however, fails to use them, since they are unwilling to pay the (monopoly) price or find the service offered utterly uninteresting. Often consumers are tied to the preset data architecture of their cars, so they cannot fully enjoy the offers of external service providers. However, embedded in the necessary technical and legal framework conditions, consumers’ right to freedom of choice must be ensured at all times. Article 12 of Regulation 2015/758 (‘eCall’) has already given such a mandate to the EU policy-maker, requiring the establishment of the “requirements for an interoperable, standardised, secure and open-access platform”. The recent General Data Protection Regulation (GDPR – Reg. 2016/679) even enshrines the right to data portability. As a consequence, consumers have to be able to transmit their data “in a structured, commonly used and machine-readable format” “to another controller without hindrance” (Article 20 I GDPR). In addition, car users “shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible” (Article 20 II GDPR). The existing rules and regulations that promote the motorists’ right to freedom of choice must now be effectively implemented.
3. Access to Vehicle Data on the basis of the FRAND-Principle
Monopoly prices of the manufacturers sharply diminish the variety of services offered to users. Citing security grounds, in particular related to product liability and safety, they keep the range of access and delivery channels in their brands’ cars steadily limited to themselves. Their own product optimisation is thus unilaterally driven forward while all the other competitors in the automotive aftermarket and service sectors fall by the wayside, especially as the readable information is either not provided at all or delivered with delay (and possibly attenuated) for a fee based on a non-standardised charging system. This practice is clearly able to distort fair competition in the derived market.
Access to vehicle data must therefore be structured in a comprehensive manner according to the FRAND[3] principle, whereby all operators with a legitimate interest in vehicle data have equal access to existing data, in terms of quantity (e.g. number of available access channels) and quality (e.g. latency) – namely fair, reasonable and non-discriminatory. It is also important that access to unprocessed, raw vehicle data, which is a by-product of car use itself, is available free of charge.
The decisive factor for data handling (collection, storage, processing, use, transfer and subsequent processing) remains the car users’ consent whose freedom of choice requires implementation and effective enforcement.
4. Maintaining Security and Promoting Innovation
Maintaining the diversity of existing business models and promoting new, trendsetting, data-driven business models should not be mutually exclusive, and this requires clearly applicable technical and legal conditions. In this sense, EAC is committed in the long run to the establishment of an open and interoperable telematics platform in the vehicle. This vision goes hand in hand with the demand for a binding standardisation of data transmission protocols across Europe, set in an inclusive manner involving all market participants. It remains to be clarified how the bidirectional access to the vehicle should be organised, taking into account how on the one hand the data generated in the vehicle to prepare the service is obtained, and how on the other hand the service can be delivered in the car via the Human-Machine Interface (HMI). This way consumers do not need to divide their attention between the HMI and alternative hardware such as a smartphone in order to use the service offered by an external provider, minimising the hazardous risk potential for other road users as well. In order to exclude unauthorised access to the vehicle or its data, the criteria must meet the highest possible security requirements as a matter of course.
In view of the time needed for this meaningful development compared to the urgency resulting from the present anti-competitive situation, EAC advocates, in the short term, for the launch of an independently operated data platform based on the "shared-server" principle, above all in order to remedy without delay the current imbalance in favour of the manufacturers and to reap the benefits of the telematics technology to independent third-party service providers. The car users’ consent and approval remain pivotal when deciding about the handling of their profile, personalisation and usage data with the objective to be transmitted via the data platform to the service provider of their own choice.
[1] C-582/14 Patrick Breyer v Germany, Judgment of 19 October 2016.
[2] McKinsey, Car Data: Paving the way to value-creating mobility – Perspectives on a new automotive business model, McKinsey & Company, Advanced Industries, March 2016; Bertin Martens and Frank Mueller Langer, Access to digital car data and competition in aftersales services, Digital Economy Working Paper – JRC Technical Reports, June 2018.
[3] FRAND (Fair Reasonable and Non-Discriminatory) Principle, see C-ITS Working Group 6 final report, European Commission, 2016.
Last update: November 2019.