New data protection rules have been adopted by the European Parliament with the aim of protecting the privacy of drivers as the connectivity of company cars and vans increases.
There will be a much higher standard for consent, the definition of what constitutes personal data will change and there will be tougher sanctions for anybody falling foul of the rules.
Businesses have been given two years to comply with the new, stricter regime, which has been explicitly designed to deal with issues arising from connected products and services, including vehicles.
“Individuals must be empowered; they must know what their rights are and know how to defend their rights if they feel they are not respected,” said Frans Timmermans, first vice-president of the European Commission.
“The new rules will ensure that the fundamental right to personal data protection is guaranteed for all.”
Connectivity in cars and vans is becoming more common-place and the majority of drivers already use apps like Google Maps and sat-navs to plan journeys.
But with experts predicting 90% of new cars will be connected by 2020, sharing real-time information on a massive scale will soon become the norm.
Vehicle manufacturers say it has the potential to offer huge economic, environmental and societal benefits.
However, with technology developing at a rapid pace, Erik Jonnaert, secretary general of the European Automobile Manufacturers’ Association (ACEA), warned: “There are many challenges on the road ahead.”
The new rules now enshrined under the General Data Protection Regulation (GDPR) only apply to personal data. But with the definition of personal data also changing, legal expert Stephan Appt says much of what will be produced will fall under the new regulation.
GDPR makes it clear that information is treated as personal data whenever individuals can be identified by online identifiers, including GPS information.
Appt, a partner at Pinsent Masons, said: “Data that identifies drivers indirectly would be considered personal data.”
And if the UK votes to leave the European Union following the referendum on June 23, British fleets should not expect the new rules to be watered down for them. Appt said: “This legal framework will not only apply to data in the EU, it will apply to everybody supplying goods and services to the EU.”
Driver consent for data-sharing services will therefore be crucial, with the new rules making it clear that it must be “unambiguous” and communicated by “a statement or clear affirmative action”, he added.
“Pre-ticked boxes will not constitute consent,” said Appt. “It must be freely given and informed. The relationship between fleet – the employer – and the driver is going to be important.”
The ACEA said in a strategy paper on connected vehicles released last week that manufacturers aim to design their vehicles and services so that “where possible” drivers can choose whether to share personal data.
Furthermore, it said: “Customers will be able to deactivate the geolocation functionality of their connected vehicles and in the connected services that are offered except where geolocation data must be processed to comply with contractual or legal obligations, for example emergency call.”
For fleet operators, location-based data for example would be restricted to business use, much as it is today with telematics. However, Appt says the new rules will require “a balance of interest test” between the interests of the driver and the interests of the business.
Caroline Sandall, deputy chairman of fleet representative body ACFO and fleet manager at Barclays, told Fleet News: “Most drivers will give their consent, provided it’s made clear to them what is collected, how it may be used, who can access it and that it’s stored securely.”
However, while she believes explaining to drivers what is collected will be fairly straightforward, explaining the potential outcomes will be more challenging.
“Information gathered could signal behaviours or inform the employer about events which could be deemed gross misconduct and lead to dismissal,” said Sandall. “Trying to describe all scenarios is impossible and would lead to lengthy data protection clauses.
“Employers are going to have to think carefully about what data will be truly useful and meaningful. If that message is not clearly delivered, employees will struggle to understand what they are consenting to, which could lead to grievances or being challenged when any punitive action is taken.”
Debbie Floyde, group fleet and risk manager at Bauer Media, said that, ideally, consent will be written into contracts between the leasing company and end-users.
However, she added: “I would definitely make it part of policy that they would have to share data if they want to drive on company business.
“Potentially, this would be limited to data concerning just business trips, unless it was in their interest to access data on a private trip such as in the event of an accident.”
Appt told delegates at the Connected Fleets Europe conference in Amsterdam: “Original equipment manufacturers talk about ‘my fleet’, while fleet managers talk about ‘my fleet, which also implies it’s ‘my data’. But, from a legal perspective, there is no ownership of data.”
Legally, it is a question of consent and, while many are calling for an open platform so that data can be easily shared between third-party suppliers, carmakers are reluctant to give it away for free.
In its connected vehicles strategy paper, the ACEA says the EU should establish a regulatory framework for access to vehicle data that “takes account of the fact that vehicle manufacturers invest heavily in the ability of vehicles to generate data and are ultimately responsible for ensuring the vehicle’s safety and integrity as well as the protection of the user’s personal data and privacy”.
But, Sandall said: “Drivers will view their employer as the prime custodian, regardless of who actually supplies the car, as for the most part the contractual relationship is between the driver and their employer and that’s where they will go with problems and concerns.”
Chevin Fleet Solutions holds operational data on more than 850,000 vehicles that are managed using its FleetWave software, so understands the complexities that connected vehicle data can bring.
Managing director Ashley Sowerby told Fleet News: “It is right that companies running vehicles, along with their drivers, should have a high degree of control and the new legislation appears to deliver a general improvement on the previous situation.”
However, he has previously warned that manufacturers can gain some key benefits from connected cars, especially when it comes to influencing driver behaviour.
For example, they could flag-up servicing requirements and book the vehicle in with the nearest franchise dealer,” said Sowerby.
“It is a question of creating the best balance between benefits, privacy and choice. This is why fleets should be fighting to retain overall ownership and control of their vehicle data, bearing in mind a whole range of issues from employee right to privacy through to operational policies.”
For its part, the ACEA recently adopted a statement setting out five principles of data protection to which it says the industry will adhere.
These principles include transparency, customer choice, ‘privacy by design’, data security and the proportionate use of data.
Jonnaert said: “We are committed to providing customers with a high level of protection and maintaining their trust.
“This is essential if intelligent transport systems and the connected car are to fulfil their potential to contribute towards societal goals such as facilitating traffic management, improving road safety, reducing fuel consumption and bringing down CO2 emissions.”