by Patrick Van Eecke and Julie De Bruyn
Last week proved to be an important week for privacy and data protection in the US: while representatives of the European Commission were negotiating with US representatives on government surveillance and the extension of the US Privacy Act to EU citizens, the US Alliance of Automobile Manufacturers (‘Alliance’) together with the US Association of Global Automakers (‘Association’) published their ‘Consumer Privacy Protection Principles’ (‘Principles’) on 12 November 2014.
Although smart vehicle technologies and services offer numerous benefits to owners and users, the Alliance and the Association are conscious that consumer trust is essential to the success thereof that should therefore not be overlooked. The Privacy Principles aim to provide a framework for US automobile manufacturers when processing information obtained through vehicle technologies and services, which may assist in for instance enhancing safety, diagnosing vehicle malfunctions, reducing traffic congestion, calling for emergency assistance, etc.
Each member of the Alliance and/or Association may upon its own discretion decide whether to adopt the Principles, and other companies – who are not a member – may also decide to adopt them. Examples of participating members who so far have committed themselves to respecting the Principles include the North American affiliates of inter alia BMW, Chrysler, Ford, General Motors, Hyundai, Kia, Toyota and Volkswagen. The accountability principle as foreseen in the Principles requires that each participating member takes reasonable steps to ensure that it and its other entities that receive covered information adhere to the Principles.
The Principles apply to the collection, use and sharing of information obtained through vehicle technologies and services available on cars and light trucks sold or leased to individual consumers for personal use in the United States. Within the Principles, the term ‘personal data’ or ‘personal information’ appears to be deliberately avoided and instead the legally neutral term ‘covered information’ is used. The data subjects concerned are the vehicle owners or registered users.
The Principles appear to be influenced by the European data protection framework, albeit with a US flavour. Similarly as under the European Data Protection Directive, the principles do not apply to information that has been altered or combined so that the information can no longer reasonably be linked to the vehicle from which the information was retrieved, the owner of that vehicle or any other individual (data anonymisation). The key principles include:
- Transparency – Clear, meaningful notice about the collection, use and sharing of covered information must be provided to the owner or user, for instance by including a notice in the vehicle owner’s manual, on paper or electronic registration forms and user agreements, or on in-vehicle displays. The participating automobile manufacturers commit to, at a minimum, making this information available via online web portals.
- Choice – Under the Principles, if a participating member provides notice in consistence with the transparency principle, the acceptance and use by the owner or user will be deemed to constitute consent to the processing of the information obtained. For the use of geolocation information, biometrics and driver behaviour information, the sharing and use of such information may raise concerns in some situations and therefore participating members undertake to obtain an affirmative consent of the owner or user concerned, except in certain circumstances set forth in the Principles where an implied consent will suffice.
- Respect for context – Participating members undertake to use and share covered information in ways that are consistent with the context in which the covered information was collected, taking into account the likely impact on the owner or user. Factors which may determine the context of the collecting include the notices offered by the participating member, the permissions obtained from and the reasonable expectations of the owner or user, etc.
The Principles contain an enlightening (non-exhaustive) list of examples to illustrate some of the reasonable and responsible ways in which covered information may be used or shared. Among typical examples which are deemed to be consistent with the context of collecting the information, are some atypical examples for which – at least from a European data protection perspective – it can be argued that these purposes may be considered as incompatible with the original purpose of the vehicle technologies and services, such as using or sharing the information as reasonably necessary to facilitate a corporate merger, acquisition or sale involving a participating member’s business, or using covered information to provide owners or users with information about goods and services that may be of interest to them.
- Other principles included in the Principles are data minimization, data de-identification, data retention, data integrity and access (albeit a right of access for the owner or user limited to ‘personal subscription information’, rather than to all covered information held about them), and data security.
Although the scope of the Principles is limited to the automotive industry in terms of material application, and limited to consumers using the vehicles for personal use in the United States in terms of geographical application, it is expected that similar principles and guidelines will follow shortly for larger geographical and material (other sectors).