The recent approval by New Jersey of a law on the ownership of data generated by connected cars might have an impact on the future of the Internet of Things (IoT) providing an interesting approach also for European privacy regulators.
The Connected Car Law
The NJ law provides that no person other than the owner a vehicle containing a recording device may retrieve, obtain or use data recorded, stored or transmitted from a recording device (i.e. an electronic system recording data collected by sensors installed in the vehicle) unless, among others,:
- The owner of the vehicle consents to the duration and scope of the data retrieval, retention and use, prior to or at the time when the data are retrieved, obtained or used;
- The recorded data is retrieved or obtained by means of an order by the competent authorities;
- The recorded data is used for the purpose of improving vehicle safety, security, performance, operation, compliance with traffic laws provided that the identity of the owner of the vehicle is not disclosed. And for the purposes of this exception the disclosure of a vehicle identification number with the last 6 numbers deleted is not meant to be a disclosure of the owner’s identity;
- The recorded data is obtained by the dealer for the sole purpose of diagnosing, servicing or repairing the vehicle and
- The recorded data is accessed for mere emergency purposes.
Making the US closer to Europe on the IoT?
The principles set forth by the New Jersey law are very interesting since they stress a concept of data ownership which is in line with the principles of European data protection law that are meant to grant full control of personal data to the individual to which it pertains.
The list of exceptions to the full control of processed data is also interesting since it means that the consent of the data owner can be by-passed in relation to some services to be provided to the vehicle which are meant to be of public interest. And this represents a major improvement for the future of the IoT since the possibility to access to a larger database of data might speed up the development of new technologies for connected cars and for any type of IoT device. Such view seems more “open” than the one recently taken by the European privacy regulators in the opinion on the IoT.
Also, the position taken by New Jersey on undisclosed data seems more flexible than the one recently followed by the European privacy regulators in its recent opinion on anonymous data. Under European law it might be possible to argue that a processing of personal data requiring the individual’s prior consent occurs even if the last 6 figures of the vehicle identification number are deleted since the data controller deleting such figures might indirectly connect the vehicle to an individual.
The New Jersey law provides interesting food for thought and I wonder whether any privacy regulator will follow their good example.