【Expert’s Commentary Column of the Commercial Times】Legal Compliance of Connected Vehicles from the Perspective of Privacy Laws

February 19, 2021


By Lipu Lee, Managing Partner, & Meng Chin Tsai, Senior Associate of Formosan Brothers, Attorneys-at-Law

Lately, automobile functionalities have been improving by leaps and bounds. Now a vehicle can detect tire pressure, signal maintenance reminders, detect the location of a stolen vehicle, and even provide instantaneous weather reports and traffic conditions in an app through reports from other vehicles. These convenient functionalities all come from the concept of “connected vehicles,” that is, using GPS, sensors, electronic labeling, wireless network communication, and data processing to process and transmit the vehicle and road condition information collected by vehicles, which gives drivers and the public instantaneous information and applications. However, behind the convenience lie concerns about privacy invasion through real-time Internet connection and about road safety.

With respect to legal compliance with privacy laws, the EU’s GDPR has currently garnered the most attention. EU personal privacy institutions have enacted “Guidelines 1/2020” regarding privacy protection for connected vehicles. With respect to safety and design structure, the International Organization for Standardization (“ISO”) has issued ISO 15638 for the industry. Given limited space, this article will focus on privacy first and analyze some important compliance opinions of the EU.

1. Protect three major categories of personal data: geolocation, biometrics, and data revealing traffic offenses or other infractions:

The EU specifically notes that vehicles collect many types of data (e.g. tire pressure, speed, wear and tear of brakes, etc.). Although such data may seem technical at first, they have to do with the way a driver uses the vehicle, so specific drivers might be identified using them, and such data should be considered personal data. Among the myriad data collected, the EU specifically mentions three major categories: geolocation data, biometric data, and data revealing traffic offenses or other infractions. These three types of data may be used to deduce a person’s lifestyle, driving habits, and biometrics. Application of such data might increase the driver’s auto insurance, affect the driver’s traffic ticket, or expose their personal life. Hence the EU specifically calls for the protection of these three categories of data.

2. Data protection impact assessment shall be part of the product design phase.

The data collected by connected vehicles are very diverse, and not every type of data requires a personal data impact assessment. However, in order to reach the goals of “collecting only data that are necessary,” “giving the data subject as much control as possible over his/her own data,” and “anonymizing/pseudonymizing data during transmission,” it would really help to reduce legal compliance risks if the technical and design personnel are informed of the data protection requirements from the very beginning of the product design process.

3. Using the vehicle’s own data processing equipment as much as possible

Although cloud computing is very powerful, each data transmission adds a layer of risk. As such, the EU suggests using the vehicle’s own central processing unit to process data, adding data security and encryption technologies, and, as much as possible, providing users with the option to delete their data. In addition, the EU also notes that the data collected by a vehicle may be fed to a corresponding application through transmission by software fitted for the vehicle. In that case, auto manufacturers should pay attention to whether the personal data provided to the application meets the principle of proportionality. For example, for a weather app, it is not appropriate for the vehicle to transmit data every minute; a more reasonable transmission interval should be configured.

4. Transmitting personal data to third parties

Prior to transmitting data to a third party, it is recommended that the connected vehicle first inform the data subject, such as the driver or passenger, and obtain their consent. As to the method of informing, due to the diversity of content, the EU recommends informing first regarding the identity of the collector, the collection purpose, the identity of the receiver, the data subject’s rights, and other possible ways of data usage that might be used against the data subject. Such important information should be made known to the driver and passengers. During data transmission, anonymization or pseudonymization is recommended to reduce privacy breaches. The EU also notes that if personal data is transmitted outside of the EU, the data controller needs to make sure the recipient meets the requirements for cross-border transmission.

Currently, competent authorities in Taiwan have yet to promulgate regulations similar to those of the EU. However, amid this export-oriented trend in Taiwan, if businesses in Taiwan playing important roles in the electronics and vehicle parts supply chain can first consider the legal compliance requirements in the countries where their products are used when they design their equipment and services, they may be able to enhance the competitiveness of their products. Moreover, based on the legislative progression of privacy laws in Taiwan, EU regulations have been important references for Taiwan’s competent authorities. Therefore, if Taiwanese businesses in the connected vehicle-related industries can reference the EU regulations and prepare in advance, they will not only increase the level of privacy protection for consumers and earn consumers’ trust in their products, but will also reduce the impact that privacy protection laws have on connected vehicles once the government introduces them in the future.

(This article was published in the Expert’s Commentary Column of the Commercial Times. https://view.ctee.com.tw/legal/26867.html )