Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications
Section 1.2 Applicable law
9. The relevant EU legal framework is the General data protection regulation (2016/679). It applies in any case where data processing in the context of connected vehicles involves processing personal data of individuals.
10. Additionally to the GDPR, the “ePrivacy” directive (2002/58/EC, as revised by 2009/136/EC), sets a specific standard for all actors that wish to store or access information stored in the terminal equipment of a subscriber or user in the European Economic Area (EEA).
11. Indeed, if most of the “ePrivacy” directive provisions (art.6, art. 9, etc.) only applies to providers of publicly available electronic communication services and providers of public communication networks, art. 5 (3) ePrivacy directive is a general provision. It does not only apply to electronic communication services but also to every entity that places on or reads information from a terminal equipment without regard to the nature of the data being stored or accessed.
12. Regarding the notion of “terminal equipment”, the definition is given by directive 2008/63/CE. Art. 1 (a) define the terminal equipment as an “equipment directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information; in either case (direct or indirect), the connection may be made by wire, optical fibre or electromagnetically; a connection is indirect if equipment is placed between the terminal and the interface of the network; (b) satellite earth station equipment”.
13. As a result, the connected vehicle and every device connected to it shall be considered as a “terminal equipment” (just like a computer, a smartphone or a smart TV) and provisions of art. 5 (3) ePrivacy directive must apply where relevant.
14. As recently outlined by the EDPB in its opinion 5/2019 on the interplay between the “ePrivacy” directive and the GDPR, art. 5 (3) ePrivacy directive provides that, as a rule, prior consent is required for the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user. To the extent that the information stored in the end-user’s device constitutes personal data, art. 5 (3) ePrivacy directive shall take precedence over art.6 GDPR with regards to the activity of storing or gaining access to this information. Any processing operations of personal data following the aforementioned processing operations, including processing personal data obtained by accessing information in the terminal equipment, must additionally have a legal basis under art. 6 GDPR in order to be lawful.
15. Since the controller will have to inform the data subject about all the purposes of the processing – including any processing following the aforementioned operations – when seeking consent for the storing or gaining of access to information pursuant to art. 5 (3) ePrivacy directive, the consent will normally also cover such processing operations. Consent will likely constitute the legal basis both for the storing and gaining of access to information already stored and the processing of personal data following the aforementioned processing operations. Indeed, when assessing compliance with art. 6 GDPR, one should take into account that the processing as a whole involves specific activities for which the EU legislature has sought to provide additional protection. Moreover, controllers must take into account the impact on data subjects’ rights when identifying the appropriate lawful basis in order to respect the principle of fairness. The bottom line is that art.6 GDPR cannot be relied upon by controllers in order to lower the additional protection provided by art. 5 (3) ePrivacy directive.
16. The EDPB recalls that the notion of consent in the ePrivacy directive remains the notion of consent in the GDPR and must meet all the requirements of the consent as provided by art. 4 (11) and 7 GDPR.
17. However, if consent is the principle, art. 5 (3) ePrivacy directive allows the storing of information or the gaining of access to information that is already stored in the terminal equipment to be exempted from the requirement of informed consent, if it satisfy one of the following criteria:
Exemption 1: for the sole purpose of carrying out the transmission of a communication over an electronic communications network ;
Exemption 2: when it is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.