Who controls the vehicle data? By: Louise de Gier and Joost Gerritsen



What happens to vehicle data? Who has access to such data and who controls it? Vehicle manufacturers are being approached by advertisers. What should they do? According to Louise de Gier and Joost Gerritsen, companies active within the automotive sector should identify their possibilities. Should they fail to do so, it is highly likely that the automotive industry will be overtaken by Silicon Valley businesses. More than anyone else, they know how to market data and hence also vehicle data.


In the meantime vehicles have become mobile computers. The data which vehicles generate can provide an extensive insight into their owners and the way they drive. During the Consumer Electronics Show (CES) in Las Vegas in the United States of America last year a senior Ford official announced that, thanks to satellite navigation, it was possible to ascertain precisely who was exceeding the speed limit in the case of every Ford owner. “But,” he added, “we do not provide that information to anyone.” In recent times both vehicle manufacturers and private individuals have come to be particularly concerned about what happens to their data. Manufacturers complain about the fact that they are approached by Silicon Valley businesses or advertisers to make their vehicle data available. They are not keen on doing so.

They do not wish to see their reputation harmed because their make of vehicle is hacked and “their” vehicle data is released into the public domain. To whom does such vehicle data belong? The manufacturer? The vehicle owner? An American history teacher paid a visit to his garage because the engine warning light had come on. He wanted to know what that meant and took his car to the garage. A mechanic told him that he could not gain access to his engine data unless he paid Toyota USD 135.00. The teacher found this incomprehensible. After all, it was his data, wasn’t it?

Control

Many parties claim ownership of vehicle data or wish to own it. Consider, for instance, manufacturers, public authorities, importers, dealers, industrial associations, new businesses and vehicle owners. “Ownership” is not the appropriate word, because it applies to “property”, such as a vehicle. One can own a vehicle but not vehicle data, because in legal terms such data does not constitute “property” (with the exception of intellectual property rights, as mentioned in the boxes on the side). It is more logical to determine who may control such data. Multiple parties may control vehicle data based on different legal grounds. Where such vehicle data is deemed to be “personal”, the relevant person – the vehicle owner or driver in the case of a leased vehicle, and so forth – controls it. Where vehicle data is protected under database law, the rights holder of that data may allow others to use it or prohibit them from doing so.

What do businesses need to be alert to in the vehicle data industry? The German Verband der Automobilindustrie [Automotive Industry Association] has published “Data Protection Principles for Connected Vehicles”. Through them the affiliated parties, such as Audi, Fiat and Volkswagen, seek to provide transparency in relation to the processing of vehicle data and to grant vehicle owners control over that data. The German privacy regulator refers to those privacy principles as a start and feels that there are still questions that have not yet been answered, for example, concerning who is responsible for processing vehicle data. In the meantime other organisations have adopted a position in relation to vehicle data. The British Automobile Association (AA) is of the opinion that consumers should always receive comprehensive information with regard to what happens to vehicle data. The AA contends that drivers should own such data. They must be able to exercise control over such data as long as they own the vehicle concerned.

Vehicle owners not only wish to control their vehicle but also its data. The General Data Protection Regulation – issued by the European Commission – can help them in this respect. This impending legislation will impose stiff requirements on the business sector as soon as it processes personal data. As such, the regulation will apply as soon as vehicle data is deemed to be personal in legal terms. Information concerning the location of a vehicle will readily be deemed to constitute data that is protected by the regulation. If this is the case, a system will need to be created for consumers to allow them to manage their “privacy settings” for the relevant vehicle. The regulation is expected to come into force in mid-2016. Any business which fails to comply with those regulations may be fined EUR 100 million or 5% of its annual global turnover.

Agreements

No one will be deemed to be the owner of the vehicle data and data managers will be required to consider consumer privacy rights. Will the vehicle industry then remain empty-handed? No, on the contrary, more alternatives are available to parties active in the vehicle supply chain to regulate their legal position in the data market. What is important is to determine whether there are any intellectual property rights which can afford protection, such as database rights or copyright. A party holding database rights may prohibit anyone else from using the relevant data without their consent to a considerable extent. It is also important to make proper arrangements throughout the entire vehicle supply chain. In this way it is possible for contracting parties to require that each complies with the agreed use of vehicle data. Businesses active in the automotive industry would do well to identify such alternatives. Should they fail to do so, it is highly likely that the automotive industry will be overtaken by Silicon Valley businesses. More than anyone else, they know how to market data and hence also vehicle data.

Whoever wishes to win this “vehicle data battle” will need to exhibit a competitive advantage. The protection of privacy could constitute such a competitive advantage. Research conducted by McKinsey reveals that 51% of respondents in Germany are reluctant to avail themselves of “connected car” services due to privacy concerns. For this reason it is essential that any party active in the vehicle supply chain respect privacy rights (to protect privacy), make arrangements with partners in that supply chain (to avoid liability for any loss, amongst other things) and secure intellectual property rights (to protect vehicle data). See the boxes on the side for concrete guidelines. Any business that manages to do this successfully will have an advantage.

The protection of privacy

• Where data – for example, vehicle data – can be traced back to a person, it is deemed to be personal. In such a case the Personal Data Protection Act [Wet bescherming persoonsgegevens] (Wbp) applies. Under the Wbp a person is entitled to arrange for their personal data to be corrected, deleted or secured. This means that, where personal data is processed, any person, such as a leased or other vehicle driver or passenger, may submit a request to have their data deleted.

• Other obligations also apply. There must be transparency concerning the use of data in relation to a leased vehicle driver or vehicle owner and so forth. Ask such people for permission to use their data as envisaged. “Cookie legislation” – pursuant to which websites display pop-up windows concerning the use of cookies – also applies in a vehicle. This means that any passenger must first be informed of the use of such data, so that they may consent to it. Should processing of location details, for example, commence in the absence of the requisite information or consent, this would constitute non-compliance, for which the regulatory authority, the ACM (Dutch Authority for Consumers and Markets), could impose a fine.

• Provide adequate security measures to prevent the improper use of vehicle data, such as hacking or data leaks. It has recently emerged that millions of vehicles, such as BMWs, Minis and Rolls Royces, are vulnerable to hackers because of a software bug in the vehicle’s system.

• The impending General Data Protection Regulation stresses the importance of privacy by design: technological and organisational measures to ensure that privacy is taken into account at the earliest stage when designing an information system.

• It is often more difficult and expensive to add privacy protection to a system or service subsequently than to include it in the design process. For this reason privacy by design is essential for data companies active within the automotive sector.

Arrangements with supply chain partners

• It is conceivable that no one in a vehicle supply chain holds any intellectual property rights (“IE rights”, in this case copyright or database rights) to one or more data sets. As far as possible such a situation may be overcome by making contractual arrangements concerning the use of such data.

• Unlike in the case of an IE right, not everyone can be called to account for the use of data, only the party with whom the relevant contract has been concluded. Should such a party use any data contrary to the relevant agreement, they may be called to account for it.

• It is important that contracts take into account the fact that data may include personal information or may become personal. The parties’ rights and duties must be stipulated in separate agreements providing for technical and organisational security measures, for example, to safeguard personal data.

Ascertaining the existence of intellectual property rights

• Where a data set is encumbered with an IE right, the holder of that right may prohibit anyone else from using that data or may permit them to do so. A database may be protected by copyright or under database law.

• Copyright may be used to protect a database where the selection or order of the data contained in it constitutes an original expression of the creative freedom of its author. A court of law has ruled that the detailed categorisation of a telephone directory enjoys copyright protection. Sufficient personal, creative choices had been made for that purpose.

• In addition, a database may also be protected under database law. Database rights are available to anyone who has made a substantial investment in a database. Here “substantial investment” means that not every database qualifies for legal protection. For example, if a database containing vehicle data is a by-product of a braking system or diagnostic equipment, it would be readily apparent that no substantial investment would have occurred, because it would not have been directed towards the creation of the database as such. What is therefore important for the purposes of protection under database law is that it can be shown, with the aid of administrative records, what has been invested in the relevant database and that those investments did indeed concern that database.

Louise de Gier is a lawyer and co-owner of the firm, De Gier | Stam & Advocaten. Joost Gerritsen is a “big data” and privacy lawyer with the same firm. (www.degierstam.nl) (Tw: @JBAGerritsen)

The dashboard of the Model X, the fully electric SUV by the American car brand Tesla.

This article originally appeared in Automatisering Gids, March 2015