Pro­tec­tion of mobi­li­ty data: he who hesi­ta­tes is lost!

Auto­mo­ti­ve manu­fac­tu­r­ers and sup­pli­ers are not the only ones which rely on the pro­ces­sing of per­so­nal data: fleet ope­ra­tors, logi­stics com­pa­nies and shared mobi­li­ty ope­ra­tors do as well. But it is evi­dent from mul­ti­ple ongo­ing pro­cee­dings that com­ply­ing with the asso­cia­ted obli­ga­ti­ons poses a chall­enge for com­pa­nies. In a time when data pro­tec­tion aut­ho­ri­ties are focu­sing more and more on the pro­ces­sing of mobi­li­ty data, com­pli­ance with the GDPR is more important than ever for com­pa­nies in the industry.

Over­view of cur­rent data pro­tec­tion proceedings

• Lower Saxony’s data pro­tec­tion aut­ho­ri­ty has impo­sed a fine in the amount of EUR 1.1 mil­li­on against Volks­wa­gen based on a few rather tri­vi­al vio­la­ti­ons of the GDPR in con­nec­tion with test dri­ves. For exam­p­le, one ser­vice pro­vi­der for­got to place a magne­tic board with data pro­tec­tion infor­ma­ti­on in the vehic­le pri­or to a test drive.
• Ano­ther fine was impo­sed in France, whe­re the French data pro­tec­tion aut­ho­ri­ty, CNIL, impo­sed a fine in in the amount of EUR 175,000 against a car sha­ring pro­vi­der. The aut­ho­ri­ty found that the com­pa­ny had coll­ec­ted data from cus­to­mers which was not neces­sa­ry to accom­plish the pur­po­se of the pro­ces­sing. The com­pa­ny had recor­ded not only the vehic­les’ loca­ti­on but also each time the engi­ne was tur­ned on and off, and each time the doors were ope­ned. CNIL also char­ged that the com­pa­ny had fai­led to dele­te the data.
• In a Judgment of 17 Janu­ary 2022 (Case No. 6 K 1164/21.WI), the Admi­nis­tra­ti­ve Court of Wies­ba­den impo­sed strict requi­re­ments in data pro­tec­tion law for the pro­ces­sing of vehic­le loca­ti­on data  and appro­ved the exten­si­ve mea­su­res being taken by the Hes­si­an data pro­tec­tion authority.
• The Fede­ra­ti­on of Ger­man Con­su­mer Orga­niza­ti­ons [Ver­brau­cher­zen­tra­le Bun­des­ver­band] has filed suit against Tes­la befo­re the Dis­trict Court of Ber­lin, asser­ting in its com­plaint e.g. that the vehicle’s sen­try mode can­not be used in con­for­mance in data pro­tec­tion law in public spaces.
• The data pro­tec­tion aut­ho­ri­ties in the Bal­tic Sta­tes have announ­ced a coor­di­na­ted inspec­tion of com­pli­ance with data pro­tec­tion law in con­nec­tion with short-term vehic­le ren­tals, par­ti­cu­lar­ly e‑scooters.

Out­look and recom­men­ded actions

Given the­se deve­lo­p­ments, as well as the fact that, in its Coali­ti­on Agree­ment, the Ger­man govern­ment pro­po­ses to enact a mobi­li­ty data law which ensu­res com­pe­ti­tively neu­tral use of vehic­le data as well as data sove­reig­n­ty for data sub­jects, it is to be expec­ted that data pro­tec­tion in con­nec­tion with mobi­li­ty data will con­ti­nue to be an area of focus for super­vi­so­ry aut­ho­ri­ties. Com­pa­nies which would like to avo­id fines, pro­hi­bi­ti­on orders or other mea­su­res by the data pro­tec­tion aut­ho­ri­ties should the­r­e­fo­re exami­ne whe­ther and to what ext­ent they are pro­ces­sing mobi­li­ty data and whe­ther the data they are pro­ces­sing includes per­so­nal data. Doing so will allow them to take the neces­sa­ry data pro­tec­tion mea­su­res and docu­ment them.