Automotive manufacturers and suppliers are not the only ones which rely on the processing of personal data: fleet operators, logistics companies and shared mobility operators do as well. But it is evident from multiple ongoing proceedings that complying with the associated obligations poses a challenge for companies. In a time when data protection authorities are focusing more and more on the processing of mobility data, compliance with the GDPR is more important than ever for companies in the industry.
Overview of current data protection proceedings
- Lower Saxony’s data protection authority has imposed a fine in the amount of EUR 1.1 million against Volkswagen based on a few rather trivial violations of the GDPR in connection with test drives. For example, one service provider forgot to place a magnetic board with data protection information in the vehicle prior to a test drive.
- Another fine was imposed in France, where the French data protection authority, CNIL, imposed a fine in in the amount of EUR 175,000 against a car sharing provider. The authority found that the company had collected data from customers which was not necessary to accomplish the purpose of the processing. The company had recorded not only the vehicles’ location but also each time the engine was turned on and off, and each time the doors were opened. CNIL also charged that the company had failed to delete the data.
- In a Judgment of 17 January 2022 (Case No. 6 K 1164/21.WI), the Administrative Court of Wiesbaden imposed strict requirements in data protection law for the processing of vehicle location data and approved the extensive measures being taken by the Hessian data protection authority.
- The Federation of German Consumer Organizations [Verbraucherzentrale Bundesverband] has filed suit against Tesla before the District Court of Berlin, asserting in its complaint e.g. that the vehicle’s sentry mode cannot be used in conformance in data protection law in public spaces.
- The data protection authorities in the Baltic States have announced a coördinated inspection of compliance with data protection law in connection with short-term vehicle rentals, particularly e‑scooters.
Outlook and recommended actions
Given these developments, as well as the fact that, in its Coalition Agreement, the German government proposes to enact a mobility data law which ensures competitively neutral use of vehicle data as well as data sovereignty for data subjects, it is to be expected that data protection in connection with mobility data will continue to be an area of focus for supervisory authorities. Companies which would like to avoid fines, prohibition orders or other measures by the data protection authorities should therefore examine whether and to what extent they are processing mobility data and whether the data they are processing includes personal data. Doing so will allow them to take the necessary data protection measures and document them.back