European Data Regulation to give motorists final say over their own data
The new European Data Regulation should allow data to flow freely within the EU and make the most of it. The law - which will apply across the economy - takes data control out of the hands of manufacturers and service providers and emphatically gives it to consumers. Although additional legislation for the automotive industry is still being negotiated, it is already clear that the impact on this sector in particular will be significant.
This piece in five points:
With the Data Regulation, new European legislation that will be important for everyone's privacy is imminent. Based on it, data should be able to flow freely within all sectors of the economy and be used and reused in the best possible way. Such a single data market aims to give the EU a global competitive advantage in an increasingly data-driven economy.
A key premise of the Data Regulation is that, with regard to devices connected to the internet (including connected cars), consumers will have access to their own data, and they will also be able - much more explicitly than is the case under the General Data Protection Regulation - to decide which third parties they do and do not want to share that data with.
For some sectors, the Data Regulation falls short on its own. These require specific, additional legislation. This also applies to the automotive industry. Discussions on sectoral legislation for that industry are ongoing and difficult. Opposing each other are car manufacturers on the one hand and parties from the aftermarket. At issue in particular is how to regulate access to vehicle data and a number of related issues.
Car manufacturers do not want to simply surrender their data sovereignty while the aftermarket wants to be assured of fair access to vehicle data and not be left out. A compromise will have to be found as the proposals from both camps are far apart.
While the Data Regulation may be formally adopted soon (introduction deadline: 20 months), the corresponding sectoral legislation is likely to take some time anyway. The current European Parliament is unlikely to consider it again. There are European elections next June and before vehicle data will be voted on by the new parliament, it could as soon be 2025 or later.
Laws and regulations inevitably hobble behind digital technologies. Only when society is long and wide aware of the undesirable consequences of certain developments can they be curbed, adjusted or banned. Or, on the contrary, invest even more in things deemed valuable.
Whether it is about search engines or algorithms, smart devices or cloud computing - the Brussels policy machine has been working overtime in recent years. With legislation on artificial intelligence in the making and earlier laws on data protection (around electronic communication), cybersecurity, digital markets and digital services, recently took the next step in achieving the European data strategy. This major policy plan seeks to give the EU a global competitive advantage in an increasingly data-driven economy.
A single market for data should start ensuring that (anonymised) personal and non-personal data can flow freely across the EU and through all sectors of the economy. That data should be able to be optimally used and re-used. Some sectors - such as transport and mobility that largely rely on vehicle data - are earmarked as prioritised data spaces and get extra emphasis.
The data strategy has two main pillars: the 2021 agreed Data governance regulation and the Data Regulation, on which agreement was reached at the end of June this year. Where the Data Governance Regulation creates the processes and structures to facilitate data sharing by companies, individuals and governments, clarifies the Data Regulation Who is allowed to create value from that data under what conditions.
Typically, only service providers and manufacturers have control over access to and use of the data generated by their services or products. That control will soon lie with consumers. With regard to devices connected to the internet (including connected cars), consumers will have access to their own data and also the right to move data from one service provider or manufacturer to another (data controller). Moreover, consumers can decide which third parties they do and do not want to share their data with. Third parties who gain access to data will have to pay a fee to the manufacturer to do so.
In these respects, the Data Regulation not only complies with the General Data Protection Regulation (GDPR), but also complements it. See these question-and-answer page from the European Commission for more information on the Data Regulation. On paper, it looks nice, but the extent to which this legislation will actually be a success from a consumer perspective will partly depend on the supervision of the European personal data authorities. The fact is that, due to a shortage of staff and funding, those watchdogs are already barely up to the task and have their hands full with violations of the AVG.
The Data Regulation is horizontal legislation: it covers all sectors of the economy. But for the (technical) complexity of certain sectors, the regulation is not sufficiently tailored. Those sectors, including the medical, energy and banking sectors, require specific, complementary legislation that comes under the regulation. Such vertical legislation should prevent stakeholders from constantly taking each other to court for lack of clarity.
In our previous article on connected cars, we addressed the question of who is in charge of vehicle data. At the moment, that is predominantly the car manufacturers. Despite the AVG, motorists are largely left behind for a number of specific reasons. With the arrival of the Data Regulation, that will change and motorists will take a much more central role in the ecosystem of players around connected cars. They will soon have to give explicit permission to the parties with whom they want to share their data. It should also not (anymore) be the case that a car will not work if permission is not granted for everything. Getting this and other issues right does require additional sectoral legislation for the car industry.
That sectoral legislation covers different topics but mainly revolves around how access to vehicle data, functions and tools is regulated, and all that this involves for different stakeholders. Think of vehicle functions, for example, the ability to remotely unlock or lock a car.
Legislation on access to vehicle data has been years in the making, but is struggling to get off the ground. In 2018, the European Commission published a very voluminous research from the Transport Research Laboratory (TRL) on all the technological options for third-party access to vehicle data. The stumbling blocks and competing interests here are numerous.
In short, two extremes face each other: on the one hand, there is the so-called extended vehicle concept (ISO 20077-1 standard) in which manufacturers allow third parties to access data and functions from the vehicle using external software and hardware. The development, deployment and management are here entirely in the hands of the manufacturer. Partly with a view to cyber security, intellectual property and legal liability in case something goes wrong (especially as vehicles become increasingly autonomous), car manufacturers are reluctant to give others access to the car's network, which they want to protect as much as possible from outside manipulation.
Allowing motorists and third parties to read out data ('read access') is one thing, giving them the ability to modify systems ('read-write access') is an absolute no go for manufacturers. However, interfering with the CAN bus (the main system that controls the overall operation of the vehicle, from the brakes to the driver assistance systems) seems out of the question anyway: at most, it will probably be access to the infotainment system to provide additional services.
On the other hand, there is the Secure Onboard Telematics Platform (S-OTP), a solution of the major European lobbying club AFCAR, which is the entire aftermarket represents and in the Netherlands consists of seven parties, including BOVAG. With S-OTP, drivers are in control of the data direction, there is a separation of duties, manufacturers do not stand between drivers and service providers, and there is, for example, secure, standardised access to the vehicle's network for all service providers (including the manufacturer itself) who get the green light from the driver.
Under S-OTP, if car manufacturers do not receive data directly from the car, or ensure that others can access that data, who will ensure that they do? How can service providers with whom consumers want to engage receive data from the car and send it back there? Who will ensure that, among other things, data streams and apps in cars are validated and authorised using a standard, secure protocol? That one party is not favoured at the expense of another? The idea is to have one or more independent gatekeepers (data guardians) come to represent all stakeholders.
Sectoral legislation will not choose one solution or the other, but a compromise that everyone can live with. The danger, however, is that if manufacturers now each continue to develop their software, IT systems and data management as they see fit, in a few years' time there will be sectoral legislation on the table that requires all sorts of things on a technical level that are still difficult to incorporate. The sooner sectoral legislation arrives, the easier it will be to include certain functions in systems that are not yet set in stone.
Personal Information Management System
As an example, take the laudable principle that nothing is done with data without the consent of the owner or driver of the vehicle. If he or she does not give permission, no data can be shared, neither with the manufacturer nor with third parties. But how exactly are you going to arrange it if that person has extensive preferences: this data may be shared, but not this one, and with parties A, B and C, but not with parties D, E and F. (Incidentally, it is interesting what this development will mean for the market of vehicle data hubs, which we will discuss in a previous article discussed. It is quite conceivable that many motorists do not want to share data with such companies at all).
This will require the rigging of a personal information management system in the dashboard. But what should that system comply with? How do you best enable people to express their preferences? How extensive will it be and how do you keep it manageable? Conversations in Brussels are also about this. The fact is that if your IT architecture is already fully in place and you still need to retroactively build in all kinds of features around consent, it can be a tricky story.
Part of the European Commission's proposals to regulate access to vehicle data is a minimum list of data, functions and devices that the manufacturer of a model must disclose. Such a list would more or less amount to a listing of all sensors included in a car, something that is currently not part of a vehicle's type approval. Aftermarket parties are in favour of this in principle, but are also somewhat sceptical because a fixed list of data points may already be outdated due to advancing technology just after it is compiled. They argue for an independent party (the aforementioned gatekeeper?) to keep track and test what data can come out of a car.
Incidentally, electric vehicles do not generate nearly as much technical data as fuel-powered cars, and repair and maintenance costs are also much lower by comparison. For part of the aftermarket, plug-in cars are a lot less interesting.
Another thorny issue in the negotiations on sectoral legislation relates to the fact that third parties who get access to vehicle data must pay the car manufacturer a "fair, reasonable and non-discriminatory" fee for doing so. But what exactly is such a fee? Opinions are divided on that elastic concept. As it stands, manufacturers determine fees independently by looking at their own costs and how relevant and lucrative vehicle data is to a third party's business case. Aftermarket parties advocate taking into account the bargaining power that third parties have with car manufacturers when setting fees. Equivalence often does not exist. Thus, a local SME can easily be trounced in negotiations with a multinational car manufacturer.
In this discussion, manufacturers mainly point to the complexity and, for them, high costs involved in two (likely) requirements: the vehicle data must be available to motorists and third parties continuously and in real time; and throughout a car's lifetime (10-15 years), that facility (in terms of volume, type, functionality, etc.) must be kept up to date. Especially the latter, with so many models and also so many differences between them, manufacturers say this is not a doable task.
On a internet consultation from the European Commission on sectoral legislation (specifically on four different ways of accessing vehicle data, functions and tools) received 154 responses last year. Interestingly, in more than half of the cases they were concerned citizens who made their voices heard. Furthermore, it was the usual suspects: besides some governments, mainly industry associations, alliances and individual companies. From the French Connected Mobility For All Alliance, which eight principles promotes for a balanced connected cars system, to Fastned, the Dutch operator of electric car charging stations.
Most responses to the consultation came from Germany, where the debate over access to vehicle data is likely to be the fiercest, partly because a related national mobility data law is forthcoming there. Driving the debate there was the German Automotive Industry Federation, which came up with a proposal came to shape sector-specific legislation (Automotive Data Access, Extended and Open - ADAXO). Both the ADAC (the German ANWB) as the Federation of German Consumer Organisations made short shrift of this in counter-proposals on the grounds that ADAXO would hardly change the current situation and car manufacturers would simply remain the non-transparent gatekeepers of data.
Although negotiations on sectoral legislation appear to be heading towards the choice of one particular proposal welcomed by the aftermarket (option 3), they are proceeding with difficulty. The auto industry knows it has more to lose than to gain and is betting on damage control. Initially she was already not very keen on the Data Regulation, could subsequently live with that anyway but then tried to shelve the sectoral legislation with the messageThe regulation alone will do for now, let's see how it works out and, above all, not rush into more rules that will be disastrous for innovation. Evidently, car manufacturers do not want to give up their data sovereignty just like that.
European Parliament's consent
Until at least fairly recently, EU Internal Market Commissioner Thierry Breton was also reportedly obstructive for unclear reasons. And all this while senior officials directly under him believe that sectoral legislation is indeed desirable and the European Commission will come up with a proposal in the third quarter of this year on the basis of which the tug-of-war between stakeholders will continue.
The Data Regulation may be formally adopted soon (introduction deadline: 20 months), but the corresponding sectoral legislation is likely to take quite some time anyway. After all, it is questionable whether the current European Parliament will still be able to take care of it. There are European elections next June and before vehicle data will be voted on by the new parliament, it could as soon be 2025. Or even later.
In any case, the Dutch position is clear: there must be sectoral legislation. There, lobbying club AFCAR and others both politics The Hague as the Ministry of Infrastructure and Water Management in recent years.
The ministry is currently working on a position paper to strengthen the Dutch position in Brussels. In the committee debate 'Car' last June, the now outgoing minister Mark Harbers pledged to inform the House this autumn of Inform on the Dutch commitment on the vehicle data file at EU level (as well as on the state of privacy and data in non-European cars).