The French Data Protection Authority (CNIL) has launched a public consultation on location data of connected vehicles, open until May 20, 2025. This work will shape future regulations regarding the use of location data and its impact on industry standards, insurance coverage and operational realities. This open consultation puts drivers' consent for the processing of location data at center stage of the CNIL’s reflection, above fraud and contractual considerations.

The increasing connectivity of transportation modes (cars, bikes, scooters, and more) has led to a growing volume of data generated by both vehicles and their users. This data can originate directly from built-in vehicle systems, onboard devices such as telematics boxes, or the connected devices of drivers and passengers, including smartphones and tablets.

While leveraging this data enables contactless and innovative services that enhance safety, improve travel experiences (infotainment, comfort, maintenance), and optimize mobility, it also raises obvious privacy concerns. Among these, location data stands out as particularly sensitive, as it reveals an individual's movements, driving, frequented places, and personal habits. Recognizing its intrusive nature, the European Data Protection Board (EDPB), in its Guidelines 01/2020, emphasized the need for specific safeguards when processing such data under the General Data Protection Regulation (GDPR). 

To translate these challenges into practical rules, the CNIL launched a "compliance club" dedicated to connected vehicles in 2023, bringing together industry stakeholders to anticipate regulatory developments. As part of this initiative, it has developed a draft recommendation in collaboration with key players in the connected vehicle ecosystem, raising concerns with regard to after-market players. This document aims to clarify the applicable legal framework for processing location data in connected vehicles, focusing on private users, whether owners or renters. It also provides practical guidance to ensure compliance with data protection regulations.

To refine this draft recommendation, the CNIL has opened a public consultation, allowing industry players to contribute their insights and shape the final framework. Automobile manufacturers, fleet managers (short- and long-term rental), telematics service providers, data aggregators, and integrators will be directly impacted by these draft recommendations. 

The draft recommendation covers the general GDPR compliance framework: qualification of stakeholders, legal basis, data minimization, security measures, etc. It also addresses some focus topics, such as data anonymization and the use of location technologies. The draft recommendation highlights the importance of user consent, and emphasizes the link between collecting location data and the consent requirement under the ePrivacy Directive, as transposed in Article 82 of the French Data Protection Act, which was initially designed for cookie regulations. It does so without referring to any of the six alternative legal bases provided by the GDPR.

The debate around individuals’ discretionary consent intensifies, especially regarding the draft requirement for consent in preventing vehicle theft (!). The CNIL questions the application of Article 82 of the French Data Protection Act, which transposes the ePrivacy Directive's provisions on consent for accessing location information. The need for driver consent, as described by the CNIL, presents challenges because a refusal would deprive fleet managers of an effective anti-theft measure. However, making vehicle rental contingent on consent to access location data for anti-theft purposes risks undermining the freedom of consent. 

To address this, the CNIL has identified two possible interpretations and is consulting the public to gather insights and inform the debate. The draft recommendation also provides practical guidelines for complying with these regulations, ensuring that location data processing respects privacy and data protection principles. In a nutshell, consent resulting from the ePrivacy Directive, as amended in 2009, would take precedence over the GDPR legal bases adopted in 2016. An interesting debate to come, since this old ePrivacy Directive will not be replaced by any further ePrivacy Regulation, as a result of the new digital regulation program adopted by the newly appointed European Commission. The CNIL invites all public and private actors concerned by these two standards to provide their comments and observations.

Given the importance of personal data processing in innovative mobility business models, this opportunity to comment on the draft recommendation is not to be missed. Our Data, Privacy & Cybersecurity team in France is available to articulate business and practical concerns with legal arguments to nurture a state-of-the-art debate. The public consultation is open until May 20, 2025.

All details to be found here (in French only for now).

 

Authored by Etienne Drouard, Rémy Schlich, Charlotte Le Roux, and Augustin Lacroix.
