The GDPR and EU Data Act: is the number up for vehicle manufacturers?
So what effect will it have? A recent CJEU ruling illustrates some of the problems it is likely to cause.
Time to share
First up – do manufacturers really have to comply with obligations to share data with competitors? The answer here is a resounding ‘yes’. The court looked at enforced sharing of vehicle information by an HGV manufacturer with independent operators such as repairers, spare parts distributors and publishers of technical information. These sharing rules already apply in the motor vehicle industry (here, under (EU) 2018/858, the “Motor Regulation”) and are designed to create exactly the sort of level playing field which EU legislators are hoping to foster for connected products by means of the Data Act. Producers may understandably resist, but the court has given them short shrift: it’s time to share.
It's all getting personal
Second, with enforced sharing, we can expect a huge expansion in the amount of data that has to be treated as personal data. To understand why this is, we have to go back to GDPR basics about the nature of personal data.
Looking at the question of whether data about a vehicle could be used to identify an individual, the relevant test can be found in Recital 26 of GDPR. This says that identifiability depends on “all the means reasonably likely to be used, either by the controller or by another person to identify [a] natural person”.
As data passes into different hands, new players in the information chain may be able to link the data to other information they have access to, sometimes in such a way that even data that started as just a string of numbers ends up being personal data.
This is so with IP addresses, and with VINs (vehicle identification numbers) which are numerical identification numbers linked to a vehicle, held by manufacturers. Under the Motor Regulation, manufacturers have to share VINs and vehicle information with third party operators. The difficulty is that operators also hold information about ownership history, including named individual owners, as well as other data linked to VINs. So suddenly the VIN-linked data is potentially enriched with a new dataset which contains personal data.
Quick detour to Finland
It's worth mentioning that in 2019, courtesy of the Finnish data protection regulator, it was confirmed that vehicle service histories are the personal data of the individual who owned the vehicle at the time (but not a new owner) because they could directly or indirectly describe the activities of that individual. But the focus of the Finnish decision was whether historical service information could “relate to”, and therefore be personal data of, a subsequent owner. The regulator held that it could not, and commentators already noted a possible collision course with the Data Act.
What did the court say about VINs?
In the recent CJEU case, the manufacturer wanted to know about the effect of personal data in the chain of information. What did the court say about this?
First, it confirmed that strings of numbers like VINs are capable of being personal data where a party (here, the operator) has a means reasonably at their disposal to link it to a person (para 49). This is clear from the Recital 26 test. The “means” here, we might say, is the access to the data on the registration certificates.
Second, the court said that VINs will not always be personal data, for example where they refer to a vehicle not owned by a person (para 49). Again, not a surprising conclusion – numbers are sometimes just numbers.
Third, it found that not all the relevant “means” of identification need to be in the hands of a single entity for the Recital 26 test to be met (para 45). The fact that different players in the chain hold different pieces of the puzzle doesn’t stop data being personal data. It’s confirmation of what we already know from IP addresses (in a previous court ruling called Breyer) and there’s a hint in Recital 26 which says that information may be held by a controller or “by another person”.
Finally, the court confirmed that there must be a means “reasonably likely to be used” to bring the elements together. In the Breyer case, this was a legal mechanism by which a government could compel internet service providers to disclose information. In this case we have the requirements of the Motor Regulation providing a likely mechanism for identification with a person.
So VINs, at least ones for vehicles in personal ownership, are personal data (strictly speaking the court has left this for a national court to determine, but the logic is inescapable).
A triple threat for manufacturers
Does this mean that manufacturers - who don’t hold registration certificates - now have to treat all the VINs they have as personal data, with all the requirements relating to transfer, transparency and processing that this entails?
Current EDPB guidance would suggest so, at least for vehicles yet to be sold (though for practical reasons that distinction may be little comfort for manufacturers). Here the court seems to say the same thing although it seems to leave the door open regarding VINs for unsold cars:
“where independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person, which it is for the referring court to determine, that VIN constitutes personal data for them, within the meaning of Article 4(1) of the GDPR, and, indirectly, for the vehicle manufacturers making it available, even if the VIN is not, in itself, personal data for them, and is not personal data for them in particular where the vehicle to which the VIN has been assigned does not belong to a natural person.”
We might call this a kind of reverse engineering: once a player in the chain (even the final link) can attach the personal data to an individual, some, if not all, of the holders back up the chain of data sources are also holding personal data.
Under the GDPR alone, the writing has been on the wall for quite a while that manufacturer-held VINs are personal data (especially given the signals from the EDPB). However, when applying these principles more broadly across data held by manufacturers, whether in the automotive sector or beyond, the CJEU case is a healthy reminder that the GDPR’s ‘identifiability’ test could have some pretty big implications. Put together with the Data Act, this will place a considerable extra compliance burden on parties compelled to start sharing data. Data holders may be hit with a double whammy – not only could they be made to share information that is potentially damaging to their commercial interests, but the very possibility of being called on to share it may require them to put in place new protections for the data to meet the requirements of the GDPR. In other words, the Data Act makes data that was previously less linkable more so, and so converts it into personal data at its source.
Actually, it’s a triple whammy: the court also said that in presenting the data, manufacturers must set up databases of information to help users further down the chain.
Really?
The UK data protection regulator, the ICO, no doubt sensing unreasonable additional burdens, says something different. For it, the UK GDPR can be interpreted as saying that the same data can clearly be personal, or not, in different hands. Changes proposed in the upcoming Data Protection and Digital Information Bill will reinforce this position, should that come into force. And of course there’s no UK Data Act in prospect, at least for now.
Going back to the court ruling, the sharp-eyed may have spotted that it says “that VIN constitutes personal data for them, within the meaning of Article 4(1) of the GDPR”. The phrase “for them” is repeated twice more. Does this open the door to the idea that data may (in some as yet unspecified way) have different identities in the hands of different people? This potential door to sanity may have to be opened more widely once the practical application of the Data Act becomes clear.
But for now, it looks as if vehicle manufacturers and others caught by the Data Act’s sharing obligations may be carrying a heavier GDPR load when navigating the road ahead.