19.05.2016

Car Sharing: Privacy Issues under current European law and under the GDPR

Niko Härting

(Speech, ITechLaw World Technology Conference, Miami, May 19th, 2016)

  1. The rise of car sharing services

Car sharing is becoming more and more popular since big auto manufacturers like BMW and Mercedes have entered the market, offering brand-new cars and the opportunity to locate and book the cars via user-friendly smartphone apps.

  1. Car sharing services rely on data

Car sharing services like Car2Go (Mercedes/Smart) and DriveNow (BMW/Mini) heavily rely on data. The cars are located by GPS and every movement of the cars is tracked. Car2Go and DriveNow cars are truly smart.

  1. Usage and location data are constantly collected and stored

On a continuous basis, car sharing services collect and store:

  • usage data: the start time and the end time of each use;
  • location data: the location is constantly monitored via GPS.

The usage data is essential for payment as payment would normally be based on time rather than on distance. Because the customer usually pays by the minute, information about the time used needs to be collected and stored.

In general, customers would only be allowed to use the cars within a designated area. In particular, customers would normally not be allowed to leave the city in which the car is located. Location data allows the service provider to check the exact location of the cars and compliance with the rules of their use.

  1. Location data is widely regarded as highly sensitive PII

Location data as well as usage data clearly constitute personally identifiable information (PII). Many privacy advocates would argue that data on the movements of a person are highly sensitive information requiring a high standard of protection.

According to the German Data Protection Act, the processing of such personal information requires

  • either the customer's consent or
  • a statutory provision permitting such processing.

  1. Consent is tricky now

In an ideal world, the car sharing service providers would ask their customers for consent, and the customers’ consent would be a sound and reliable basis for processing the data.

However, in the real world things are not quite that simple, as consent needs to be both

  • voluntarily given and
  • informed.

Moreover, under the German Data Protection Act, consent would normally need to be

  • in writing.

Therefore, the hurdles are high:

  • Insufficient click of a box:  It would be too late to let the customer give consent by clicking a box on the entertainment system. It would be debatable if this would be voluntary and informed, let alone written.
  • Initial contract requirements:  Consent would need to be given when the first contract with the customer is signed. The consent would need to be in writing, and the service provider would need to provide the customer with detailed information on the type of data that is processed and on the purposes of the processing.

  1. Consent will not get any easier with the GDPR

Once the GDPR comes into effect, obtaining valid consent will not become any easier:

  • Validity:  According to the GDPR, consent needs to be “unambiguous” but not in writing. It will, therefore, be easier to argue that click-box consent is valid.
  • Market power:  However, the GDPR regards consent – as a rule – as invalid when there is a “clear imbalance” between the controller and the data subject. And it is hard to argue that the obvious imbalance between a customer and BMW or Mercedes is not “clear”.
  • Necessity for performance:  Moreover, the GDPR regards consent – as a rule – as invalid when it is obtained in connection with a contract but not limited to data “necessary” for the performance of the contract. In connection with contracts, consent will, therefore, not be a realistic option any more.
  • Right of Withdrawal:  Last but not least: Under the GDPR, the customer may withdraw consent at any time with immediate effect. Consent will, therefore, not be a reliable basis for the processing of data any more.

  1. Contract data processing

Both under existing European data protection laws and under the GDPR, data may be processed if the processing is necessary for the performance of the contract.

The usage data needs to be collected in order to work out the price of the journey. Without information on the time the journey has taken, it would be impossible to calculate the per-minute-price. Therefore, the usage data may be processed, see Art. 6 (1) lit. b GDPR.

However, usage data needs to be deleted as soon as the customer has – irrevocably – paid the bill.

  1. Legitimate interests

Both under existing European data protection laws and under the GDPR, the collection and processing of location data can be justified by “legitimate interests” of the service provider:

  • Locating:  There clearly is a “legitimate interest” to be able to monitor – by GPS – the exact location of a car.
  • Monitoring:  As the cars may only be used in a “designated area” (e.g. city of Berlin), the service provider has a “legitimate interest” to be informed immediately when a car is moved outside that area.
  • Storing location data:  There is also a “legitimate interest” to store location data for a short period of time in case there was an accident or the car was damaged. Location data may help the service provider to establish legal claims or defend himself against such claims.
  • Deleting location data:  Once it is clear that there was neither an accident nor damage, the location data must be deleted (advice in Germany: deletion within 7 days as this is the period held to be reasonable in similar cases).

  1. GDPR: The “right to object” may make life harder

When data is processed on the basis of “legitimate interests” (Art. 6 (1) lit. f GDPR), the data subject has the right to object (Art. 21 GDPR). After the right to object is exercised, data may only continue to be processed when

  • Nature of controller's interest:  the “legitimate interest” of the controller is “compelling” or
  • Procedural necessity:  processing is necessary for the establishment, exercise or defence of legal claims.

While the “right to object” will generally not make the life of controllers easier under the GDPR, car sharing service providers will be able to argue that they have to have location data in connection with possible “legal claims”.
