The European Data Protection Board (“EDPB”), an EU body of national supervisory authorities and the EU Commission, released today the text of draft guidelines on processing personal data in the context of connected vehicles and mobility-related applications (the “Draft Guidelines”), which it had adopted at its January 28–29 meeting. The Draft Guidelines provide examples of data processing activities and related compliance steps, including in relation to legal basis, retention, security and information requirements. Given the Draft Guidelines’ interplay with the ePrivacy Directive, the EDPB emphasizes consent as a relevant legal basis for processing. The level of granularity of the Draft Guidelines and actual relevance for privacy professionals might fall short compared to the cybersecurity best practices developed for smart cars by the European Agency for Cybersecurity (“ENISA”). (See ENISA’s latest report, “Good Practices for Security of Smart Cars,” released in November 2019.)
The Draft Guidelines are open to public consultation until March 20 and can be found on the EDPB website.