On March 25, 2025, the French knowledge safety authority (“CNIL”) revealed a draft suggestion on the usage of location knowledge from related automobiles (the “Advice” – see right here in French). The Advice is open for public session till Might 20, 2025.
- Scope
The Advice is supposed to assist stakeholders of the car business (e.g., producers, fleet managers providing automobiles for brief or long-term rental, suppliers of telematics instruments put in within the automobiles, knowledge aggregators and integrators) adjust to French privateness guidelines. It covers a number of the most frequent makes use of of location knowledge in relation to related automobiles pushed by shoppers.[1] Functions of processing coated by the Advice embrace:
- fleet administration by car rental corporations (administration of rental contract execution and repair efficiency);
- private help and car restoration;
- private help within the occasion of an accident;
- theft prevention; and
- optimization and enchancment of services and products (identification of areas for enchancment in tools or companies provided).
- Common Suggestions
The CNIL first units out suggestions relevant to all in-scope processing actions. Key matters coated in these normal suggestions embrace:
- Understanding when French knowledge safety and privateness guidelines apply – particularly, the CNIL highlights that the French cookie guidelines will apply in case of entry to location knowledge from a related car;
- Figuring out an relevant authorized foundation – the CNIL gives just a few examples through which varied authorized bases (e.g., consent, contractual necessity, official pursuits) might or is probably not relied on. Apparently, when contemplating the official curiosity authorized foundation, the CNIL solely gives examples excluding this authorized foundation;
- Informing knowledge topics and facilitating the train of their rights – the CNIL recommends as an illustration that info be supplied to knowledge topics in a layered method and doubtlessly utilizing varied codecs (e.g., digitally by way of the system integrated within the car, by way of a QR code, in paper, and so on.). It additionally recommends that producers add a easy operate to the car enabling knowledge topics to shortly and simply delete their private knowledge (e.g., a delete button inside the car or in an app utilized in reference to the car);
- Implementing acceptable safety measures – on this level, the CNIL not solely refers to numerous technical requirements that could be useful to handle cybersecurity dangers (e.g., UN Regulation No 155 and ISO/SAE 21434), but additionally recommends quite a lot of safety measures (reminiscent of encryption, authentication and entry logs).
- Particular Suggestions
The Advice then addresses some extra particular use instances, which we’ve got summarized beneath.
- Anonymization of location knowledge
After reiterating that the anonymization course of itself is a processing exercise that is still topic to the GDPR, the CNIL gives some sensible and technical suggestions for corporations looking for to anonymize location knowledge and lists some concerns to keep in mind when assessing the danger of reidentification.
- Suggestions particular to sure processing actions
The CNIL units out extra detailed suggestions for sure processing actions within the context of the administration of a business fleet or private use of a related car. Such actions embrace as an illustration utilizing location knowledge to fight theft, to offer help within the occasion of an accident, or to enhance services and products. In every case, the CNIL presents some perception on the function of assorted stakeholders and situations for lawfully processing the situation knowledge (together with by contemplating adjust to the French cookie guidelines relying on the use case and figuring out an acceptable authorized foundation).
- Localization strategies: telematic bins and knowledge aggregators
The CNIL highlights extra particular safety concerns with regard to the usage of telematic bins or options supplied by knowledge aggregators in related automobiles. The place private knowledge are shared by way of an software programming interface (“API”), it refers back to the suggestions and pointers supplied in its 2023 steerage on APIs (see right here in French). The CNIL additionally flags some safety considerations for suppliers of telematic bins and knowledge aggregators to think about when designing their services and products.
- Subsequent steps
Stakeholders (whether or not from the general public or personal sector), residents and civil society might submit their feedback on the Advice till Might 20, 2025. Following this session interval, the CNIL will study the obtained feedback and undertake a closing model of the Advice – though it has not but supplied any estimated timeline for such adoption.
* * *
The Covington staff will proceed to watch developments on this matter, and we’re completely happy to help purchasers if they’ve any queries.
[1] The Advice thus doesn’t cowl makes use of of location knowledge linked to related automobiles pushed by workers, which the CNIL already addressed in a earlier steerage from Might 2023 – see right here in French.
