C-ITS Platform WG: Data Protection & Privacy 3 rd Meeting: Phase II: 19 October 2016, 09:00 13:00 Meeting Minutes

Transcription

1 C-ITS Platform WG: Data Protection & Privacy 3 rd Meeting: Phase II: 19 October 2016, 09:00 13:00 Meeting Minutes Venue: INEA Agency, 910 Chaussée de Wavre, 1040 Etterbeek, Meeting room 00/41 Summary A representative of Art29 Working Party joined the WG as a member to advise the group in the preparation of the conclusions of Phase II to be submitted to the Art29 Working Party for opinion. He made a general overview on how the European legislation was changing at the light of the introduction of the new GDPR. The WG Chair made a presentation of the WG conclusions of Phase I, as a reminder for the WG, and to recap the Phase I results to the representative of Art29 Working Party The sub-wg established in the previous meeting presented a paper classifying applications according to various criteria: communication protocol, legal basis justifying processing of personal data, etc. Seeking for a consistent approach in the analysis of the applications, it was agreed to focus it using the ETSI ITS classification structure. Next meeting will be organised on 25 November in Brussels. Action List Nr Action Responsible 1 Editing sub-wg to prepare a revised version of the paper, focusing the analysis on a limited number of ETSI applications Editing sub-wg 1

2 1. Introduction Review of minutes from previous meeting and approval/comments Minutes were approved. Adoption of the agenda of the meeting Agenda was adopted. 2. Review of the conclusions of Phase I summary, enriched with GDPR new aspects See document attached. 3. Presentation of summary conclusions of Phase I to the Article 29 Technical Subgroup representative (Vincent Mahieu) See set of slides attached 4. Review of first draft produced by sub-wg on legal basis aspects for national/public authorities (representative of sub-wg) As planned, the sub-wg started working on a classification of the applications, according to various criteria: on the basis of the communication protocol (cellular, ITS-G5 or hybrid), since the implications in terms of privacy may result being different according the protocol(s) in use on the legal basis justifying the processing of personal data on the possibility for certain applications and scenarios to operate without processing personal data (no more specific legal background according GDPR is required) on the typical actors, roles and chain of responsibilities involved in the processes (data controller, processor, subject) Considering the need to harmonise the discussions with those taking place at the other WGs such as the Security WG, it was felt that the classification according to the communication protocol could not be the most suitable one. Hence it was agreed that the sub-wg will further develop the analysis of the applications using the ETSI ITS classification structure. The WG also concluded that to process personal data according 'public interest' legal basis, an additional "piece of legislation" (e.g. delegated act in ITS directive context) would be necessary. The Art.29 representative underlined that the WG proposal to offer the full control to the data subject with the possibility to shut down the broadcast corresponds to the 'Privacy by default' concept. He also underlined that the definition of personal data processing has been subject to various opinions from Art.29, and either in an opinion of 2007 and the another one of 2014, it was clearly reminded that "processing data potentially impacting a data subject in his behaviour or subsequent move or reaction is considered as processing personal data". 2

3 The Art29 representative proposed to explore the "legitimate interest" as a possible legal basis (also for classification purposes), since there is already an opinion available from Art 29, on the basis on what this legal basis seems to be recognized and be efficient in similar contexts. It is recommended as well to establish appropriate links to relevant Art29 opinions in the Phase II report. In particular, the following ones are recommended for consideration: Opinion 4/2007 on the concept of personal data From < Opinion 05/2014 on Anonymisation Techniques From < Opinion 13/2011 on Geolocation services on smart mobile devices From < Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC From < Next Meeting is scheduled the 25 th of November, 14:30 to 17:30. 3

4 Annex 1: C-ITS Platform WG: Data Protection & Privacy 3 rd Meeting / Phase II: 19 October 2016, 09:00 13:00 Venue: INEA Agency, 910 Chaussée de Wavre, 1040 Etterbeek, Meeting room 00/41 Draft Agenda 1. Introduction: Review of 2 nd meeting minutes and approval/comments Adoption of the agenda of the meeting 2. Review of the conclusions of Phase I summary, enriched with GDPR new aspects (Vincent Mahieu) 3. Presentation of summary conclusions of Phase I to the Article 29 Technical Subgroup representative (Vincent Mahieu) 4. Review of first draft produced by sub-wg on legal basis aspects for national/public authorities (representative of sub-wg) 5. Start of work, and set up of a sub-wg on C-ITS applications categorization: criteria, processes, maintenance 6. Discussion of next steps: For each of these families of C-ITS applications "Who will do what?" Actors versus processes 7. Conclusions, planned actions and AOB 4

5 Annex 2: Attendance List Antoine Bon Mikael Johansson Merel Wrackwitz Henri Kujala Martina Schollmeyer Maria Marton Hanhela-Lappeteläinen Sevvy Palmer Marc Greven Sebastian Gress Richard Lax Steffen Kroschwald Susanne Eisenmann Jorgen Wählund Daniela Bohn Wouter Van Haaften Marcel Otto Giuseppe D'Acquisto Maxime Flament Jean Michel Henchoz Claudius Morath Lamprini Gyftokosta Gerhard Kunnert Jan Michael Schüngeler Stefano Fantin Maria Alfayate Vincent Mahieu EDPS Volvo Group IBM HERE BMW Swedish Transport Agency Finish Transport Safety Agency UK Department for Transport ACEA Daimler AG Kapsch Porsche AG Robert Bosch GmbH VOLVO AUDI AG Min. NM in NL Min. NM in NL Italian DPA ERTICO ITS Europe DENSO Continental Insurance Europe Federal Chancellery of the Republic of Austria Federal Ministry of Transport & Digital Infrastrructure EDPS DG MOVE DG JRC 5

6 Annex 3: Review of the conclusions of Phase I summary, enriched with GDPR new aspects Working Group 4 Data protection and Privacy - PHASE II 1 Introduction and Objectives of Phase II effort For Phase I, the objective of the C-ITS Platform Working Group on Data Protection & Privacy (WG4) was to provide an analysis of the issues related to the Privacy and Data Protection landscape in the context of C-ITS and elaborate recommendations to efficiently address them. To test and develop solutions, WG4 will continue focusing on a family of standardized messages relevant for the purpose of analysing the privacy and data protection challenges faced by C-ITS: the Cooperative Awareness Messages (CAM) and the Decentralized Environmental Notification Messages (DENM). C-ITS equipped vehicles making use of these messages are constantly broadcasting data, including e.g. their speed and location. This broadcasting is an inherent part of the system and hence raises potential concern as how to guarantee privacy and data protection. After an in-depth analysis, WG4 concluded that those messages are considered as personal data because of the potential of indirect identification of users. The European legislation on Data Protection, the recently adopted GDPR 1, is therefore considered applicable and, consequently, WG4 will continue examining the different legal basis to process legally these personal data in the context of the GDPR. As a reminder, the GDPR was adopted on 27 April 2016 and published in the Official Journal on 4 May While the Regulation entered into force on 24 May 2016, it shall apply from 25 May Starting from the results and recommendations of Phase I, the WG4 will further develop the following aspects during the Phase II: To analyse and update the conclusions and recommendations of Phase I against the GDPR To further analyze the legal background and basis to legally process the personal data in the C-ITS context. In that section, it is expected to develop a first classification of Day 1 and Day 1 1/2 applications according different legal basis. Then representative use cases will be selected to support and illustrate the challenges and the possible solutions. To involve and take stock of the expertise from EDPS, Art.29 Technology Sub-group and national DPA specialists, to confront and possibly validate the proposed solutions. To better identify, according use cases, and classes/categories of C-ITS applications what should be the processes and the actors (data controller, data processor and data subject). 1 REGULATION (EU) 2016/679: Protection of natural persons with regard to the processing of personal data 6

7 To consider and select the most adapted new tools offered by the new GDPR legislation, and describe the necessary means for a fruitful implementation of: - Certification/qualification scheme (privacy compliance or privacy seals), - DPIA template, - Data minimization, - Data breach notifications to DPA/Individuals. To investigate how to perform a full risk assessment To verify and confront possible alternatives to processing data To verify and confront possible alternatives to reach similar results of the C-ITS deployment using other techniques or paradigms 2 Analysis of the Phase I conclusions and recommendations against the GDPR When the report of Phase I was edited, end 2015, the new GDPR EU legislation was not finalized and not yet entered into force. Therefore, a little updating effort is presented in this section, recollecting conclusions and recommendations in the light of changes and GDPR extensions impacting the Phase I results. 1.1 GDPR principles The GDPR lays down rules relating to the protection of individuals with regard to the processing and the free movement of personal data and would provide the necessary legal framework for processing data in the context of Cooperative Intelligent Transport Systems in the EU. As the Directive, the GDPR broadly defines personal data as any information that can directly or indirectly identify a person. This means that data in the C-ITS context such as location data, fall under this definition and data protection rules apply. In contrast with recent US discussions on data protection, the GDPR upholds the need for robust notice and consent prior to the collection as one of the legal basis to process of personal data. The EU approach also stresses the need to limit data processing to the original purpose at the time of collecting the data, to ensure restrictions on automated processing and the need for independent regulatory oversight and robust enforcement mechanisms for transgressions regarding personal data rules (as inscribed in national laws). 7

8 Annex 4: 8

9 9

10 10

11 11

12 12