Faculteit Rechtsgeleerdheid Faculteit Natuurkunde, Wiskunde en Informatica Leibniz Center for Law C-ITS and GDPR

Transcription

1 Faculteit Rechtsgeleerdheid Faculteit Natuurkunde, Wiskunde en Informatica Leibniz Center for Law C-ITS and GDPR Wouter van Haaften, Tom van Engers

2 What does traffic with C-ITS look like?

3 How does Cooperative ITS work

4 C-ITS technology and planning Technical Standard Wifi-p Protocol, Standard ETSI ITS-G5 and IEEE p (WLANp) CAM=Cooperative Awareness Message DENM=Distributed Environment Notification Message Planning EU implementation foreseen in 2019 France: Renault have implemented small scale in SKOOP Germany: VW will implement from model 2019 Other OEMs more reluctant.

5 C-ITS and Personal Data Two issues: 1. Location data, Art 4 (1) GDPR 1. Art 4(1) personal data means any information relating to an identified or identifiable natural person ( data subject ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 2. Singling out, Recital 26 GDPR 1. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.

6 Who is the controller? Controller, Art 4 (7) GDPR controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; Two plausible Legal basis, Art 6 GDPR 1. Art 6 (a) Informed consent, given to the controller 2. Art 6 (c) Legal obligation of the controller (public interest)

7 Issues Opinion 3/2017 by WP 29 Issues: Personal data/identification of data subjects, singling out, Subjects rights to information, short lived CAM data, otherwise? CAM Broadcasting, unencrypted, readable, range 500m, Data minimization, less in CAM, size of vehicle, CAM frequency

8 Privacy risks Opinion 3/2017 Privacy risks detected by WP29 Disclosure of how and where the subject drives Lack of transparency/awareness as vehicles will broadcast constantly Messages can be received and read by anyone, losing control over the data Kinetic and location data will be valuable to various interested parties Data will also be appealing to law and traffic enforcement Function creep will be hard to prevent in an open system like C- ITS

9 What is next? Mitigating Privacy risks: Some redesign seems inevitable, Default setting recommended: switched off Privacy by Design: selection of tracking options Lower CAM frequency whenever possible Retention periods should be short and known.

10 Conclusions First step on two unexplored pathways: GDPR and C-ITS GDPR need not be a showstopper for C-ITS Certain re-design will be inevitable (Privacy by Design) Shaky balance between high data quality and low visibility Long term with automated vehicles, full quality C-ITS must be available.

11 Questions

12 Faculteit Rechtsgeleerdheid Faculteit Natuurkunde, Wiskunde en Informatica Leibniz Center for Law Thank you Wouter van Haaften, Tom van Engers