C-ITS Platform WG: Data Protection & Privacy 7 th Meeting: Phase II: 29 March 2017, 09:00-13:00 Meeting Minutes

Transcription

1 C-ITS Platform WG: Data Protection & Privacy 7 th Meeting: Phase II: 29 March 2017, 09:00-13:00 Meeting Minutes Venue: 24 Rue Demot Room 03/58, (Metro Schuman) Summary Art 29 representative provide the feedback of the Art 29 Technology Subgroup (TS) on the document submitted. Views were positive regarding the approach taken of considering data in the context of C-ITS as personal data. However, the document should be improved in terms of how processing of data is described. Detailed comments were provided in relation to possible legal basis identified, in particular to contract as a legal basis and joint controllership according to Art 26 of the GDPR, as well as to security issues and other elements to be further improved. Opinions were expressed within the WG that contract as the legal basis might be too complicated, and that an alternative EU-level regulation could be a more viable option to proceed. Discussions on the joint controllership led to the conclusion that a governance structure for the system had to be defined. There was a first exchange of views on how this governance body should look like, what could be its structure, who should be leading it, etc. Two WG members volunteered to prepare a first draft for discussion at the next meeting. The document for Art 29 will be reviewed by the Editing Team following feedback received, to be resubmitted for Art 29 upcoming meeting in May. Next meeting will be organised on 25 April in Brussels. Action List Nr Action Responsible 1 Preparation of a revised version of the document for Art 29 Editing Team "Processing data in the context of C-ITS" 2 Preparation of first draft paper on "Governance in the context of C-ITS" Volunteer WG members 1

2 Minutes: Feedback from Art 29 representative on the document submitted to the Technology Subgroup The Art 29 representative provided feedback concerning the document that was sent on the 1st of March. He stressed in his intervention that the TS had expressed positive views about the approach taken that data in the context of C-ITS is considered to be personal data. Furthermore, options concerning the legal basis presented in the document were approved to be a suitable way forward. In particular, contract being the applicable legal basis and joint controllership according to the Article 26 of the GDPR. It was also pointed out that there very few, if none, previous cases of using these new instruments in other fields. The document was however weak, he informed, in terms of how processing of data was described, a better description of possibilities of tracking people, including granularity is needed. More attention needs to be paid as well towards privacy by design measures in the context of C-ITS, looking at data flows and options for the drivers. In relation to security, several issues are not covered or should be addressed more in detail. For instance, it is essential that frequency of certificates as well as physical security of the machine, are being examined in the document. The possible additional consequences to the C-ITS of the e-privacy directive that is at the moment negotiated by the co-legislators, concerning the principle of confidentiality needs to be strengthened. Art 29 representative explained that Art 29 would react to the document in relation to Day 1 and Day 1'5 services, as these are those addressed in the document. But, they would aim at continuing the work together the C-ITS platform in the future, as further generations of C-ITS services are being developed. A round of questions/clarifications from WG members followed this presentation. In particular aspects to be clarified included the need to get into details of a contract or arrangement at the light of the proposed joint controllership; the potential implications that the proposed e-privacy directive could have in relation to integrity and confidentiality aspects, etc. Several WG members underlined during the discussions that contract as the legal basis might be too complicated to be fulfilled and therefore EU-level regulation was argued to be a viable option in order to proceed. Different stakeholder representatives, both private and public, called that the Commission should play stronger role. Discussion on the data controller Related to the joint controllership and governance body, a governance structure needs to be defined, including views if public body should be leading the structure. Questions were posed on how standards can be maintained and how trusts to the system can be established. 2

3 Furthermore, questions related to enforcement, and the type of contracts or arrangements to be established between the parties, have to be addressed in order to be lawfull. Some WG members proposed to take an architecture approach with a definition of layers of responsibilities at different levels. Two WG members volunteered to prepare a first draft paper on the governance body, to be discussed via telco, or at the upcoming meeting. Since the question of the governance is already being addressed in the context of the security and the compliance assessment WGs, EC representatives will liaise with the other two WG chairs to address this topic in a coordinated manner from the three different angles. Next steps The Editing Team will redraft the Art 29 paper along the lines of the feedback provided by his representative. The document will be circulated to WG members for discussion on 25 April, in order to be submitted in due time for the next TS meeting scheduled mid-may. The discussion of the paper on the governance model will provide the basis for the future work on the governing body, as well as elements to revise the section "Analysis of C-ITS and the principles of data processing" of the Art 29 document. Next meeting will be organised on 25 April in Brussels. 3

4 Annex 1: C-ITS Platform WG: Data Protection & Privacy 7 th Meeting / Phase II: 29 March 2017, 09:00 13:00 Venue: 24 Rue Demot Room 03/58, (Metro Schuman) Draft Agenda 1. Introduction: Review of the minutes of the meeting from previous meeting and approval/comments Adoption of the agenda of the meeting 2. Feedback from Art 29 representative on the document "Personal data in the context of C-ITS" submitted on 01/03/2017 and discussion based on the received feedback 3. Next steps in the preparation of a revised document 4. Further work to be done in the group 5. Conclusions, planned actions and AOB 4

5 Annex 2: Attendance List Simon Hania Anna Rossi Maria Chiara Meneghetti Leila Hanhela Lappeteläinen Angelos Amditis Sevvy Palmer Marc Greven Richard Lax Jorgen Wählund Henri Kujala Maria Marton Giuseppe D'Acquisto Marko Jandritsis Niels Andersen Steffen Kraschwald Martina Schollmeyer Peter Lewyllie Jan Michael Schüngeler Marcel Otto Markus Riederer Maxime Flament Heidi Kiveras Niccolo Panozzo Paivi Wood Maria Alfayate TomTom EDPS EDPS Finnish Transport Safety Agency ICCS - GREECE UK Department for Transport ACEA Kapsch VOLVO HERE Swedish Transport Agency Italian DPA ASFINAG C2C Porsche BMW AG Belgium/Flanders, Agentschap Wegen en Verkeer Federal Ministry of Transport & Digital Infrastructure /DE Rijkswaterstaat / NL FEDRO /CH ERTICO FICORA /NCSC-FI ECF DG MOVE DG MOVE 5