GDPR third anniversary: data privacy still an issue for fleets
The third anniversary of the introduction of the EU-wide General Data Protection Regulation (GDPR) on 25 May serves as a timely reminder to fleet managers about the importance of data privacy as an increasing number of vehicles become connected.
The GDPR is focused on protecting personal data, defined by the regulation as ‘any information relating to an identified or identifiable natural person’. The rules are highly relevant to fleets given the exponential rise in data generated by company cars and vans from aftermarket telematics devices and OEM-fit connectivity solutions.
This data holds the key to running safer, more efficient fleet operations, but how it is collected, analysed and stored is subject to tight controls under the GDPR. The European Data Protection Board (EDPB), which oversees the GDPR, brought 200,000 cases against companies in 31 countries in the first nine months after the regulation came into force, and issued nearly €56 million in fines. For serious breaches of data privacy it has the power to impose sanctions of up to €20 million or 4% of annual global turnover, whichever is higher.
Fresh data protection guidelines
Last month, the EDPB issued a new set of guidelines in relation to the processing of personal data generated by connected vehicles. The guidelines highlight how data that relates to a vehicle, such as location, distance covered and wear and tear, may also be used to identify, directly or indirectly, the driver. Location data, for instance, can be particularly revealing about the life habits of data subjects, warned the EDPB, with a driver’s centres of leisure interest possibly exposing sensitive information such as religion through a place of worship, or sexual orientation through the places visited.
As a result, the EDPB’s guidelines say: “vehicle manufacturers, equipment manufacturers and automotive suppliers, car repairers, automobile dealerships, vehicle service providers, fleet managers, motor insurance companies, entertainment providers, telecommunication operators, road infrastructure managers and public authorities” should secure prior consent from drivers for collecting data.
The EDPB cited as an example the case of telemetry data collected for maintenance purposes. This information, it said, “may not be disclosed to motor insurance companies without the user’s consent for the purpose of creating driver profiles to offer driving behaviour-based insurance policies.”
Fleets treated differently
However, the EDPB’s guidelines also stipulate that: “Employers providing company cars to members of their staff might want to monitor their employee’s actions (e.g., in order to ensure the safety of the employee, goods or vehicles, to allocate resources, to track and bill a service or to check working time). Data processing carried out by employers in this context raises specific considerations to the employment context, which might be regulated by labour laws at the national level that cannot be detailed in these guidelines.”
Fleets will generally have a ‘legitimate interest’ for processing personal data from a telematics system such as tracking fuel use to combat fraud, monitoring mileages to comply with lease contracts, and analysing driver behaviour (such as speed, harsh acceleration and braking) as part of a health and safety programme.
A European Commission opinion, issued in 2017, directly addressed the issue of data processing from fleet vehicles, recommending that where the private use of company cars or vans is allowed, the driver should be able to turn off location tracking. The opinion also drew a subtle but clear distinction that telematics technology should be used to track vehicles, not individuals, and added that employers must clearly inform their staff that tracking devices have been installed and their movements are being recorded.
Explain telematics to drivers
This remains best practice, according to Jim Noble, senior vice president, risk engineering, eDriving, who said the benefits of telematics in supporting driver safety strategies should be explained to employees. Telematics should not be used, he said, as a ‘gotcha’ – a means to catch out drivers.
“You have to think about addressing the privacy concerns that come along with gathering this data,” said Noble. “Just the word telematics is enough to trigger privacy alarm bells not only from the driver but also from different company teams like HR and legal. Depending where you are in the world, privacy concerns may also extend beyond the company – it might go to unions or work councils. We have learned that addressing this upfront is the only way to take care of this. If it’s one of the last things in the project of implementing telematics you are going to have an extremely hard time.”
This fear of the unknown is one of the principal data privacy challenges, said Glen Mitchell, head of product management, MiX Telematics.
“If drivers don’t have any visibility as to how their data is being used it creates a bit of uncertainty and fear,” he said. “While telematics solutions providers generally operate within the GDPR constructs, and are managing everything as required, that does not give any visibility to the drivers as to how their data is being used. Telematics solutions providers need to be more proactive and make data something that’s more visible to drivers on a more regular basis.”
Breaches of the GDPR by fleets using telematics have so far been few and far between. The closest case to a core fleet application occurred in Germany in 2019, where a cleaning company was found to be in breach of the GDPR for its installation of a telematics system in the vans of its employees. The court ruled that there was no lawful basis for processing data on vehicle location (although this could be switched on to find a stolen vehicle), and that the drivers had not given valid consent (being informed is not the same as giving consent). Importantly, the company did not use the data to plan routes or coordinate employee and vehicle deployment.
Referring to the German case, Simon Assion, legal counsel at Bird & Bird, said companies using telematics must be able to prove a clear need for the systems. He added that, if possible, drivers should be able to switch off tracking systems; that fleets should ideally be able to ‘see’ vehicles without identifying the assigned drivers; and that the data should not be stored for long – the German cleaning company kept its data for 150 days, which the court considered to be excessive.
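The three controls recommended above (the Commission opinion's switch-off for private use, and the Bird & Bird advice to see vehicles rather than drivers and to keep data only briefly) can be built into the telematics data pipeline itself. The following is an added illustration, not code from any telematics vendor or from the article; the event fields, the 30-day retention value and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed retention policy for this example; the German court found 150 days excessive.
RETENTION_DAYS = 30

@dataclass(frozen=True)
class TelematicsEvent:
    vehicle_id: str
    driver_id: Optional[str]   # assigned driver; None once stripped for the fleet view
    recorded_at: datetime
    location: Optional[tuple]  # (lat, lon), or None when tracking is switched off
    speed_kmh: float
    harsh_braking: bool        # safety metric kept even when location is suppressed

def apply_private_mode(event: TelematicsEvent, private_use: bool) -> TelematicsEvent:
    """Honour the driver's switch-off for private use: drop the location, but keep
    the vehicle-level safety and mileage fields the fleet has a legitimate interest in."""
    return replace(event, location=None) if private_use else event

def fleet_view(event: TelematicsEvent) -> TelematicsEvent:
    """Vehicle-level view for the fleet manager: the vehicle is visible, the driver is not."""
    return replace(event, driver_id=None)

def purge_expired(events: List[TelematicsEvent], now: datetime,
                  retention_days: int = RETENTION_DAYS) -> List[TelematicsEvent]:
    """Keep only events still inside the retention window; everything older is deleted."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in events if e.recorded_at >= cutoff]

# Constructed sample data: one recent record and one from 150 days ago.
NOW = datetime(2021, 5, 25, tzinfo=timezone.utc)
SAMPLE = [
    TelematicsEvent("VAN-01", "driver-17", NOW - timedelta(days=2),
                    (51.50, -0.12), 48.0, True),
    TelematicsEvent("VAN-02", "driver-42", NOW - timedelta(days=150),
                    (53.48, -2.24), 31.0, False),
]

if __name__ == "__main__":
    for ev in purge_expired(SAMPLE, NOW):
        print(fleet_view(apply_private_mode(ev, private_use=True)))
```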
And, he added, “Consent would only have been valid if the cleaning company had offered an alternative to the employees, which would have been the option to answer ‘no’ to the agreements and then to use a vehicle without tracking, without any hindrance or discrimination.”