Always connected - Excellent idea or Risky business under the GDPR?

May 11, 2020 | Blog

In a recent article, Dutch broadcaster NOS reported that an increasing number of municipalities near busy junctions are having issues with cut-through traffic trying to avoid tailbacks. According to the Delft University of Technology, making sat-nav apps smarter may be the solution.

Navigation giants TomTom and Google Maps are reportedly working on setting up platforms that will connect data to enable road authorities to monitor the flow of (excess) traffic. Teaming up with Rijkswaterstaat [Directorate General for Public Works and Water Management], the province of Noord-Holland, TomTom, Flitsmeister and BMW in the Socrates 2.0 project, the Municipality of Amsterdam is also building a platform that will integrate data streams to predict busy traffic before it gets busy.

These platforms are built on Big Data, which can be captured and collected easily as more and more devices are constantly connected. However, the use of Big Data also affects the protection of personal data, as is clear from this recently announced investigation that the Dutch Data Protection Authority (“DPA”) will conduct in collaboration with car manufacturers.

What is Big Data?

Big Data is a wide-ranging term, often defined in terms of the five V's:

  • Volume: The quantity of information and the number of sources from which it can be captured are constantly increasing, such sources encompassing primary sources and connected sources or secondary sources
  • Variety: The growing number of sources allowing for data-mining also increases the variety of information that can be collected or connected
  • Velocity: The speed at which the data is generated and processed
  • Veracity: Connecting the various data sources available facilitates monitoring the reliability and quality of the data, which should improve its veracity
  • Value: Large quantities of data can be of great value to organisations as it enables them to offer targeted, individual treatment and/or marketing. Datasets are also money makers or money savers

Another feature often linked to Big Data is that it can be deployed for commercial purposes rather than just statistical or historical purposes, including the use of profiling for marketing purposes and algorithms that can detect diseases.

Big Data and the GDPR

Big Data and the GDPR is not a happy marriage at first sight. Where Big Data is concerned with the collection of information - as much as possible and as fast as possible - the GDPR actually compels organisation to contemplate the following:

  • Appropriate grounds
  • Purposes
  • Data minimisation
  • Storage periods
  • Transparency

The GDPR also frowns on automated decision-making by means of algorithms, as data subjects have the right, subject to conditions, to obtain human intervention. This would in fact hamper the rapid processing of information - and consequently the processing of a credit application, for example.

Big Data and Connected Cars

Ideas such as now materialising in the Socrates 2.0 project are far from novel, as these DPA Guidelines on Connected Vehicles and the draft Guidelines of the EDPB demonstrate. An increasing number of vehicles are interconnected through a wide range of sensors. Convenient, yes, but the authorities also sense risks.

Car manufacturers, dealers and external parties such as providers of satellite navigation systems collect more and more data, from the settings of your seat to locations visited. Even if parties are interested in gathering anonymised data only, combining data from various sources still means they are capturing indirectly identifiable data.  After all, even if one uses location data from a satnav system without an identifier, cross-referencing with other data sources increases the likelihood of relating the data to a specific individual, as the car would invariably return to the same address. If this car is used to drive to the local mosque several times during the week, one might conclude that the driver is of the Muslim faith. And if the car is picked up by cameras along the motorway, it is even possible to find out who drove it. It follows that it is possible to collect vast amounts of data, which renders the issue of anonymisation a huge but important task, requiring transparent communication to the data subjects concerned.

In addition, the data collected from connected cars will not relate to their owners or renters but may extend to other passengers or co-drivers. The plurality of data controllers involved increases the attack surface and thus the number of potential vulnerabilities and potential damage in the event of a data breach, when large amounts of data are compromised. The data protection agencies also raise the question as to whether these controllers have regulated their mutual responsibilities to a satisfactory degree.

In summary, they have identified the following concerns:

  • Location data are highly sensitive - measures must be taken to offer a sufficient degree of protection against loss or abuse. External parties involved must be obliged to adhere to these measures
  • As there are so many data subjects involved - e.g. car owners, drivers and passengers - it is important that all of them rather than just the owners are adequately informed about the processing of their personal data
  • The same applies to requesting consent - consent must be obtained from all data subjects involved, not just from the car owner on behalf of all passengers

If you want to know  more about the safe and lawful use of Big Data and smart devices, then feel free to contact Martin Hemmer or Sophie Hendriks.

Sign up for our newsletters