The CNIL “Connected vehicles” compliance pack: A new personal data protection tool


After several months of work begun in March 2016, the “connected vehicles and personal data” pack released last October by the CNIL constitutes a real “toolbox” for professionals in the automotive sector.

The compliance pack issue

Thanks to this reference framework, professionals in the automotive sector will be able to build personal data protection for their users into their products and, at the same time, comply with the General Data Protection Regulation (GDPR), which will be applicable from May 25th, 2018.

Developed by the CNIL in consultation with both public and private actors of the sector, this pack applies to vehicles equipped with a communication system that communicates with the exterior. While this communication system provides users with a multitude of new services, implementing them requires collecting a considerable amount of data on the driver and the driver's interaction with the road environment.

With this toolkit, the CNIL seeks to raise awareness among professionals of the sector of the personal nature of certain collected data, for which special protection is required under the Computer and Freedom Law of January 6th, 1978 and the GDPR.

Personal data collection

The pack has a protective purpose: the collection of personal data, defined as any information identifying a natural person, is likely to impair the privacy of connected vehicle users. Indeed, there are many risks associated with vehicle connectivity. For example, the geolocation data collected reveals users’ habits, and could lead malicious people to enter their homes in their absence.

Towards a responsible use of data

To encourage more responsible use of data, the CNIL distinguishes three options in its pack and offers professionals guidelines for each, although the first is strongly encouraged by the Commission:

  • The data collected in the vehicle shall remain in it without transmission to the service provider;
  • The data collected in the vehicle is transmitted to the exterior to provide a service to the person concerned;
  • The data is transmitted to the exterior to trigger an automatic action in the vehicle.

By encouraging manufacturers to integrate the protection of the personal data of users of connected vehicles, which produce an average of 1 billion bytes of data per day, this guide ensures transparency and control of data by the user.

The future adaptation of the CNIL pack to autonomous vehicles

While this text anticipates the future of the automotive sector, it is intended to be modified later in order to adapt to autonomous cars, which will produce 30,000 times more bytes of data per day according to Le Monde (a French newspaper). This is because, in the long run, autonomous vehicles will need to constantly capture, analyze and understand their environment, thus becoming truly dependent on the data collected.

Although the pack today applies expressly to connected vehicles, two of its obligations significantly impact the development of autonomous vehicles: data protection from the design stage of the product, governed by the principle of Privacy by Design, and data protection by default, framed by the principle of Security by default.

The design of “Ethics by Design” vehicles in response to the objective of protecting users’ privacy

Indeed, serious consequences on the privacy of users can result from the use of these connected vehicles. Thus, in order to avoid breaches of the principle of protection of privacy and to gain the confidence of users in the use of these new technologies, ethical questions arise and new commitments are necessary. Among these commitments, car manufacturers and suppliers of artificial intelligence platforms could be bound by the obligation to design vehicles considered “Ethics by Design”.

As the pack is intended to evolve with the application of the GDPR and with advances in technology, we recommend that you initiate compliance as soon as possible. With one department dedicated to personal data issues and another with technical skills, Dreyfus and Associates is the ideal partner to assist you in this process of securing the collected data.