French DPA Publishes a Compliance Pack Regarding Connected Vehicles

2 Minute Read

October 27, 2017

Categories: Information Security, International

On October 17, 2017, the French Data Protection Authority (“CNIL”), after a consultation with multiple industry participants that was launched on March 23, 2016, published its compliance pack on connected vehicles (the “Pack”) in line with its report of October 3, 2016. The Pack applies to connected vehicles for private use only (not to Intelligent Transport Systems), and describes the main principles data controllers must adhere to under both the current French legislation and the EU General Data Protection Regulation (“GDPR”).

The CNIL distinguishes between the following three scenarios:

1. “IN -> IN” scenario

The data collected in the vehicle remains in that vehicle and is not shared with a service provider (e.g., an eco-driving solution that processes data directly in the vehicle to display eco-driving tips in real time on the vehicle’s dashboard).

2. “IN -> OUT” scenario

The data collected in the vehicle is shared outside of the vehicle for the purposes of providing a specific service to the individual (e.g., when a pay-as-you-drive contract is purchased from an insurance company).

3. “IN -> OUT -> IN” scenario

The data collected in the vehicle is shared outside of the vehicle to trigger an automatic action by the vehicle (e.g., in the context of a traffic solution that calculates a new route following a car incident).

In addition to listing the provisions already included in its report of October 3, 2016, the CNIL analyzes in detail the three scenarios described above and provides recommendations on the:

purposes for which the data can be processed;
legal bases controllers can rely upon;
types of data that can be collected;
required retention period;
recipients of the data and use of processors;
content of the notice to data subjects;
applicable rights of individuals with respect to the processing;
security measures to adopt; and
registration obligations that may arise under current law.

Beyond being a helpful guide for data controllers to refer to when implementing such tools in vehicles, the Pack might help preview how supervisory authorities will interpret various GDPR provisions.

Tags: CNIL, Compliance, Data Controller, Data Processor, Data Protection Authority, France, GDPR, Personal Data

You May Also Be Interested In

3 Minute Read

March 30, 2026

Connecticut AG Clarifies AI Compliance Obligations Under CTDPA

The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.

2 Minute Read

February 23, 2026

Data Protection Authorities Globally Highlight Privacy Issues in AI Image Generation

On February 23, 2026, a Joint Statement on AI-Generated Imagery was published by 61 data protection authorities. The Joint Statement addresses concerns regarding AI systems capable of generating realistic images and videos depicting identifiable individuals without their knowledge or consent.

6 Minute Read

February 20, 2026

NetChoice Files Suit Challenging South Carolina Age-Appropriate Code Design

On February 9, 2026, trade association NetChoice filed a lawsuit challenging South Carolina’s newly passed Age-Appropriate Code Design (“SC AACD”) on First and Fourteenth Amendment grounds. The SC AACD was signed into law on February 5, 2026, making South Carolina the fifth U.S. state to enact such a law, following California, Maryland, Nebraska and Vermont.

2 Minute Read

February 12, 2026

Congress Extends Cybersecurity Information Sharing Act of 2015 through September 2026

Congress has extended the Cybersecurity Information Sharing Act of 2015 through September 30, 2026 as part of the Consolidated Appropriations Act, a government funding package enacted in early February 2026.

Privacy & Cybersecurity Law Blog

You May Also Be Interested In

Search

Recent Posts

Categories

Tags

Archives