Telematics services for connected vehicles offer substantial benefits for fleet managers, with the potential to increase vehicle uptime and productivity, reduce maintenance costs, and improve efficiency. This has led to vehicle tracking becoming widespread in the past few years, at least in the commercial sphere. However, we've seen a flurry of decisions across the EU this year which demonstrate that it's still important to remember your GDPR basics, rather than collecting all the data you can because it might prove interesting and only then deciding what to do with it.
April saw the publication of a decision by the French Cour de Cassation relating to the dismissal of an employee for gross misconduct, based on the use of geolocation data from his company vehicle. The data showed he had been driving very long distances to return home almost every day, which allegedly added more than 250km per day to his truck’s mileage, as well as creating risks from tiredness because he spent so long driving. Crucially these journeys home, and therefore the tracking of his location, took place outside his working hours. The Cour de Cassation overturned an Appeal Court decision on the basis that the Appeal Court had failed to consider whether this evidence was admissible, given that it had been collected in violation of the employee’s right to privacy. The decision referenced a CNIL “deliberation” from 2015 setting out when it was permissible to process geolocation data relating to an employee. This expressly prohibited “location data outside the driver's working time, in particular during journeys made between his home and his place of work or during his breaks.“
A recent Belgian complaint related to disciplinary action against a public employee, where the tracking data showed his car had stopped at addresses such as his mother’s and a bar during working hours. The employee complained that he had not been aware of the GPS tracking. The Belgian DPA found the public authority had breached GDPR in a number of respects, including transparency, but upheld its right to carry out the tracking on the basis of a task carried out in the public interest[1], as there was a public interest in the efficient use of scarce government resources. The decision recognised that the processing took place under specific parameters, such as only during working hours, and the number of people who could access the data was strictly limited.
A further illustration of the importance of proportionality is a fine imposed by the CNIL on an e-scooter company for excessive collection of location data. The company collected location data every 30 seconds when the scooter was active and every 15 minutes when it was not. The CNIL considered the various purposes for which the company said it needed the location data (which included handling traffic offences and theft), and concluded that none of them justified the frequency of the collection.
The above decisions are all based around points which tend to be the province of lawyers: what's your lawful basis for processing? What's an appropriate amount of data to collect? Have you completed a DPIA? In contrast, two Italian fines (which relate to the same complaint) demonstrate the importance of getting the operational processes right. In this case a delivery driver complained because he'd found a plug-in device ("PID") in his vehicle. The PID was operated by Verizon, but seems to have been placed there on the instructions of a third company, Giessegi. We say "seems" because no one appears to have had a record of how the PID came to be in the complainant's vehicle, but the complainant had previously been contracted to provide delivery services to Giessegi, and Giessegi had used Verizon to track the mileage of third-party delivery drivers to ensure it wasn't overcharged. The PID continued to transmit data to Giessegi for 18 months after its arrangement with the driver had ceased, and it remained in place even after Giessegi's relationship with Verizon terminated, apparently because no one at either company felt responsible for deactivating devices.
The Garante's investigation uncovered some "legal" failings, such as failing to carry out a DPIA and not having an appropriate controller/processor contract. But the case also illustrates how important it is for companies to get their administrative processes right. Giessegi couldn't demonstrate that the driver had received notice of the PID's installation because it hadn't kept records; it also failed to remove the PID because it had no record of it; and Verizon continued to collect data from the PID when it was no longer being asked to do so. If the companies involved had managed use of the PID appropriately, and removed it or switched it off at the appropriate time, it's quite possible the other failings would never have come to light. So when looking at data protection compliance around telematics, don't overlook your implementation processes: keep an inventory of installed devices, record who was notified and when, and assign clear responsibility for deactivation when a contract ends.
[1] As a public authority it couldn't rely on legitimate interest: Article 6(1)(f) GDPR does not apply to processing carried out by public authorities in the performance of their tasks, so the relevant basis is Article 6(1)(e).