Access to vehicle data – EU Commission answer

Brussels, 9 February 2024

See question(s) : E-003077/2023

EN
E-003077/2023
Answer given by Mr Breton
on behalf of the European Commission
(9.2.2024)
The vehicle manufacturer is responsible for vehicle safety and security in the type-approval framework and access to vehicle data and functions cannot come at the expense of vehicle safety, cybersecurity or data protection. In particular, the vehicle manufacturers are subject to type approval legislation on the protection against cyberattacks, with obligations to identify the risks and threats, to implement mitigating measures, as well as the requirement to hold a cybersecurity management system. They are also liable under the Product Liability Directive¹in case of damages caused by malfunctioning of the vehicle.

Furthermore, insofar as it contains personal data, access to vehicle data remains fully subject to the ePrivacy Directive²and the General Data Protection Regulation³. In particular, the rules of the ePrivacy Directive restrict storing and accessing information stored in the connected vehicles⁴. Furthermore, the ePrivacy Directive protects the confidentiality and security of the data transmitted from or to the vehicle in the electronic communications networks preventing unauthorised interference⁵.

The Data Act⁶establishes clear and fair rules for accessing and using data, including certain vehicle data. It does not impose any particular mode of access to data that would prevent the manufacturer from choosing the way of ensuring compliance and should not affect the manufacturer’s business strategies in this regard. In addition, subject to conditions, the Data Act allows data holders to contractually restrict data access by third parties, if such processing could undermine security requirements of the connected product and result in a serious adverse effect on health, safety or security of natural persons.

1 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31985L0374
2Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
3 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
4 Article 5(3) of the ePrivacy Directive requires the users’ consent to store or gain access to information stored in their terminal equipment, except for the purpose of carrying out the transmission or where it is strictly necessary for the provision of an information society service explicitly requested by a user. The connected cars fall under the scope of terminal equipment, for example, if they are connected to internet; Article 1, Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets in telecommunications terminal equipment, OJ L 162, 21.6.2008, p. 20–26.
5 Articles 4 to 6 of the ePrivacy Directive.
6 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022PC0068

Source: Answer to a written question – Access to vehicle data – E-003077/2023(ASW)

Cookie	Duration	Description
__stripe_mid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
_abck		This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
_wpfuuid		This cookie is used by the WPForms WordPress plugin. The cookie is used to allows the paid version of the plugin to connect entries by the same user and is used for some additional features like the Form Abandonment addon.
ASP.NET_SessionId		Issued by Microsoft's ASP.NET Application, this cookie stores session data during a user's website visit.
AWSALBCORS		This cookie is managed by Amazon Web Services and is used for load balancing.
bm_sz		This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checbox-analytics		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional		The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary		This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor		This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
JSESSIONID		Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy		The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_4L7PKQPHHV		This cookie is installed by Google Analytics.
_ga_T50H0MNN9J		This cookie is installed by Google Analytics.
_gat_gtag_UA_12289088_5		Set by Google to distinguish users.
_gcl_au		Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid		Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
_mcid		No description available.
_swa_u		This cookie is set by the provider Sitewit.com. This cookie is used for statistical report and analysis.
ak_bmsc		No description available.
AWSALB		AWSALB is a cookie generated by the Application load balancer in the Amazon Web Services. It works slightly different from AWSELB.
ec_store_chameleon_font		No description available.
FCCDCF		No description available.
issuem_lp		No description available.
lp_us_his		No description
m		No description available.