E-003077/2023
Answer given by Mr Breton
on behalf of the European Commission
(9.2.2024)
The vehicle manufacturer is responsible for vehicle safety and security in the type-approval framework and access to vehicle data and functions cannot come at the expense of vehicle safety, cybersecurity or data protection. In particular, the vehicle manufacturers are subject to type approval legislation on the protection against cyberattacks, with obligations to identify the risks and threats, to implement mitigating measures, as well as the requirement to hold a cybersecurity management system. They are also liable under the Product Liability Directive1 in case of damages caused by malfunctioning of the vehicle.
1 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31985L0374
2Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
3 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
4 Article 5(3) of the ePrivacy Directive requires the users’ consent to store or gain access to information stored in their terminal equipment, except for the purpose of carrying out the transmission or where it is strictly necessary for the provision of an information society service explicitly requested by a user. The connected cars fall under the scope of terminal equipment, for example, if they are connected to internet; Article 1, Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets in telecommunications terminal equipment, OJ L 162, 21.6.2008, p. 20–26.
5 Articles 4 to 6 of the ePrivacy Directive.
6 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022PC0068