Removing data from used cars – whose job is it?

When used cars are part-exchanged by individual customers, or de-fleeted by (for example) hire or lease companies before being sold through auction houses, it is all too common to find that many still retain a great deal of personal data on their in-car infotainment systems, be it a name attached to a music playlist, satnav location data or, in some cases, even mobile phone contact lists.

Common sense suggests that customers would usually be keen to remove any such data before a vehicle is handed over. Wholesale buyers might even try to oblige such customers in their purchase contracts to do so, or at least to understand the consequences of not doing so.

But whose legal responsibility is it to erase personal data stored in vehicles for the purposes of UK GDPR and e-Privacy laws, and what are the sanctions for non-compliance? The following article considers these two fundamental questions in more depth.

The starting point is the Data Protection Act 2018 (“DPA”) and the UK General Data Protection Regulation (UK GDPR), representing the two most important UK laws in this area.

Deletion of Personal Data

The general right to the erasure of personal data is dealt with under Article 17(1) of the UK GDPR and states that:

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” where one of six grounds applies.

The grounds most relevant to the erasure of personal data in motor vehicles are where:

a.     the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

b.     the data subject withdraws consent on which the processing is based (and there is no other lawful basis for processing the data);

c.     the data subject objects to the processing (and there are no overriding legitimate grounds for continuing the processing); or

d.     the personal data has been unlawfully processed.

It is important when interpreting Article 17(1) UK GDPR, and the data regulations generally, to clearly identify who the data subject and controller are and what constitutes personal data.

A data subject is defined under Section 5(1) DPA and Article 4(1) GDPR as the identified or identifiable natural person, whose personal data is being processed and to whom personal data relates.

The data controller is defined under Section 6 DPA and Article 4(7) GDPR as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, including the following:

  • Companies or other legal entities such as incorporated partnerships, incorporated associations, or public authorities; or
  • Individuals such as sole traders, partners in an unincorporated partnership, or self-employed professionals.

Personal Data is defined under Section 5(1) DPA and Article 4(1) GDPR as any information that relates to the data subject.

The UK’s Information Commissioner’s Office (“ICO”) confirmed in its guide ‘What is personal data?’ that any information relating to an identifiable natural person, whether processed manually or by automated means, will constitute ‘personal data’ for the purposes of the DPA 2018 and UK GDPR.

Article 17(1) UK GDPR therefore stipulates that unless any exceptions apply, both the data subject and the controller have a right to deletion, but, ultimately, it is the responsibility of the controller to actively delete personal data.

In the context of motor vehicles, situations in which a data controller would not be obliged to delete personal data appear, on the face of it, to be quite rare. A controller will be hard pressed to argue that retaining such personal data in a vehicle prior to re-sale is necessary for the purpose for which it was collected or otherwise processed, which is the first ground under Article 17(1) UK GDPR. In other words, they will almost always be obliged to erase such data upon handoff or sale.

Comparative European Laws

The UK laws regarding data erasure are echoed by the European Data Protection Board, whose guidance, whilst no longer directly applicable to UK law post-Brexit, provides a very useful steer on how GDPR and e-Privacy laws apply specifically to the automotive sector.

The Guideline 01/2020 on processing personal data in the context of vehicles clearly identifies that car companies have effective control over the processing of data and, as such, they have the responsibility to ensure its confidentiality. In other words, the personal information stored in the dashboard must be deleted by the car company at every handoff or sale. Not doing so constitutes a breach of EU GDPR and e-Privacy laws.

Whilst such guidelines only pertain to EU Member States, it is important to note that almost all of the EU GDPR has been adopted and replicated in the UK; thus, such guidelines are still a useful resource and illustrate a united front in respect of data laws across multiple European jurisdictions. So, whilst the UK does not have such definitive guidelines regarding data stored in motor vehicles, it is highly likely that guidance from the EU will remain applicable until such specific guidelines are introduced.

It is unclear whether traders and retailers in the automotive sector fully appreciate their responsibilities, or if they do, how seriously they are prepared to take them. Sanctions for non-compliance are extremely serious. Whilst some infringements might only attract the likes of warnings, reprimands or bans on data processing, fines of the higher of 4% of global turnover or £17.5m are theoretically possible. Time will tell whether the ICO imposes such sanctions. Until then, the sector needs to be alive to the threat and take active steps to ensure personal data is deleted in compliance with the DPA and UK GDPR.

If you have any queries regarding data regulation and e-privacy laws relating to automotives, please get in touch with the Commercial Dispute Resolution Team and we would be happy to assist you.
