How Automotive Companies Should Respond to GDPR, CCPA, and other International Privacy Laws

First Reviewed: August 13, 2020
Last Reviewed: August 13, 2020




  • Germany: first GDPR fine against a person working in the public sector, a police officer, of 1,400 EUR ($1,595) for misuse of data for private purposes.
  • France: fine of 20,000 EUR ($22,779) against a small company (9 employees) with negative turnover for CCTV use.
  • EEA-wide: 11 EEA countries have imposed fines under the GDPR totalling 55,955,871 EUR ($63,730,659).

“In January 2019, The French Data Regulator (CNIL) fined Google €50 million ($56 million) for “lack of transparency, inadequate information and lack of valid consent regarding ad personalization.” The regulator deemed that Google had not sufficiently informed users about how they were collecting personal data in order to use this in line with personalized advertising (Article 12(1)). It was deemed by the watchdog that individuals were not able to access all the information regarding Google’s processing operations in a clear format, which resulted in failure of obtaining a clear and informed consent (Article 7). As long as the consent was not validly obtained, the regulator deemed that Google failed to have a valid legal basis to process individuals’ data (Article 6 (1)(a)). So far this is the biggest GDPR fine yet to be issued by a European regulator.”[1]

Article 12 requires transparent information, communication and modalities for the exercise of the rights of the data subject.

Article 7 sets out the conditions for consent.

Article 6(1)(a) provides that one of the conditions for processing to be lawful is that the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Source: General Data Protection Regulation, Official Journal of the European Union.

While Google is not an automotive company, other industries would do well to take a cue from this decision and improve their GDPR compliance.

Does the GDPR have a bearing on the companies and individuals in the United States?

The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, unifies data privacy laws across Europe and strengthens the data privacy of EU citizens. The GDPR is comprehensive legislation affecting every company that processes or controls EU citizens’ data, irrespective of where the company is located; it is therefore legally binding even on U.S. businesses that have global operations, international sites or remote workers.

How does this impact the auto industry?

According to the GDPR, data generated in a vehicle is the property of the driver. This clarification of ownership places a significant data privacy compliance burden on car manufacturers, rental car companies and fleet operators. To make matters worse, Intel estimates that a single self-driving car can generate as much data as about 3,000 people, which means that a million self-driving cars would produce data equivalent to that of 3 billion people. This puts car makers in the hot seat. The sheer volume of data is overwhelming, and it warrants strict compliance regimes not only to avoid heavy GDPR penalties but also to keep the data of trusting customers safe. Data leaks can be seriously damaging to the business and may result in losing the customer base to competitors.

From the standpoint of the auto industries what kind of information is protected by GDPR?

Under the GDPR, no sensitive personal data can be collected without the express consent of the users. This includes biometric data such as voice or fingerprint recognition; behavioural data such as driving patterns, routes and destinations; diagnostic information such as speed and fuel economy; navigation data; and access codes for a garage door, log-in information and any other information stored in the vehicle infotainment system.

Even something as simple as a note saying that a customer has children or a dog would be considered profiling under the GDPR.

Fines and penalties—what to expect?

If either the GDPR or the e-Privacy Regulation is breached, the OEM can be fined up to €10 million ($11.3 million) or 2% of the car manufacturer’s total worldwide annual turnover, whichever is higher. Under certain articles of the GDPR, the maximum penalty can go up to 4% of annual global turnover or €20 million ($22 million), whichever is greater.

Since its implementation, the GDPR has raised the stakes of data protection across the globe. Hefty fines are now being imposed for simple failure to comply with the law.

Which other privacy laws should the automakers watch out for?

  • Wilful defaulters should note that intentional violations of the California Consumer Privacy Act (which takes effect on January 1, 2020) can lead to civil penalties of up to $7,500 for each violation in a lawsuit brought by the California Attorney General on behalf of the people of the State of California. However, enterprises have 30 days after receiving notice of noncompliance from the California Attorney General’s office to cure the violation. If a business does not take steps to cure the violation within that thirty-day period, the violation may be considered intentional.
  • The long arm of data privacy laws is another thing to watch out for. Countries across the globe, big or small, are enacting data privacy legislation that has extraterritorial application.
  • Brazil, the fifth largest country in the world, has passed the General Data Protection Law, which will take effect in February 2020. Thailand, the world’s 50th largest country, has enacted the Personal Data Protection Act (“PDPA”) this year. Like the GDPR, the Brazilian and Thai data privacy laws apply extraterritorially.

Keeping track of all the new laws on the subject in order to avoid regulatory violations or data breaches can be a challenge. It is in the best interest of every business with a global footprint to have a defined roadmap for data protection and data privacy compliance.

LegalEase Solutions offers corporate legal departments and law firms innovative support with regulatory compliance, Contract Lifecycle Management, legal analytics, and legal research and writing. Our team is designed to function as an extension of your legal practice or department, providing you with the capabilities and resources to stay up to date with your needs. If you have a project you need a hand with, feel free to reach out to us at Our team is happy to assist.

