When is data concerning health?

A29WP describes scenarios when the data is concerning health in the Opinion of 2015, which advised on namely health data in apps and devices, which is relevant also for the new GDPR and processing of data from vehicles.

The first scenario is when the health data is “clearly medical data”, which contains data of physical and mental health and generated in a “professional, medical context”.¹⁵⁶ The second example of health data is if “the data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person”. If sensor data of someone’s heart rate, age and gender are stored together, but it is not in fact being used to draw a conclusion of the health, it is not “concerning health”.

Nevertheless, raw sensor data can be personal data, and even lead to revealing one of the other sensitive information that is prohibited.

If “conclusions are drawn about a person’s health status or health risk”, the data is also considered health data, regardless if the raw sensor data is considered as data concerning health.

What determines if the data qualifies to be health data, is if the data are used to draw conclusions on the drivers’ health or health risk. Data that, to begin with, merely reveals when a person uses the vehicle and where the person drives, can become such health data when, for instance, uses that data to draw a conclusion of the persons health. For instance, if a health insurer company retrieves data on the eye. The health insurer will then be a controller in the terms of the law, who must comply with the GDPR.

Data of eye movement can only be processed if the requirements of exception are fulfilled.¹⁵⁷ The processor must have explicit consent from the data subject that they can process the data of the driver’s eye movement with the purpose of drawing health conclusions.¹⁵⁸

There are other exceptions opening up for processing sensitive data pursuant to Art. 9 (2), where the most relevant to mention is where the national law in the state conciders processing of such data necessary “for reasons of substantial public interest” without otherwise come in conflict with data protection law.¹⁵⁹

156 A29WP 2015, Annex by letter – health data in apps and device, p. 2.

157 Art. 9 (2) (a)

158 See chapter 4 on terms of consent, and explicit consent under this thesis

159 GDPR Article 9 (2) (g)

Many technologies in vehicles processing raw data that is or potentially can be health data increases road safety, for instance. Road safety is in the public interest, and even an issue emphasized by the European working groups who aims for less fatalities in the traffic on roads in Europe (Vision Zero). ¹⁶⁰

In many situations, especially if there is not a legitimate interest to process the data, the data controller will have to depend on the free choice of the data subject themselves: explicit consent¹⁶¹, which is assessed further in chapter 4.

There are such massive amounts of data being generated in vehicles that in certain circumstances lead to sensitive data, or that the technology itself requires processing of sensitive data (for instance software recognizing eye movement or open the door with fingerprint).¹⁶² Even more so in the nearest future, with more intelligent solutions and increasing automation of vehicles, generating more data in even bigger amount. Controllers must also be aware that some personal data, which at first sight is not sensitive, nevertheless has the potential to become sensitive data.¹⁶³

The address of a hospital will isolated not identify a person, as it is simply a name of a street.

However, when processed from a vehicle to an external cloud-based service, the address can reveal the location of the driver, which means that it will be personal data pursuant to Art. 4 (1).¹⁶⁴ Furthermore, those data can potentially reveal information about the health of the driver, for instance, if added with other data, such as eye movement data of the driver. That will mean that due to the circumstances, it must be considered as health data and be processed data pursuant to the rules of sensitive data in Art. 9 (1).

To answer the main question under this chapter, data processed in or from a vehicle is therefore subject to the GDPR if it is personal, meaning if it can reveal the identity of the driver. As most vehicles today are connected and process a huge amount of data, controllers of this data are most likely to process data that is identifying the driver, either alone or together with other data, also held by third parties. The controller of a vehicle must therefore assess whether the data

160 COM (2011) 144 final, p. 10. See also COM (2018) 293 final, ANNEX 1

161 Article 9 (2) (a).

162 EDPB Guidelines 01/2020, v2.0, p.

163 A29WP (2011) Advice paper on special categories of data, p. 6.; “data which by its nature contains sensitive information (…)”, but also “data from which sensitive information with regard to an individual can be concluded”.

164 ART29WP 203 Opinion 03/2013, p. 46, and Schartum et al (2014) p. 127

they process can identify the driver, independent of whether the car has several drivers, because the information relating to the cars also relates to the person using the car. If the data can identify the user of the car, the data is personal, and the processing must be in accordance with the other rules of the GDPR. Furthermore, the controller must assess if the data is or can lead to sensitive information, to determine which ground should be applied to lawfully process the data.

4 The concept of consent

4.1 What is required of a consent as a legal ground to process personal data in vehicles?

Chapter two in the GDPR sets out the principles of processing personal data. According to Art.

6, the processor must have a valid lawful ground for processing the personal data.

There are six different alternatives to process personal data on a lawful ground in Art. 6 first paragraph. Only the first one, consent (a), is based upon a voluntarily action from the data subject. The other grounds are based on the necessity of different reasons: to comply with a contract (which is voluntary to begin with) (b); compliance with a legal obligation that the controller is subject to (c); protect vital interests (d); a task carried out in the public interest or in the exercise of official authority vested in the controller (e); and legitimate interest (f). The list is exhaustive, meaning that one of these listed grounds must apply.

Several solutions and services in vehicles process data from the car, for instance, lane assist, automatic break-system among others, provide improved road safety to different extents. In a sense, processing of such data is therefore “necessary” in order to protect the person. However, it is not necessary in the sense of “vital” interests as the Regulation means to cover. Another alternative that might apply, is if the data controller has “legitimate interests” to process the personal data. If they can`t show to a legitimate interest, the processing must be based on the consent of the data subject; the driver, and that is the topic for the following discussion.

The implication under the GDPR on this regard is among many: when a consent is possible or mandatory as a legal ground for the processing; what necessitates consent; and what conditions must be fulfilled to obtain the consent lawfully.¹⁶⁵ The most relevant lawful ground for

165 A29WP 187 Opinion 15/2011, p. 3.

processing in the purpose of this thesis is, therefore, consent¹⁶⁶ and often in addition to a contract between the driver and, for instance, the seller of the car, which will be addressed shortly.

As technology develops and vehicles process data in an increasing speed and amount through built-in sensors, applications and other offline and online methods and software, this comes with a greater need to inform and build trust with the driver. This necessitates a firm and strict regulation to protect the drivers as data subjects, as well as to raise awareness of the extent of the processing and to give control and to decide over their own data.

In the following, the conditions of consent in general will be analyzed, with some practical aspects of complying with the examples of use of consent as a legal ground to process personal data in vehicles; and when it is not necessary or possible to use consent as legal ground.

The term “consent” is defined in Art. 4 (11) as

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The definition and terms of a valid obtained consent must be read in conjunction with the principles applied to the processing of personal data in general. Of particular importance in regards to consent is Art. 5, such as the principle of processing data lawfully, fairly and transparent (a); to only collect the data that are for specified, explicit and legitimate purposes (purpose limitation, letter b); and to only collect data on what is necessary (data minimization, letter c). These principles apply regardless of the lawful ground, which means that consent does not preclude the controller’s duties laid down in the principles. EDPB highlights that consent

“would not legitimise a collection of data, which is not necessary in relation to a specified purpose of processing and be fundamentally unfair”.¹⁶⁷ The consent is therefore to be regarded as an additional condition for processing.

In addition, Art. 7 is of importance as it dictates “conditions for consent” and will be addressed where relevant for the understanding of “consent”.

166 But other can be relevant too, see A29WP 187, Opinion 15/2011, p. 8.

167 EDPB Guidelines 05/2020 on consent, p. 5.

The starting point for the following analysis is the formulation in Art. 4 (11). The other relevant provisions, recitals and expert opinions will be addressed where its relevant and necessary to clarify the criteria of consent.

The provision in Art. 4 (11) states four cumulative criteria for the consent to be valid. It must be freely given, specific, informed, and unambiguous indication of the data subject's wishes.