Vehicle tracking: French DPA sanction
Frédéric Saffroy and Alice Bastien
The processing of vehicle geolocation data has become a major stake for companies in many sectors: transport, logistics, vehicle rental, fleet management, insurance and vehicle financing, predictive maintenance, protection against theft, etc. This data allows them to manage in real time and anticipate the need for personnel and vehicles, to assist the user, to track journeys made, to invoice services (car-sharing, rental, financing, insurance), to identify – and block – stolen vehicles or to deal with traffic violations.
However, this data reveals the private lives of users of connected vehicles (construction equipment, buses, trucks, cars, motorcycles, mopeds, bicycles, e-scooters, etc.). Their processing (collection, analysis, use, storage, etc.) therefore raises major questions in terms of personal data protection and respect for fundamental rights and freedoms.
- A strict framework provided by the GDPR and the guidelines
As early as 2006, the French Data Privacy Agency (“CNIL”) regulated the geolocation of employees’ vehicles (special rule “NS-051”, amended in 2015). After the adoption of the General Data Protection Regulation 2016/679 of April 27, 2016 (“GDPR”), guidelines were developed to regulate the collection and processing of geolocation data.
In France, the CNIL published a “Connected Vehicles and Personal Data” compliance pack in 2017 recalling the key principles to be respected with regard to Law No. 78-17 of January 6, 1978, as amended (French “Data Privacy Act”) and the GDPR. These principles include the obligation to have a legal basis, fairness in the collection of data, a legitimate purpose, application of the principle of proportionality, a limited retention period and the implementation of security measures.
The following year, the CNIL published guidelines on the geolocation of employees’ vehicles, replacing NS-051. Geolocation devices installed in vehicles provided to employees may not be used to monitor compliance with speed limits, control employees or calculate their working hours. Their rights must also be respected (information on the processing, the purpose, the legal basis, the duration, as well as the rights of access, rectification, deletion, and opposition) and the employee representative institutions shall be consulted.
In 2020, the European guidelines 01/2020 on geolocation data for connected vehicles and mobility-related applications were published. Strongly inspired by the CNIL guidelines, they set a European interpretative framework for the collection, processing, and use of geolocation data.
After recalling that the processing of location data raises concern as their “increasingly intrusive nature can put a strain on the current possibilities to remain anonymous”, the European Data Protection Board (“EDPB”) specified that vehicle and equipment manufacturers, service providers and other data controllers must be vigilant with regard to geolocation data, which can reveal life habits and infer the place of work, the residence, and even sensitive information, such as religion or sexual orientation. Location data should therefore not be collected unless absolutely necessary for the purpose of the processing.
Like the CNIL, the EDPB specifies that the collection of geolocation data shall comply with the following principles:
- an adequate setting of the frequency of access to the location data collected and the accuracy of such data in relation to the purpose of the processing,
- the provision of detailed information on the purposes of the processing,
- when the processing is based on consent, the collection of a valid consent (free, specific, and informed) distinct from the general terms of sale or use,
- the activation of location only when the user initiates a functionality that requires knowledge of the vehicle’s location, and
- setting a limited retention period.
Although these guidelines are not binding, the CNIL expressly referred to them in its sanction decision of March 16, 2023, against the company Cityscoot.
- The sanction against Cityscoot
Cityscoot is an electric moped rental company. These mopeds are equipped with electronic boxes containing a SIM card and a GPS geolocation system, which collects geolocation data every 30 seconds when the scooter is active and its dashboard is turned on.
The data is collected for the following purposes: processing of traffic violations, processing of customer complaints, user support (calling for help in case of a user’s fall), management of claims and theft. They are stored in three separate databases: a “moped database”, containing the data collected by the sensors attached to the moped; a “reservation database”, containing the dates and times of the beginning and end of each rental; and a “customer database” containing the data used to manage the billing.
The CNIL considers that this geolocation data is personal data, as long as it is possible to reconcile the company’s different databases, making it possible to assign positions or a route to a user.
In its decision, the CNIL considers that “none of the purposes put forward by the company justifies the collection of geolocation data every 30 seconds during the rental of a moped and the conservation of this data” and that “such a practice is indeed very intrusive in the private life of the users insofar as it is likely to reveal their movements, their places of frequentation, the totality of the stops carried out during a route, which amounts to questioning their freedom to circulate anonymously”.
Concerning the end of the rental and the resulting billing complaints, the CNIL notes that it would be possible “to put in place alternative and less intrusive mechanisms allowing the company to ensure that the user has indeed ended the rental or, on the contrary, to warn her/him when this is not the case, for example by sending a text message or confirming, through an alert via the application, that the rental has ended”.
For the management of traffic fines, the CNIL’s panel considers that “the collection and storage of moped position data every 30 seconds is excessive insofar as it concerns all the mopeds rented by the company, whereas it only serves an incidental purpose in the event that a user would need this data to contest a traffic violation”.
Similarly, only the last known position of the moped is necessary for the management of theft during a rental period. This assumption “is not sufficient to justify the collection of geolocation data every 30 seconds of all the users’ journeys”.
Finally, “the technical notification of the moped being too inclined or the call from the user” is sufficient to inform Cityscoot of an accident, in order to assist a user. Geolocation is therefore neither adequate nor relevant for this purpose.
As a result, the CNIL has imposed a fine of 125,000 euros on Cityscoot for breaches of Articles 5(1)(c) and 28(3) of the GDPR and a fine of 25,000 euros for the breach of Article 82 of the French Data Privacy Act.
This decision is in line with the one of July 7, 2022, against Ubeeqo, Europcar’s car-sharing subsidiary.
It is therefore incumbent on mobility actors implementing geolocation to strictly respect the following principles:
- obtaining a specific consent from the user that is distinct from the general conditions of sale or use;
- adequate configuration of the conditions of geolocation relative to the purpose of processing (activation/deactivation, frequency, accuracy, etc.);
- the option to deactivate geolocation at any time (if consistent with the service provided);
- activating geolocation only when the user launches a functionality that requires the vehicle’s location to be known, and not by default and continuously;
- informing the user that geolocation has been activated, in particular by using icons in the app and/or on the vehicle dashboard;
- providing accurate information on the purpose of processing;
- defining a limited storage period.
For further information, please contact Alerion Privacy Team.
 https://edpb.europa.eu/system/files/2021-03/edpb_guidelines_202001_connected_vehicles_v2.0_adopted_en.pdf (version 2.0 of March 9, 2021)
 Decision SAN-2023-003 of March 16, 2023 regarding the company Cityscoot