On March 24, 2020, the Dutch Supervisory Authority (“SA”) announced the launch of a broad investigation into automobile manufacturers, to determine whether any violations of data protection laws have occurred in relation to connected cars.

The Dutch SA sent a questionnaire to all Netherlands-based car and truck manufacturers, asking what types of personal data they process, how long they keep it, what measures they take to secure it, and with whom they share it. On the basis of the results, the SA intends to engage in dialogue with the sector and, where it deems necessary, initiate enforcement actions.

The SA mentioned in its announcement that it has thus far received few complaints on this topic, which it attributes to a lack of privacy awareness among drivers. The SA also alluded to its current understanding that “much is not properly addressed”.

Finally, the SA acknowledged that many automobile manufacturers do not have headquarters or a “main establishment” in the Netherlands. Therefore, the SA indicated it will share evidence or suspicions of data protection violations with the competent authorities of such manufacturers, for further follow-up action and possible enforcement.

This investigation follows the publication of guidelines for connected car manufacturers by the European Data Protection Board back in February 2020.