On March 25, 2025, the French data protection authority (“CNIL”) published a draft recommendation on the use of location data from connected vehicles (the “Recommendation” – see here in French). The Recommendation is open for public consultation until May 20, 2025.
- Scope
The Recommendation is meant to help stakeholders of the vehicle industry (e.g., manufacturers, fleet managers offering vehicles for short or long-term rental, suppliers of telematics tools installed in the vehicles, data aggregators and integrators) comply with French privacy rules. It covers some of the most frequent uses of location data in relation to connected vehicles driven by consumers.[1] Purposes of processing covered by the Recommendation include:
- fleet management by vehicle rental companies (management of rental contract execution and service performance);
- personal assistance and vehicle recovery;
- personal assistance in the event of an accident;
- theft prevention; and
- optimization and improvement of products and services (identification of areas for improvement in equipment or services offered).
- General Recommendations
The CNIL first sets out recommendations applicable to all in-scope processing activities. Key topics covered in these general recommendations include:
- Understanding when French data protection and privacy rules apply – in particular, the CNIL highlights that the French cookie rules will apply in case of access to location data from a connected vehicle;
- Identifying an applicable legal basis – the CNIL provides a few examples in which various legal bases (e.g., consent, contractual necessity, legitimate interests) may or may not be relied on. Interestingly, when considering the legitimate interest legal basis, the CNIL only provides examples excluding this legal basis;
- Informing data subjects and facilitating the exercise of their rights – the CNIL recommends, for instance, that information be provided to data subjects in a layered manner and potentially using various formats (e.g., digitally via the system incorporated in the vehicle, via a QR code, on paper, etc.). It also recommends that manufacturers add a simple function to the vehicle enabling data subjects to quickly and easily delete their personal data (e.g., a delete button within the vehicle or in an app used in connection with the vehicle);
- Implementing appropriate security measures – on this point, the CNIL not only refers to various technical standards that may be helpful to address cybersecurity risks (e.g., UN Regulation No 155 and ISO/SAE 21434), but also recommends a number of security measures (such as encryption, authentication and access logs).
- Specific Recommendations
The Recommendation then addresses some more specific use cases, which we have summarized below.
- Anonymization of location data
After reiterating that the anonymization process itself is a processing activity that remains subject to the GDPR, the CNIL provides some practical and technical recommendations for companies seeking to anonymize location data and lists some considerations to take into account when assessing the risk of reidentification.
- Recommendations specific to certain processing activities
The CNIL sets out more detailed recommendations for certain processing activities in the context of the management of a commercial fleet or personal use of a connected vehicle. Such activities include for instance using location data to combat theft, to provide assistance in the event of an accident, or to improve products and services. In each case, the CNIL offers some insight on the role of various stakeholders and conditions for lawfully processing the location data (including by considering how to comply with the French cookie rules depending on the use case and identifying an appropriate legal basis).
- Localization techniques: telematic boxes and data aggregators
The CNIL highlights more specific security considerations with regard to the use of telematic boxes or solutions provided by data aggregators in connected vehicles. Where personal data are shared via an application programming interface (“API”), it refers to the recommendations and guidelines provided in its 2023 guidance on APIs (see here in French). The CNIL also flags some security concerns for providers of telematic boxes and data aggregators to consider when designing their products and services.
- Next steps
Stakeholders (whether from the public or private sector), citizens and civil society may submit their comments on the Recommendation until May 20, 2025. Following this consultation period, the CNIL will examine the comments received and adopt a final version of the Recommendation – although it has not yet provided any estimated timeline for such adoption.
* * *
The Covington team will continue to monitor developments on this topic, and we are happy to assist clients if they have any queries.
[1] The Recommendation thus does not cover uses of location data linked to connected vehicles driven by employees, which the CNIL already addressed in a previous guidance from May 2023 – see here in French.