Conference Data Protection Impact Assessment: the case of connected cars

November 2021

This 22nd Meeting, co-organized by the Values and Policies of Personal Information (VP-IP) Chair and the Connected Cars and Cyber Security (C3S) Chair, aimed to present the research report of the C3S and VP-IP Chairs on Data Protection Impact Analysis: the case of connected cars, as well as the companion document.

¬ PROGRAM

10:00 am: Presentation of the C3S and VP-IP Chairs

François Pistre, Chairman of the C3S Chair Steering Committee, Romain Galesne-Fontaine, Chairman of the VP-IP Chair Steering Committee, Rida Khatoun, Co-Chairman of the C3S Chair, Claire Levallois-Barth, VP-IP Chair Coordinator.

10:10 am: Presentation of the report Analyse d'Impact pour la Protection des Données : le cas des voitures connectées by its authors

Claire Levallois-Barth, VP-IP Chair Coordinator and teacher-researcher at Télécom Paris and Jonathan Keller, Law Engineer, Institut Mines-Télécom/Télécom Paris

10:45 am: Presentation of the electronic document accompanying the Data Protection Impact Assessment report: the case of connected cars

Aymeric Poulain-Maubant, consultant, trainer & lecturer in the digital sector

11:00 am: Round table discussion moderated by Florian Damas (Nokia) and Claire Levallois-Barth with the participation of:

  • Thomas Moreau, Data Protection Lawyer, CNIL
  • Antonio Kung, President, Trialog
  • Cidalia Beleza, Data Protection Officer, Renault
  • Jonathan Keller

12:00 am: Discussion with the audience

¬ THE REPORT (FR) Data Protection Impact Assessment: the case of connected cars

This report, written by Claire Levallois and Jonathan Keller, deals with the interaction between the Data Protection Impact Assessment (DPIA) arising from a legal obligation imposed by the GDPR and the operational needs of the automotive sector. Indeed, data flows in the automotive sector have become more complex, with vehicle connectivity transforming the vehicle into an informational platform raising new issues, particularly with regard to identifying data subjects and regulating the sharing of personal data.

Against this backdrop, the :

  • Mapping the flow of personal data within the ecosystem of a connected vehicle,
  • Then identifying the risks associated with the creation and use of personal data,
  • In order to determine the methodologies that can optimally reduce these risks.

More specifically, with the industrial partners of the C3S Chair, we have defined a practical case (called “Biomem”) comprising three hypotheses (“Biomem-constructeur”, “Biomem-Indé” and “Biomem-VOD”). Based on these three hypotheses, we applied four impact analysis methodologies, namely:

  • The CNIL's personal data protection impact assessment,
  • An institutional methodology developed by the German Bundesamt für Sicherheit in der Informationstechnik (BSI),
  • The privacy impact assessment proposed by the US National Institute of Science and Technology (NIST),
  • The Privacy Risk Analysis Methodology by Daniel Le Métayer and Sourya Joyee De of INRIA.

We have thus compared these methodologies and determined their strengths and weaknesses in terms of respect for the rights and freedoms of data subjects.

The third, legal, part of the report deals with the judicialization of risks linked to personal data. It deals with the assessment of risks by the European courts (European Court of Human Rights and Court of Justice of the European Union) and, in the case of the European Court of Human Rights, the European Court of Justice.

¬ SPEAKERS

Thomas Moreau

Twitter: @CNIL

Thomas Moreau is a lawyer in the Economic Affairs Department of the Commission Nationale Informatique et Libertés (CNIL). He is in charge of the Transport and Energy sectors. In this capacity, he monitors all files related to connected vehicles. Before joining the CNIL in 2019, he worked for 16 years in the telecoms sector, notably as head of regulatory affairs at SFR.

Antonio Kung

Twitter: @antoniokung

Antonio Kung is co-founder of Trialog. With over 30 years' experience in cyber-physical systems and the Internet of Things, he brings expertise and know-how in architecture, interoperability, security and data protection. He has been coordinator of numerous collaborative projects in France and Europe in these fields. He is active in standardization on the Internet of Things, data security and protection, notably the editor of ISO/IEC standards 27550 (published), 27556, 27561 - POMME, 27570 (published), 21823-3, and 30149. In 2018, he became a Senior Partner of Trialog and serves as its President. Antonio Kung is a graduate of Harvard University and Ecole Centrale Paris.

Cidalia Beleza

Twitter: @renaultgroup

Cidalia Beleza is Group Data Protection Officer at Renault Group. She joined Renault after working as a lawyer at DLA Piper and Hogan Lovells, at Hewlett Packard, and most recently as General Counsel of IQVIA, the world's leading technological data management company in the healthcare sector. Ms. Cidalia Beleza acted as IQVIA's relay DPO for France and in this capacity was responsible for bringing the company into compliance with the GDPR, in direct liaison with the CNIL.

Florian Damas

Twitter: @florianorama

Mr. Florian Damas is in charge of policy and regulatory affairs, responsible for developing Nokia's positions and thinking on key regulatory issues. He advises regulators and competition authorities to ensure infrastructure interoperability and competition. He works with governments to support national broadband plans and maximize the economic and societal benefits of ICT.

Jonathan Keller

Jonathan Keller holds a doctorate in public law, and is a research engineer for Axis 5 “Protection of personal data involved in the connected vehicle” at the Connected cars and Cyber Security (C3S) Chair at Télécom Paris.

He is a research associate at the Values and Politics of Personal Information Chair at Institut Mines-Télécom.

Claire Levallois-Barth

Twitter: @CVPIP

Claire Levallois-Barth is a lecturer and researcher in law at Télécom. She is the Coordinator of the IMT Chair Values and Policies of Personal Information and the IMT manager of the Living Lab 5G program. She is responsible for Axis 5, Protection of personal data involved in the connected vehicle, of the “Connected Cars & Cyber Security” (C3S) Chair at Télécom Paris.

Claire Levallois-Barth is a member of the Comité national pilote d'éthique du numérique, the scientific committee of the Forum International de la Cybersécurité (FIC), AXA's Data Privacy Expert Panel, Pôle Emploi's Artificial Intelligence Ethics Committee and Orange's Data and AI Ethics Committee.

¬ WITH THE SUPPORT OF THE SPONSORS, PARTNERS AND MEMBER SCHOOLS OF THE VP-IP AND C3S CHAIRS

 

Chaire Valeurs et Politiques des Informations Personnelles

Chaire Connected cars and Cyber Security
