IT Security vs Access to Data: Data Privacy in Connected Vehicles
Document GRVA-17-20
22 September 2023
Submitted by FIA Foundation
Previous Documents, Discussions, and Outcomes
5. (d) | Other business

68. The representative of FIA explained (GRVA-17-20) the importance of clarifying rules related to vehicle data access and he illustrated this position with several examples such as refilling AdBlue or replacing a 12-Volt battery: two cases where some manufacturers define such consumables and parts of their vehicles as security relevant and set specific conditions as a prerequisite for repairs.

69. The representative of FIA also presented views on data privacy in connected vehicles. He referred to the study called "Privacy Not Included", by the Mozilla Foundation. He explained that consumers were not informed in detail of the data collected by their vehicles and for what purpose they are used. He stated that, in these conditions, an informed consent by consumers on data collection and data use was not possible. He also stated that consumers were not able to submit consent or revoke consent on single services, due to, e.g., bundles (including bundles that include mandatory updates for safety). He called for privacy-by-design related technical requirements.

70. The representative of SAE International supported the views of FIA.

71. The representative of China supported the concerns expressed by FIA and suggested addressing several items such as personal data protection, videos and images taken inside and outside of the vehicles, including elements such as licence plates or pedestrian faces.

72. The representative of the United Kingdom of Great Britain and Northern Ireland noted the limited scope of WP.29 when it comes to privacy but agreed that new technical items could be addressed.

73. The representative of OICA mentioned that the FIA position was similar to the CITA position expressed at previous sessions. He stated that these considerations were not for GRVA but to be dealt with at national or regional level. The representative of Japan supported the view of the United Kingdom of Great Britain and Northern Ireland and OICA. The representative of AVERE supported OICA and inquired if UN Regulation No. 155 would be the right place for privacy-by-design.

74. The representative of the European Commission mentioned that the fair and lawful collection of data was for national or regional level, but that GRVA could focus on the transparent processing of data.

75. Upon request, the secretariat mentioned that WP.29 already adopted in 2016 guidelines on security-by-design and privacy-by-design, reproduced in Annex 6 to the Consolidated Resolution R.E.3. Noting comments on the lack of information on applicable rules on data privacy, the secretariat offered to contact the leadership of the IWG on ITS to evaluate whether there would be an interest to collect information via that group. The representative of Japan inquired whether this would be the right to tackle this issue. The Chair clarified that this proposal should be limited to collecting information, which would fit under the current mandate of the group.

76. GRVA agreed that the two topics, namely vehicle data access and privacy-by-default, shall be addressed, from the technical side, by the IWG on CS/OTA.

Relates to: Connectivity | Data protection | UN R155 | UN R156