
The Privacy Advisor | Fragmented EU labor law will make connected car compliance tricky


When you're considering the compliance implications of the data flowing from connected cars in the EU, don't just think about data protection law — when the cars are being used for work, you'll also have to take labor law into account, and that's where things might get really tricky.

That's the message from Wojciech Wiewiórowski, assistant supervisor at the office of the European Data Protection Supervisor (EDPS), which scrutinizes the privacy implications of EU laws. Speaking on a panel at IAPP's Data Protection Congress 2016 recently, Wiewiórowski pointed out that the new EU General Data Protection Regulation – due to come into effect in May 2018 – leaves labor regulations up to the bloc's member states. That means there are aspects of EU privacy law that won't be harmonized under the GDPR.

Wiewiórowski was referring to a case brought up by fellow panellist Lokke Moerel, senior counsel at Morrison & Foerster. In an October ruling, the Paris Court of Appeal ordered telecoms firm Orange to remove the telematics units from around 20,000 of its company cars, due to its poor practices around the data derived from the units.

The court said the firm was collecting too much data and storing it for too long – three to six years – and its activities were disproportionate to its objectives. Employees were also unable to turn off the tracking outside of working hours, or, if they decided to do so, through collective action.

"[The case] would be answered differently in other countries of the EU, where the employer has a right to monitor driving for the purposes of work," said Wiewiórowski.

The EDPS assistant supervisor noted that there are many outstanding questions when it comes to connected cars, such as the identities of the data controller and data subjects – after all, the Wi-Fi connection in the car may collect data from the passengers: "Who has to do the privacy assessment? Probably the driver – he is the controller." If cars are used by public authorities, is their data up for being requisitioned under freedom-of-information requests, he asked. Can employees access all the data their employers have collected about them?

Interestingly, Wiewiórowski suggested that connected cars were effectively mobile devices. "A lot of the things we issue as the EDPS as far as mobile devices are concerned, as far as bring-your-own-device is concerned, also applies to connected cars," he said.

A particularly interesting topic of discussion was consent, in the context of insurance companies increasingly collecting telematics data for various purposes. David Evans, a data protection officer at re-insurance giant Swiss Re, noted: "As an industry, we are interested in moving from a one-size-fits-all approach to providing coverage to personalized insurance. … Telematics does not tell your insurer whether you are a good or bad driver, but it does help them price the risk."

Insurers now offer discounts to drivers who agree to be monitored, so that the insurers' algorithms can categorize them more precisely according to factors such as braking speeds and whether they drive at night.

"If you do pay-how-you-drive and ask the consent of the individual, how valid is that if we end up with a class of people who have to say yes, otherwise they can't be insured?" asked Moerel.

"Consent is very tricky," said Evans. "We're trying to avoid a situation where people are penalized for not having these devices." He added: "What if I agree because I'm the policy-holder, but my wife wants to turn it off?"

Moerel noted that the regulation of connected cars fell victim to the Collingridge technological dilemma: you can't tell what the effects of a new technology will be until it is widely deployed, but by that point it is so entrenched that it may be difficult to regulate. That, she said, makes it incumbent on those doing the implementing to think of the possible implications down the line.

"Legal compliance is not good enough," she said. "You have to think of the ethical implications … If there are benefits to a new technology, everyone needs access in a fair way."

This isn't just about the goodness of being ethical – it's about ensuring buy-in from customers. "If the goal is to save cost, then individuals will feel like a means to an end," Moerel said. "If you want to make this socially acceptable, you will have to think about a different way to do that and get the benefits to the individual as well. Social acceptance is not a given."

"To make this fly … you will need to make it socially acceptable by giving added value," she added, recalling a U.S. survey that showed 40 percent of respondents would reject such tracking because of a lack of guarantees over what would happen to the data. "For each and every purpose, you need a justification … Only collect the data that is relevant for the actual service."
