Insurance Black Boxes and the GDPR
I am not a lawyer.
It is possible - just possible - that the inclusion and use of black boxes [such as those fitted in cars by manufacturers] may fail various tests within the GDPR.
Firstly, if it could be shown that the vehicle can continue to function without having to "phone home" large amounts of data, then provisions around the "lawful basis for processing" might come to bear.
Secondly, it is likely that the processing being performed would fail the "transparency" provisions.
Third, I'm not aware of any vehicle manufacturer [this is not true of insurance companies, as a previous post notes] which allows the owner of a vehicle to "opt out" of the data collection.
As others have stated, a significant part of the basis for determining whether or not this data slurping is legal will pivot around vehicle ownership. If you are a company car driver or your vehicle is part of a lease fleet, you are almost certainly out of luck. However, the same is likely to be true if you are buying on any form of credit or hire purchase deal, at least until the vehicle is fully paid for and entirely yours.
But this last scenario brings in another question. Suppose the dealer from whom you buy a vehicle on credit decides to fit extra electronics [i.e. tracking] to the vehicle in case you abscond with it. What happens when you make your final payment? Does that tracker get removed? Can you demand it?
This is going to be a very murky world of conflicting legal opinions until sufficient case law has been hammered out to make sense of it. Even then, I just can't see this going well for the private motorist that doesn't want to be spied upon. The temptations [for manufacturers and governments] are simply too great.