Privacy in the Automobile Industry
Connected devices have penetrated every aspect of our everyday lives—from phones and homes to cars and roads. The modern automotive vehicle comes with a range of features to provide a personalized experience to the users and make their life easier. It offers better performance in terms of safety and accuracy, with easy integration into other systems.
Gartner defines connected cars as automobiles that are capable of bidirectional wireless communication with an external network for the purpose of delivering digital content and services, transmitting telemetry data from the vehicle, enabling remote monitoring and control, or managing in-vehicle systems.
Such cars can connect to the internet and communicate with other devices and vehicles in the vicinity. They are equipped with a range of sensors and equipment like navigation systems, infotainment units, pre-collision systems, emergency response systems, etc. And while performing these functions, these vehicles collect large amounts of data relating to consumer habits and behaviors.
Cars today contain about 100 million lines of software code and the number is expected to reach 300 million by 2030. With the computing power of 20 personal computers, an average car can generate up to 25 gigabytes of data every hour. The many touchpoints associated with the data sets bring in several other players into the picture that collect and use data from these vehicles and their users.
However, an average user is unaware of the type of data that is being transmitted from their car. A typical car trip involves collection of data like internal temperature, presence of passenger in the driver’s seat, location from where the trip began, and goes on to collect data like the song being played on the infotainment system, speed of the vehicle, oil level, etc.
With the various types of data being collected from such vehicles, the number of businesses within the vehicle data industry has also multiplied exponentially. Along with the original equipment manufacturers (OEMs), other parties involved are insurance companies, driving assistance services, ride-sharing companies, infotainment service providers, etc. And apart from the companies providing products and services, there are several third-party data companies that gather vehicle and location data from different sources and sell it to other businesses for analytics.
But the collection of location and movement data can increase the chances of privacy violations, especially when several companies have been found to be collecting more data than they require. Unlike the regulatory atmosphere around smartphones and computers, the connected cars market lacks clear, definitive guidance on the privacy and legal aspects of collecting and using such data.
The global connected car market is projected to grow from $59.70 billion in 2021 to $191.83 billion in 2028. With this growing demand, the industry faces an increasing challenge of meeting customer demands in terms of providing a personalized experience while also complying with the privacy obligations. The privacy challenges are magnified, particularly in this industry, due to the role of different players involved and the different types of data being collected by the vehicles.
In 2021, the European Data Protection Board (EDPB) published the final version of its Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility-related applications. The guidelines focus on incorporating privacy right from the design phase and on providing transparency and control to users in relation to their data. On a similar note, the California Consumer Privacy Act (CCPA) requires companies to disclose how they collect, use, and share personal information. The law also addresses personal vehicle data and certain exemptions for its use by businesses and service providers. For instance, the law exempts from the right to opt out vehicle information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer if the information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall.
Automakers are expected to face growing challenges around the collection and processing of data, its retention, accessibility and storage in the coming years. With the number of vehicles, consumers, manufacturers and service providers expected to rise, we may see the introduction of new and stringent regulations around connected cars.
Let’s discuss some of the problem areas that need focus from the OEMs:
1. Data Collection: Consumers are becoming increasingly concerned about their personal data and aware of their privacy rights. As per a Deloitte survey, six out of ten consumers were somewhat or very concerned if data related to biometrics, data location and app usage, or driving behavior is collected and shared. However, 80% did not mind sharing personal information if a significant value was to be received from their data.
Companies need to be mindful of what data they collect, how it is being used, and who it is being shared with. According to the EDPB, every data processing activity involving personal data collected from terminals in connected cars shall have a legal basis. Almost all data collected from connected cars is likely to be considered personal data as it can be linked to one or more identifiable individuals.
Businesses need to think beyond compliance and shift their focus towards meeting customer expectations and gaining their trust. Automakers need to:
Reconsider their data collection and data sharing practices with consumer privacy at the core. Restrict data collection to the minimal dataset needed for each service.
Develop easy ways for users to exercise their data-related rights and make data subject requests for opt-outs, deletion, access requests, etc.
Provide additional options to users mentioning how their data is used. For instance, non-biometric alternatives should be provided when asking for biometric data.
Incorporate privacy-protective features even when not legally required.
2. Consent: As OEMs are the owners of the data being collected in most cases, they need to inform customers of what data is being collected and secure permissions for the same. OEMs should consider the below suggestions while seeking consent:
OEMs should also consider the different participants, including the owner, driver, or passenger, when seeking consent instead of binding it into the contract of purchase or lease.
Consent must be provided separately for a specific purpose. The data can be processed only for the purpose for which the user has consented and cannot be processed for different purposes without additional consent.
After giving consent, the user should have access to some type of profile management system that would have all the consent-related information for managing it all from a single place. As simple as it is to provide consent, it should be equally easy for someone to withdraw consent.
3. Data Storage: The EDPB recommends that data should be stored and processed locally in the vehicle and must be encrypted. In cases where data must leave the vehicle, it must be either anonymized or pseudonymized to prevent it from being identifiable to an individual. Based on the sensitivity of the data, a Data Protection Impact Assessment (DPIA) can be carried out even if not required by the law.
Recently, US carmaker Tesla began setting up data centers in China to comply with the country’s regulations around data localization. Apart from ensuring data security, some regions mandate strict data localization requirements. The OEMs should evaluate the local laws and regulations and devise a suitable strategy around data storage and sharing.
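An added example, not from the original article or from the EDPB guidelines: a minimal outbound-telemetry filter that combines the consent and data-storage points above (consent tied to a specific purpose, a minimal dataset per service, pseudonymization before data leaves the vehicle). The purpose names, field names, key and sample reading are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed per-purpose allow-lists (data minimization); all names are hypothetical.
PURPOSE_FIELDS = {
    "emergency_call": {"location", "speed_kmh"},
    "usage_based_insurance": {"speed_kmh", "trip_km"},
    "traffic_analytics": {"location", "speed_kmh"},
    "infotainment": {"media_track"},
}
# Constructed sample: a demo key and one raw in-vehicle reading.
KEY = b"constructed-demo-key-not-for-production"
SAMPLE = {"vin": "TESTVIN0000000001", "location": (48.13743, 11.57549),
          "speed_kmh": 62, "trip_km": 14.2, "media_track": "track-17"}


def pseudonym(vin: str, purpose: str, key: bytes) -> str:
    """Keyed, purpose-scoped pseudonym; the key never leaves the controller."""
    msg = f"{purpose}:{vin}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def outbound_record(raw: dict, purpose: str, consents: set, key: bytes):
    """Return the record allowed to leave the vehicle for `purpose`, or None."""
    if purpose not in consents or purpose not in PURPOSE_FIELDS:
        return None  # no consent for this specific purpose: nothing is sent
    # Keep only the fields this service needs; the VIN is never in an allow-list.
    record = {k: v for k, v in raw.items() if k in PURPOSE_FIELDS[purpose]}
    if "location" in record and purpose != "emergency_call":
        # Coarsen to 2 decimals (about 1 km); emergency response keeps precision.
        lat, lon = record["location"]
        record["location"] = (round(lat, 2), round(lon, 2))
    record["subject"] = pseudonym(raw["vin"], purpose, key)
    record["purpose"] = purpose
    return record
```

Withdrawing consent is a matter of removing the purpose from the `consents` set, after which the same call returns `None`. Pseudonymized records remain linkable by whoever holds the key, so the key needs the same protection as the raw identifier.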
4. Data Ownership: As discussed earlier, there are a host of players that collect and use personal data from connected cars. Clearly defined roles to differentiate the controllers, joint controllers, and processors will help establish each party’s legal obligations and liabilities.
Vehicle manufacturers are not the only controllers: certain service providers that process vehicle data, as well as insurance companies, can also be controllers under specific circumstances. In certain situations, the OEMs may act as controllers if they process personal data collected from vehicles for their own purposes.
5. Privacy by Design: Instead of relying on third parties for better regulation and compliance, vehicle manufacturers should take on the onus of defining the privacy landscape in the auto industry. Automakers should embrace privacy by design so that consumers can take back control of their data. Manufacturers need to provide better transparency and control over data processing within the vehicle. Simpler privacy options will ensure that users can easily make changes to consent and data settings.