Implications of privacy laws and connected cars
New research shows that there are major privacy implications in today’s connected vehicles. Here, Garikayi Madzudzo, Advanced Cybersecurity Research Scientist at HORIBA MIRA, explores where our work can help manufacturers in implementing best practice.
When the General Data Protection Regulation (GDPR) was introduced in May 2018, it was a step-change which overhauled the way in which businesses processed and handled personal data. It also brought about awareness of the importance of privacy and the protection of personal data to the general public.
This issue has only grown more significant with the accelerating pace of connected technology deployment in vehicles, with everything from connected applications, telematics, black-box insurance to mobile phone use.
Industry Leading Insights
In-vehicle data collection and processing has increased in content type and volume, and now encompasses a vast array of personal information including phone numbers, address books, emails, location history, browsing history, preferences and driving habits. This collection and processing also takes place in a complex ecosystem, including not just the vehicle but the phones, the networks and, ultimately, the infrastructure it connects to.
Furthermore, industry sources estimate that on average about 480 Terabytes (TB) of data was collected by every automotive manufacturer in 2013, and it is expected that this will increase to 11.1 Petabytes (PB) per year by 2021 (a petabyte is about one million gigabytes). Looking into the future, it is predicted that connected vehicles will create up to 4,000GB of data per day that is over 1400TB of data per year. With such large volumes of personal information being collected, it is inevitable that privacy will be a challenge. All the above will only increase with the rise of connected and autonomous vehicles.
Thus, recognising the importance of user privacy in connected vehicles, we conducted pioneering research to enable us to explore the current state of user privacy and how it is presented to consumers in a modern vehicle.
A survey of 1,038 car owners from the UK, Germany and Italy was conducted, asking a series of questions based on GDPR principles to establish how consumers saw privacy in the connected vehicles that they owned.
From a dealer’s perspective, compliance with GDPR is clear cut. The findings indicate that a good proportion of recipients (70%) across the three countries received a request to consent from the dealer to collect personal data, while around two thirds (68%) received a consent request from the dealer to store personal data.
However, once inside the vehicle, the need to comply with GDPR as it stands currently is less clear cut. This is the case even if the operator of any of the connected features gathering personal data (such as location) could be considered a data controller. This was reflected in the numbers: less than half (45%) received a request to consent to collect personal data once using technology inside the vehicle, less than half (47%) to store personal data and only a third (35%) to share it.
Only 60% of the study’s participants were given the option to choose whether their personal data could be shared with third-party companies and were informed of third-party companies that would have access to their data by the dealer and/or vehicle.
Default consent was also prevalent, with around one in three recipients (32%) responding that they were opted in by default. Almost half (42%) said they were not made aware that they can withdraw their consent from either the vehicle or the dealer.
Based on the findings, it is recommended that manufacturers revisit their governance procedures and start to explore new approaches to ensure fair use of personal information. One such method is to look at increased transparency with regards to collection of personal data for the unique automotive use cases.
An example of this is looking at where to place privacy notices such that two different owners can find them easily. Another recommendation could be to give consumers the power to completely erase private information from vehicles so that there is no danger of leakage if the vehicle was resold or scrapped.
Implementing privacy best practice (such as that espoused by GDPR) would build on existing measures for protecting customers. This would ultimately lead to increased consumer trust in advanced technologies and is vital in ensuring mass adoption of future connected vehicles.