Latest news

« »

Thursday, 13 November 2014

Connected car data require stronger protection, consumer choice

Car owners are at the mercy of vehicle manufacturers when it comes to what is done with their vehicle diagnostic, geolocation and mileage data, and even biometric data about the driver and information about driving behaviour. It goes directly to the VMs who then decide which third parties should receive it. However, on 12 November in the US the Alliance of Automobile Manufacturers and the Association of Global Automakers released a document entitled ‘Consumer Privacy Protection Principles’ which will give owners protection through a set of principles about data sharing over vehicle telematics systems.
The principles will require VMs to get permission for certain uses of data by model year 2017 at the latest (although there will be a one-year extension available if engineering changes are needed). VMs will tell owners what types of data they collect, and how those data are used and shared. The information will be included in owners’ manuals, on displays inside vehicles and on Internet registration portals maintained by the manufacturers, so consumers will be able to inform themselves before deciding to buy. The promoters recognise that there is no one-size-fits-all solution.
Car makers will also have to get permission from customers to use any personal information for marketing, and will be forbidden from providing insurance companies with driver behaviour data which identify an individual without the customer’s consent. It is hoped that replacing the current terms on which such data are collected and used, which vary between manufacturers, with a single set of principles, the industry might head off calls for legislation which it fears might stifle innovation. The new principles use guidance from the FTC, the White House Consumer Privacy Bill of Rights and the Fair Information Practice Guidelines.
The data may still be used in ‘scrubbed’ or anonymised form for other purposes, common practice in the new world of Big Data, although there are doubts about whether even using data in this form could be a breach of privacy.
So much for the position in the USA. European data protection laws are much more rigorous. How would the new guidelines play in the EU? Not well: while they are a step in the right direction, they fall well short of what the current EU directive requires. Collecting data for ‘reasonable business purposes’ might be acceptable in the US but is far too vague for the EU: and the idea that just by using a vehicle data subjects are giving implicit consent to their personal data being processed would never wash.