Car owners are at the mercy of vehicle
manufacturers when it comes to what is done with their vehicle
diagnostic, geolocation and mileage data, and even biometric data
about the driver and information about driving behaviour. It goes
directly to the VMs who then decide which third parties should
receive it. However, on 12 November in the US the Alliance of
Automobile Manufacturers and the Association of Global Automakers
released a document entitled ‘Consumer Privacy Protection
Principles’ which will give owners protection through a set of
principles about data sharing over vehicle telematics systems.
The principles will require VMs to get permission
for certain uses of data by model year 2017 at the latest (although
there will be a one-year extension available if engineering changes
are needed). VMs will tell owners what types of data they collect,
and how those data are used and shared. The information will be
included in owners’ manuals, on displays inside vehicles and on
Internet registration portals maintained by the manufacturers, so
consumers will be able to inform themselves before deciding to buy.
The promoters recognise that there is no one-size-fits-all solution.
Car makers will also have to get permission from
customers to use any personal information for marketing, and will be
forbidden from providing insurance companies with driver behaviour
data which identify an individual without the customer’s consent.
It is hoped that replacing the current terms on which such data are
collected and used, which vary between manufacturers, with a single
set of principles, the industry might head off calls for legislation
which it fears might stifle innovation. The new principles use
guidance from the FTC, the White House Consumer Privacy Bill of
Rights and the Fair Information Practice Guidelines.
The data may still be used in ‘scrubbed’ or
anonymised form for other purposes, common practice in the new world
of Big Data, although there are doubts about whether even using data
in this form could be a breach of privacy.
So much for the position in the USA. European data
protection laws are much more rigorous. How would the new guidelines
play in the EU? Not well: while they are a step in the right
direction, they fall well short of what the current EU directive
requires. Collecting data for ‘reasonable business purposes’
might be acceptable in the US but is far too vague for the EU: and
the idea that just by using a vehicle data subjects are giving
implicit consent to their personal data being processed would never
wash.
No comments:
Post a Comment