Connected Cars and GDPR
Data protection and the connected cars of the future
Anyone who has purchased a car recently, or has even considered doing so, will be aware of the number of technological developments being integrated into new cars. These ‘connected vehicles’ have the ability to collect and process vast amounts of data. Perhaps unsurprisingly, one of the central features of these cars is their ability to capture personal data (including directly identifiable data such as a driver’s name or fingerprint, and indirectly identifiable data such as details of journeys made, data relating to driving style or distance covered), in order that manufacturers might improve the customer experience generally.
While no specific Irish or EU legislation exists which addresses the range of potential legal issues applicable to connected cars, there is a patchwork of data protection, telecommunication and cybersecurity legislation which might apply, depending on the circumstances. For example, the General Data Protection Regulation applies to the processing of all personal data generated by a “vehicle equipped with many electronic control units that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices both inside and outside the vehicle”.
Key challenges in regard to ‘connected vehicles’ and GDPR
Obtaining valid consent – Explicit customer permission is a core principle in GDPR. Therefore manufacturers should ensure that data from connected cars is not captured, processed or shared without the data subject’s valid consent. The ability to secure this valid consent can prove a significant challenge.
Excessive data collection – The systems and sensors employed in connected cars have the ability to capture an estimated 25GB of data per hour. There is a risk that this data collection might be regarded as excessive, when viewed through the prism of the GDPR’s ‘data minimisation’ principle.
Security Issues – There is always the potential for the various systems and interfaces (USB, Wi-Fi, RFID etc.) which are used to collect data to be exposed to attack or hacking. The personal data stored within the vehicles or on an external server may also be at risk of unauthorized access, for example by vehicle technicians.
Third Parties – A novel aspect of data processing and connected vehicles is the involvement of third parties. There are a number of different participants aside from the vehicle owner, such as the driver, second-hand owner, renting/leasing drivers, and passengers. Often these participants or users of the car will not have given consent to the collection of data or may not be aware that data is being collected at all.
How to respond?
Privacy and data governance should be considered carefully during product or project development, with legal advice secured and integrated into the strategy, design and development phase of connected car projects. A proactive approach to privacy will bring a better awareness of privacy issues and ensure that any issues are identified and solved early in development.
In addition, the role of third-party product manufacturers should be carefully managed, as their products may be less rigorous in ensuring proper data management in their own systems and in the systems they design. This could lead to problems for the connected car manufacturer in the future should there be deficiencies in the services or products obtained.
Connected car manufacturers need to keep track of the data collected. They should also map the flow of data they collect. As data will often flow automatically and be transferred and stored across multiple different platforms, it is vital that manufacturers have robust tracking and storage systems for this data.
If you would like to discuss this further please get in touch – firstname.lastname@example.org
Or contact us here
Or call us here – 01 4378349
The material contained in this post is for general information purposes only and does not constitute legal advice. Specific legal advice should be sought on any particular matter. No liability whatsoever is accepted by PF Solicitors for any action taken in reliance on the information in this post.