GDPR: A Security Headache for Connected Car Makers & OEMs

Since the introduction in the European Union of the General Data Protection Regulation (GDPR) two years ago — it officially went into effect on May 25 — many car manufacturers and OEMS have been struggling to find ways to continue collecting data from the vehicles without stepping on any of the law’s landmines.
The EU has ruled that data generated in a vehicle is the property of the driver and no one else. This clarification of ownership is going to add a significant compliance burden to car manufacturers, rental car companies and fleet operators.
Some car manufacturers and OEMs are turning off some of the data collection features of their connected cars until owners sign up on online or visit a dealer to authorize the collection and processing of data.
A car can generate several gigabytes of data every hour, according to some estimates.
Drivers want to use connected services and be safer on the road, but they are concerned about data protection and safety. Car manufacturers need to find the balance between providing all the benefits of connected vehicles and infrastructure while addressing consumer concerns.
Collecting any personal data, including driving patterns, destinations, speed and other information collected by car sensors, without the user’s explicit consent, could trigger expensive lawsuits, and fines for breaking the rules can be as much as 4% of the company’s global revenue.
In the past, some car manufacturers were using an opt-out model and skirting close to the law on data collection, something the GDPR has put an end to. In 2011, for example OnStar, the navigation technology developed by GM, announced that its system would collect data, and send it, even if the user did not sign up for the service.
Another example from January 2014 involved Ford’s Jim Farley, the company’s global vice president for marketing and sales, who told the attendees during that year’s CES expo in Las Vegas: “We know everyone who breaks the law, we know when you’re doing it. We have GPS in your car, so we know what you’re doing. By the way, we don’t supply that data to anyone.”
Last year, as part of a research project, Privacy International rented a number of Internet-connected cars in a bid to explore how information is collected and stored on their infotainment systems.
Every vehicle the organization rented exhibited serious privacy flaws when it came to personal data. The cars contained information about previous and current drivers, including locations visited and smartphone contacts.
Those data collection schemes, while borderline legal a few years ago, need to be discontinued under the GDPR. Companies cannot pass on prior consent that was collected before this date if that consent doesn’t meet the new regulations. The OEMs need to go back and get consent again. If the user doesn’t answer a request for consent or refuses to give it, companies need to immediately stop collecting data.
In the event of a problem, it is the brand that will bear the brunt of the reputational damage – not the service provider. If there is a data breach for whatever reason, the legislation allows 72 hours to report it.
And GDPR is clear about refusing service, too.
If the user doesn’t consent to data processing that is not strictly necessary to provide a service, the provider can’t stop giving it. OnStar, for example, can’t stop providing its navigation features to paying customers if they refuse to allow the company to collect and process their driving data.
Consent must also be separate from other terms and conditions, and companies will need to provide simple ways for people to withdraw it. Employers of professional drivers will need to take particular care to ensure that consent is freely given.
Now that the GDPR is in full effect, and we are seeing many companies struggling to adapt to the new privacy rules, it is important for consumers to understand and exercise their rights. Data collection and processing that do not directly benefit the user should be stopped, except when they are required by law or absolutely necessary to provide a service.
It is still early to see the full impact of the new rules on automakers, car rental companies, fleet management and insurance providers. No lawsuits have been filed yet, but many privacy organizations are already gathering information and watching.
— Pablo Valerio is a technology writer and consultant working out of his home city of Barcelona, Catalonia. Follow him on Twitter @Pabl0Valerio.