Your vehicle remembers your driver’s settings and those of your spouse, who also drives your car.
Your recent call history is saved and displayed on your vehicle screen.
Your car sends you emails to let you know how it’s doing re: average mileage and tire pressure.
Your car sends crash incident and medical data to nearby first responders.
Your car can tell whether or not you are under the influence, distracted, tired or sad and shares this information with insurance companies or advertising companies.
Fact? Fiction? A bit of both?
The vehicle you are driving is no longer a car, it’s actually a computer on wheels. Some even say a smartphone on wheels, though others take issue with this comparison. What is clear is that today’s cars collect, use and share a great deal of information, much of which can identify the individuals using the car or the car itself.
The use of this information can be very beneficial to individuals, making the driving experience more tailored and more efficient and even able to save lives by helping get medical assistance when it is needed.
However, there also are many risks associated with the handling of such vast amounts of information. In the wrong hands, sensitive information such as precise location and common driving routes could risk people’s safety and information such as driving habits, or mood could be misused by service providers and companies in ways that would prevent opportunities and even discriminate.
This type of information, which identifies or could be used to identify individuals, is called “personal information” or “personal data” under data protection laws such as the European Union’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act (CCPA). These laws limit the use of this information. In addition, Europe’s top regulator, the European Data Protection Board (EDPB), has been considering how these regulations impact data collected and shared by connected and autonomous vehicles.
What do these laws require?
Legal Justification: Under GDPR, you may not collect or share or allow the vehicle to generate personal information if you do not have a legal justification (called “legal basis”) for such use. For example, the information is necessary in order to comply with laws related to safety or emissions; or such information is necessary to provide a feature requested by the individual.
Transparency: GDPR and CCPA require parties that collect personal information to provide the individuals with adequate disclosure of the information collected including what information is being collected, for what reason and with whom it is being shared.
Choice: In some cases, stakeholders are required to provide individuals with a choice about what is to be done with their information. This is especially the case when dealing with more sensitive (health) information or when the information is shared with third parties for reasons other than strictly required for the safe operation of the vehicle. Under these laws, individuals can access the information collected about them and, in certain cases, have this information be deleted.
Data Minimization and de-identification: Under GDPR, stakeholders are required to collect only the information they need and to de-identify or delete the information when it is no longer required.
Security: Connected vehicles are Internet of Things (IoT) equipment. As such, auto manufacturers and other stakeholders are subject to heightened requirements of information security both under the EU GDPR and under Internet of Things laws and bills being promulgated in several U.S. states.
As cars become increasingly connected and more information is collected, which can be analyzed and monetized, the issues are becoming more complex. Regulators on both sides of the ocean have their work cut out for them to find the right balance between protecting the rights of individuals and encouraging innovation.
Odia Kagan is a partner in Fox Rothschild's Privacy & Data Security Practice and chair of the firm’s GDPR Compliance & International Privacy Practice.
