Thursday, November 8, 2018
Can you guess who may know the following about you?
Most people would probably guess their phone, but how many people would say their car?
Modern cars are jam-packed full of features to make our lives easier and safer, such as lane control, adaptive cruise control, navigation and infotainment systems. All of this convenience has been shown to result in the generation of enormous amounts of data (which some estimates put at 25Gb of data per hour – the equivalent of 125,000 Word documents or 100 hours of video). Depending on the nature of the technology used in your modern car, this sensitive information could be accessible or made available to a number of interested parties including (i) the car manufacturer, (ii) mobile network operators, (iii) in-car system providers and/or (iv) the cloud service providers who store the data.
All of this data is valuable and is of interest to many different parties – to put it in context, a recent study from March 2018 by McKinsey & Company estimates that the industry around car connectivity may be worth from $450 to $750 billion worldwide by 2030.
Worryingly, there is no specific legal framework at an Irish or European level regulating the protection of data collected from vehicles.
However, although most people are sick of hearing about it, all data collected that constitutes “personal data” (which would include, for example, your name, address, telephone number, GPS location and biometric data) is subject to the new GDPR legislation.
Under GDPR, there are only six lawful ways by which personal data may be stored (or processed in any way whatsoever), the most common being by way of the consent of the data owner.
When you purchased your brand new car, did you give your consent to the storage and processing of your data?
It is not the case that the collection of data by your car is simply another example of Big Brother’s interference in our lives – it is more complicated than that.
Most companies collect data with the stated purpose of maintaining and improving the services provided or developing new services. There are undoubtedly circumstances in which people would be happy for a car’s data to be made available to, and accessed by, the Gardaí (under powers conferred by the appropriate legislation). Earlier this year, for example, Gardaí were able to use location data from a Nissan Qashqai to trace Mark Hennessy’s movements following the abduction of Jastine Valdez – in this tragic case, it would be difficult to see anyone arguing with the Gardaí exercising their powers in this way.
In the US, in-car technology is routinely used by law enforcement, which gives rise to greater privacy concerns. For example, in one case, a driver accidentally activated his car’s SOS system while discussing a drug deal. The call-centre staff listened to the discussion and then proceeded to inform the local police, which led to the driver’s arrest. In this case, while your knee-jerk reaction might be that the arrest of a drug dealer is obviously a good thing, are you happy that people in the car manufacturer’s call centre could listen in to your private discussions while in your own car, if you accidentally activate one of the emergency systems? Maybe this is a price worth paying for the security of knowing that if you are in an accident, help will be at hand immediately.
What about all of the data collected by your car – would you be happy for it to be used to show you personalised content and ads? For example, if your car is running low on petrol/diesel would you be happy for it to prompt you that there is a service station nearby (to which it will give you directions) and that you will get a 5% reduction on fuel if you go there? In this “transaction”, the service station would presumably pay the car manufacturer a certain fee for showing the ad, you would get a reduction in the price of your petrol/diesel and the service station would profit from the fact that you will probably purchase something else (such as a high margin coffee) while buying petrol/diesel – is this a case of everyone wins or is it creepy?
Finally, it is clear that in this brave new world of connected cars, nobody is quite sure where we are going. However, from a legal perspective, car owners must be informed of all the various personal data that is being collected and the uses to which it may be put – without this, the manufacturers are exposing themselves to investigations by the Data Protection Commissioner as well as litigation from disgruntled customers.
Sean McElligott is Head of Technology Partner with the firm. His comments and elements of this article have been published in Irish national newspapers and broadcast media.