Connected Cars

On 20 December 2019, the EDPS (European Data Protection Supervisor) published a “tech dispatch” on connected cars and data protection: “Connected Cars”. For your interest, here is a brief summary of the document.

I. What Is a Connected Car?

A connected car has one or more systems for data connection, transmission, and communication with the exterior environment. Connected cars are fitted with multiple integrated sensors that collect information on driver behaviour and on the functioning of the vehicle’s systems; further data comes from cameras, other external sensors, and external devices connected to the vehicle, such as smartphones, WLAN hotspots, smart home services, etc.

In the early stages, the data collected by the car was processed internally; however, the increased connection capacity of vehicle networks has made it possible to establish connections between vehicles or with other bodies, such as traffic infrastructure (e.g. traffic lights), the vehicle manufacturer, insurers, the authorities, etc. Vehicle connections span a wide range of possibilities: for example, they make it possible to remotely control and diagnose the status of the vehicle, notify emergency services in case of an accident, provide parking assistance, etc.

In the near future, connected cars may become part of Cooperative Intelligent Transport Systems (C-ITS), which allow users and traffic managers to share information and coordinate their actions. Currently, the connected car is already part of the Internet of Things, with all its strengths and vulnerabilities.

It is important not to confuse a connected vehicle with an autonomous vehicle. “Autonomous vehicles are those in which at least some aspects of safety-critical control functions occur without direct driver input.”

II. What Are the Data Protection Problems?

According to some estimates, connected cars produce up to 25 GB of data per hour. This data may include biometric and health-related data, location and communications data (metadata and contents) and driving behaviour, in addition to data used for training systems. This data is directly or indirectly linked to an individual and therefore constitutes personal data under the European Union’s legislation on data protection. Depending on the processing, the data controller may have to conduct a Data Protection Impact Assessment.

In its report, the EDPS describes the risks of data processing by connected cars:

Lack of Transparency

The controllers, as well as the data recipients, must be clearly identified for each processing operation.

Additionally, the information provided to the users of connected vehicles must be concise, transparent, intelligible and easily accessible. A vehicle manufacturer’s 15-page privacy policy displayed on a screen measuring 20x8 cm, as has occurred in certain cases, does not provide the information according to the aforementioned principles.

Excessive data collection

The growing number of sensors used in connected vehicles increases the risk of excessive data collection beyond what is strictly necessary for a specific processing operation. The principle of data protection by design and by default must be followed, especially that of data minimisation.

Data retention

Data can be stored by the car that generates it, by other vehicles to which it is connected, or by any other information system to which the vehicle is connected through the telecommunications network. Personal data must be stored for no longer than the minimum time required to fulfil the purposes of the processing. Scenarios involving multiple actors increase the risk of excessive data retention. For example, users of shared cars and rental cars may retain permission to monitor and exercise a degree of control over the shared or rented vehicle even after the service has been terminated. Likewise, the former owner of a vehicle may still be able to access it through their mobile phone.

Lack of purpose limitation

Data initially collected for maintenance purposes may be used by insurance companies to enhance drivers’ profiles, or by traffic authorities to monitor compliance with traffic regulations, such as speed limits.

Collection or inference of sensitive information

The data collected may reveal sensitive information about people’s lives, the places they visit, their interests, etc., which makes it possible not only to identify them but also to infer sensitive information such as their religion, political opinions, sexual orientation, etc. Data controllers must pay special attention to the special categories of data.

Security and Access Control

Maintaining the security of the information systems in connected cars is essential. A cyber-attack may involve not only data theft but also the deactivation of security systems or even taking control of the vehicle itself, dangers that have already materialised.

It must be remembered that, on occasion, the connected vehicle is part of a system interconnecting other cars and systems. In these cases, an attack may have even more serious consequences.

According to the 2017 report “Access to In-vehicle Data and Resources”, there are three technical approaches to accessing in-vehicle data: on-board application platform, in-vehicle interface, and data server platform. Only the first approach prevents data transfer to external servers.