
Quality and consistency through collaboration


We would like to acknowledge the contribution of Stefanie Constance.

Overview

  • Connected vehicles are here to stay. Connected service features are rapidly being integrated into passenger vehicles as a standard offering. Projections are that by 2031, 93% of new passenger vehicles entering the Australian market will include embedded mobile connectivity [1].
  • The after-sales role of Original Equipment Manufacturers (OEMs) is evolving. OEMs are now involved in providing connectivity services (e.g. in-vehicle internet access and automated crash notification systems) and related support and maintenance services post-sale. This increase in connectivity has led to OEMs collecting large volumes of data (including personal information).
  • OEMs must ensure regulatory compliance, but can do so in a way that drives consumer trust. OEMs must comply with privacy obligations relating to the collection, use, disclosure and retention of personal information. This is particularly important given recent privacy amendments and statements by Australia's Privacy Commissioner that the collection and use of personal information by connected vehicles is in its focus. [2] However, there is also the opportunity for OEMs to adopt privacy by design principles in order to drive consumer trust. 

In this article, we explore trends in automotive connectivity and some of the key privacy considerations OEMs should address as they embrace the era of connected vehicles.


The nuts and bolts of connected cars

Connected vehicles generate significant amounts of data, ranging from navigation and usage patterns to vehicle diagnostics and driver behaviour, depending on the feature set offered by a particular OEM. Connected vehicles leverage technology to share data and interact with drivers, other road users, and infrastructure. A vehicle’s Data Communications Module (DCM) plays a vital role in this connectivity, allowing the vehicle to communicate with cellular networks to provide connected services, such as emergency assistance and roadside assistance. Key examples of connectivity include:

[Graphic: connected vehicles]

Connectivity in vehicles continues to increase, with projections indicating that by 2031, 93% of new passenger vehicles entering the Australian market will feature embedded mobile connectivity, and 25% will incorporate Co-Operative Intelligent Transport Systems (C-ITS) connectivity [4]. There are an estimated 1.2 million connected vehicles currently in Australia [5].

From car manufacturers to data custodians

The role of OEMs is evolving beyond the manufacturing of vehicles. OEMs now have obligations that extend to the ongoing provision of connectivity services and their related support and maintenance. In particular, the shift towards connected technology has led traditional OEMs to adopt a more technology-centric approach to vehicle development, demonstrated by initiatives like BMW ConnectedDrive (which aims to connect customers’ mobile devices, smart home technology, and vehicle interfaces into a single environment, allowing customers to remotely control their vehicle or check whether there’s enough range for a trip).

In providing these connectivity services, OEMs are collecting large volumes of data – from driver behaviour and vehicle performance to location and usage patterns. As a result, there is a growing onus on OEMs to ensure they are collecting, using and storing personal information in a manner that complies with regulation.

Privacy regulation and reform

In Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) govern the collection, use, disclosure and storage of personal information. In September, an initial tranche of amendments was proposed as part of the Privacy and Other Legislation Amendment Bill 2024 (Privacy Amendment Bill), including:

  • clarification that an organisation should take operational as well as technical measures to protect personal information from misuse, loss and unauthorised use and to destroy or de-identify information they no longer need
  • introduction of a mechanism under which the Government may prescribe countries and binding schemes as providing substantially similar protection to the APPs, to assist organisations in assessing whether they are able to disclose personal information to an overseas recipient, and
  • requirement for entities to include information in privacy policies about automated decisions that significantly affect the rights or interests of an individual.   

These and other proposed amendments point to an increased regulator focus on privacy compliance and willingness to enforce such compliance. To ensure that OEMs are well placed to comply with existing and future privacy regulations, they should consider:

  • Reviewing and refreshing consumer-facing documentation, including privacy policies (especially where overseas disclosure of personal information is likely and also to account for future changes to AI regulations) and collection notices (particularly where bundled consent is obtained at a single point such as a privacy landing page where users tick or toggle their consent for their information to be used for multiple purposes), along with internal information protocols and data governance frameworks, to strengthen data management practices, accountability, and transparency.
  • Assessing the existing or proposed collection of biometric data (e.g. fingerprints for authentication or in-car payment of digital services and hardware, an offering available through Mercedes-Benz’s Mercedes pay+ [6]), which is classified as ‘sensitive information’ and whose collection, use and disclosure by OEMs is subject to additional obligations.
  • Optimising the consent withdrawal process to give consumers the ability to control how their information is being used.
  • Reviewing and updating data retention policies in line with statutory requirements and communicating the retention period when collecting personal information.
  • Assessing the current use of collected personal information to determine if it may be deemed unfair or unreasonable, and identifying potential mitigations. This could involve limiting data collection to essential vehicle performance metrics.
  • Building privacy into product and service design, with advancements in vehicle technology and global data exchange, keeping privacy obligations and consumer expectations in mind at every step.

Driving consumer trust through regulatory compliance

While OEMs must ensure they comply with privacy regulations, there is also an opportunity for them to build and maintain consumer trust through transparent data practices. There have been growing consumer concerns over the collection of data by OEMs, the disclosure of data to third parties (including to international companies) and the lack of transparency surrounding such use and disclosure [7]. The issue is further compounded when sensitive biometric data, such as voice recognition, is shared with third-party providers without express or implied consent.

Instead, customers increasingly expect transparency and reassurance about how their data is handled, especially when using connected services. While most brands offer opt-out features in relation to the collection of certain data, the automatic opt-in at purchase or app download, combined with complex privacy policies, reduces consumer awareness and control over their own data. Addressing these concerns may foster greater trust in OEMs in a way that aligns more closely with consumer expectations.

Telecommunications service providers 

In addition to privacy considerations, OEMs should also be aware of the telecommunications regulations that impact connected vehicle manufacturers and distributors in their capacity as Carriage Service Providers under the Telecommunications Act 1997 (Cth). We will take a closer look at these regulations and consultation on these regulations in a subsequent article. 

Conclusion

The inclusion of connectivity services in vehicles continues to increase at a rapid rate, and with it the volumes of data collected by OEMs. It is important that OEMs ensure they are complying with privacy laws in an evolving regulatory landscape, especially as we make the transition from the era of connected vehicles to fully autonomous ones. 

However, OEMs have the opportunity to ensure compliance in a manner that balances the interests of both parties – that allows OEMs to unlock insights into vehicle performance, improve user experiences, and foster innovation while providing customers with the enhanced, data-driven experiences they have come to expect, in a way that safeguards their personal information.

 

[1] AP-R654-21 | Austroads, p. 27-28.

[2] Ryan Cropp, ‘Carmakers' privacy standards are on Australian watchdog's radar, key official says’, LexisNexis (online at 11/11/2024) https://mlexmarketinsight.com/news/insight/carmakers-privacy-standards-are-on-australian-watchdog-s-radar-key-official-says.

[3] Department of Infrastructure, Transport, Regional Development, Communications and the Arts (2023), Telecommunications Legislation and Connected Vehicles

[4] AP-R654-21 | Austroads, p. 27-28.

[5] Connected Cars and Data Sharing, Australian Automotive Aftermarket Association Infographic (accessed 04 November 2024).

[6] In-car payment by using your fingerprint | Mercedes-Benz Mobility AG

[7] Jarni Blakkarly, ‘Drive one of these car brands? This is how much of your data they’re tracking’, Choice (online at 13 November 2024).

 
