You think you’re just playing music as you drive, or maybe listening to a favourite podcast, but as soon as you tether your smartphone to your car, whether by cable or by Bluetooth, you are opening up a potential can of data-privacy worms.
The issue of data privacy and your car has come sharply to light recently with a report in Autocar magazine in the UK regarding Mario Bonfanti, a man with a troublesome Range Rover Evoque.
Having taken the car back to his local Land Rover dealer in Ayr, in Scotland, Bonfanti found that data from the car's onboard computer system had been downloaded during the service. While that may seem entirely innocent – the garage was trying to locate the source of the mechanical issue – the fact is that along with the technical information, the garage had also downloaded data from the car's infotainment system, which was paired to Bonfanti's phone. That means the garage now held his phone number, his phone's serial number, his contacts book and his text messages.
While this download was not done maliciously, nor with criminal intent, it still means that personal data was now sitting on someone else's hard drive, one that may have been more vulnerable to a hacking attack, and to having that data copied or otherwise stolen.
Speaking to The Irish Times, Michael Kavanagh, chief executive of the Association of Compliance Officers of Ireland, or ACOI, an expert group when it comes to data privacy, was unequivocally clear on just how serious this is: "Even if personal data is downloaded or accessed inadvertently, it is a data breach. Car dealers need to have clear processes in place for resolving any breaches, and they must notify the Data Protection Commission within 72 hours of identifying the breach. They must also inform the customer where it is likely to result in a high risk to the individual or individuals affected. Most breaches are due to human error. Questions must be asked as to whether staff at the dealership receive sufficient GDPR training."
There are clear limits set out in terms of what data can and cannot be collected, and limits on how that data can be used and interpreted. The Data Protection Commission's guidance on the GDPR's purpose-limitation principle states: “Personal data must be collected for specified, explicit and legitimate purposes, which are determined at the time of the collection of the personal data, and not be further processed in a manner that is incompatible with those purposes.”
Clearly, someone’s personal phone data is entirely irrelevant to the process of diagnosing a mechanical fault with a car, but the problem for dealers now is that in-vehicle systems are becoming increasingly interlinked, and that is causing some serious data-protection headaches.
An ever-increasing number of cars, including many mainstream models, now come with a built-in SIM card that allows always-on internet access. That can be of huge benefit to the driver, allowing in-car access to local parking availability, for example, or instantaneous warning of traffic snarl-ups, the cheapest petrol or diesel in the vicinity, or for that matter the availability of nearby electric charging points. Many will even detect when you are passing near your local car dealer, and ping a reminder message about an upcoming service on to the dashboard.
It is these sorts of systems that have data experts so worried at the moment. According to the ACOI, there is a general push towards digitisation of driving metrics in the motor sector in general, “which means there must be some business case for [carmakers] to develop and provide this system to customers free of charge”.
“These devices added GPS location capabilities to vehicle diagnostics that were not always present to start with. These devices then enabled the recording of driving habits, location and other metrics such as fuel consumption, which can help to indicate the use of the vehicle at any time irrespective of whether the vehicle is used for work or leisure.
“It is unclear how exactly this data is used by manufacturers or precisely with whom this data is shared. Their privacy statements tend to be a little vague and dealerships do not always have the information to hand. It is likely the data is used to profile drivers and segment them for marketing analysis and possible provision of future services such as finance arrangements.”
Until now, much of the data-privacy worry over such systems has been to do with someone gaining direct, illegal access to such information. Now, the bigger worry is access that is both approved and legal, but careless.
In terms of issues involving car dealers in Ireland, the DPC told The Irish Times that it is not an issue it has come across to date and it has not received any complaints in relation to this.
“Regarding guidance on processing personal data, organisations must respect the obligations conferred on them by the GDPR, in particular by carrying out their activities in accordance with the principles of data protection found in article five. Organisations must show that any processing of personal data is lawful and fair; that it is transparent; that they record the minimum amount of personal data necessary for a stated purpose; that the personal data is stored securely and retained only for the minimum amount of time required; and that they respond appropriately to data subject requests,” the DPC explained.
However, incoming European legislation could make a mockery of current GDPR laws, because in the interests of saving the environment, there are now discussions taking place that could see every kilometre driven by every car monitored and dissected.
The European Union is working on a replacement for the current Euro 6 emissions regulations, and one proposal includes such live, constant, monitoring so as to ensure that all vehicles are sticking to their legislated emissions limits. What would be a major victory in an environmental sense could trigger a nightmare in a data-protection sense.
Such a system, similar to the vehicle monitoring setups currently used by some employers to monitor vehicle speed and location, could be in significant breach of data regulations. “Under the principle of transparency, drivers must be aware when the recording is occurring and what data is recorded and for what it is used,” says the ACOI’s Kavanagh.
“Employers should not regard vehicle tracking as a method to track or monitor the behaviour or the whereabouts of drivers. Given the DPC’s concern about proportionality and necessity, the constant recording and monitoring of a person’s personal or work-provided vehicle could be in breach of GDPR even before it is downloaded by the dealer, if the recording was not necessary or was excessive.”
The Society of the Irish Motor Industry (SIMI), which represents Irish car dealers and importers, told The Irish Times: "Our members take the safeguarding of personal data very seriously and their obligations under the General Data Protection Regulations in relation to the processing of personal data. When you choose to have a vehicle repaired or serviced the dealer will be one of the companies responsible for handling your personal information – known as a 'controller' under data-protection law – and may require certain personal information in order to fulfil the contract to repair or service.
“Consumers have several rights under data-protection law in relation to how companies use their personal information. Consent now must be freely given, specific, informed and unambiguous, and individuals have the right to withdraw consent. SIMI have issued GDPR compliance guidelines and run courses in relation to data protection, so that our members are aware of data-protection law and how to comply with it.”
However, according to Kavanagh, simply getting someone’s consent to download their data may not be enough. “Necessity and proportionality would always need to be demonstrated in a data-protection impact assessment by whoever is implementing the technology, and the exact details of use made clear to the driver,” he said.
“Where consent of a driver has been requested to undertake what might be excessive processing of data, this does not give the car manufacturers and dealers a ‘get out of jail’ card even if they are fully transparent. This is because consent cannot override these two central pillars of data protection. Also, where the vehicle is provided in a work environment, employers cannot rely on the driver’s consent as a lawful basis due to the power imbalance in the relationship.”
The problems of data protection are unlikely to go away, given that the relationship between our phones and our cars is becoming increasingly symbiotic.
Already, it’s possible to lock and unlock your car with a smartphone app, or to remotely heat or cool the cabin, or in the case of electric cars, to schedule and control charging times.
Our phones are already an indispensable component of our in-car entertainment systems, and they already constantly record and measure our daily movements and habits outside the car. That data is a positive goldmine both for legitimate, if often intrusive, marketing and for those with a more sinister purpose. Try to keep that in mind next time you sync your phone with your car.