We need new GDPR protections for cars

Cars are generating more data about us and our movements every day, but how will that affect us?

Twenty-five gigabytes. That’s how much data is generated by a “connected” car every hour that it’s in use. To put that in perspective, that’s enough data to stream about 30 hours of non-stop HD Netflix. It’s enough data to overwhelm the memory chip of any first-generation smartphone. Or, if you want to get into serious numbers, it’s 214,748,364,800 times the amount of computer memory that was required to accurately fire Apollo 11 at the Moon. It’s a lot.

So, every hour that it’s in use, a car that’s fitted with the latest touchscreen infotainment system and an LTE internet connection (and that’s a description that applies to a lot of new cars) generates that much data. About us. Oh sure, some of it is just junk data, of interest to no one such as how many times in the preceding second that the spark plugs fired. Some of it, though, is deeply personal. Our location. Our music preferences. What internet site we sneakily took a peep at on our phone (connected to the car via Bluetooth or USB, of course) while we were waiting at a red light.

"Data is the new oil in 2018," Sean McElligott told The Irish Times. Mr McElligott is the partner and head of the technology group at leading Dublin law firm Philip Lee, and he's concerned about how many grey areas that there are when it comes to the strict, legal, definitions of who gets this data, and what they then do with it.

Your data?

“It is your data, or my data. You own it, but there probably are some grey areas to other aspects of the data. You see, GDPR only deals with personal data. So that’s data that personally identifies me. Classically it’s name, address, phone number and so on, but it also includes such things as my GPS location at any given time. Other data such as whether I turned left on a green light, whether or not I indicated to do so or not, whether or not I changed lanes in the past five minutes. It’s unclear right now whether or not that sort of information is covered by GDPR because there’s no case law on it yet.”


Who can access this data? More people than you might think. The car company that made the vehicle for one. Plug the car into a diagnostic port and all of the data that has flowed through the can buses of the on-board computer systems will be available. The company that provides the cellular internet link for the sat-nav, for another. The company that made your mobile phone, connected to the car as it is, and the company that provides the mobile network through which that phone functions. Do you use an online music-streaming service while driving? They’re in the loop too.

GDPR, General Data Protection Regulation, that new EU-wide rule which we all got those annoying and constant emails about earlier this year, should cover most of this. If it's personally identifying data, you have to give your specific consent for any company to access or store that data, even if they make no direct use out of it. And it can't be buried in a sub-clause on page 17 of a contract that no one's going to read, either. The request for consent has to be up front, clear, and precise.

Event then, people don’t seem to be aware of just how big the trail of data crumbs they’re leaving behind is. “I’ve been talking to people in my own circle – friends, family, colleagues – about whether or not they know about this, are they happy about it, did anyone tell them about it?” McElligott said. “And the answer seems to mostly be: ‘No, I had no clue about any of this’.”

Brave new world

It seems to be that the tech is running, as it so often does, far, far ahead of the legal and societal understanding of it. “I’ve no doubt that is the case,” said McElligott. “Undoubtedly, this is a brave new world. There’s always been a sense of second screen, whereby your phone becomes a part of what you’re watching on the TV. Well there’s a very good argument that the screen in your car now becomes your third screen. There are lots of people who would love to show you ads on that screen. So take things such as radio advertising. Obviously, it becomes a lot better for the advertiser if, instead of us all listening to the one advert, in which only a small proportion of us might be interested, it could instead be Facebook-style, and directed at individual tastes and wants. So why wouldn’t car companies, which are effectively tech companies now, be interested in this?”

Why indeed? Simple; cash. According to a report by market analysts McKinsey, the potential amount to be earned from providing in-car data services, entertainment, and advertising could be as high as $750 billion (€661 billion) by 2030. Not for nothing are carmakers already changing their spots. "We see multiple business models coalescing to form a new ecosystem, centred on technology innovators, fleet operators, services businesses, and platform providers" said a recent report by Deloitte. "Vehicle manufacturing will likely continue to be important, but value will increasingly be generated by software and consumer data."

That’s why so many carmakers, these days, refer to themselves as “mobility providers” rather than manufacturers. Many have seen, on the horizon, the falling margins when it comes to building big metal boxes and selling them by the hundreds of thousands. It’s why Renault’s big announcement at the Paris motor show this year wasn’t a new Clio, but a collaboration with a French media company to produce and curate streamed entertainment and infotainment for those using shared, autonomous cars.

Such groundwork is already being laid. This week, Skoda Ireland announced that, so keen is it to get car buyers started on using connected and online systems built into the cars, that it’s going to provide a free SIM card, pre-loaded with a month’s worth of usable data, to all new buyers. Skoda clearly hopes that, by offering people a trial of such services, they can get drivers hooked, and start offering longer contracts, earning Skoda valuable subscription fees.

All of which sounds fine right now, but if there's data, then data can be a form of evidence, and evidence has a legal importance. We all remember how when Rachel O'Reilly was murdered by her husband Joe, it was data pinpointing the location of his mobile phone at the time of the killing that helped lead to a conviction. Equally, in the appalling recent case of the kidnap and murder of Justine Valdez, her killer, Mark Hennessy, was tracked down in part by the Garda being able to access navigation data from his car, a Nissan Qashqai.

Grey area

Theoretically, though, if you've generated data, through the use of your car or another device, then using that information in court could be viewed as compelling you to testify against yourself, which is of course not something that a court can legally do. When it comes to data, legally speaking, who can access and obtain that data comes down to the question of the case in hand. In the instance of a serious crime, a spokesperson for the Garda told The Irish Times that: "Under the Criminal Justice Act 2006 if a member of An Garda Síochána has reasonable grounds to believe that an arrestable offence has been committed or is being committed and there is in place evidence of, or relating to the commission of an arrestable offence, gardaí can take such steps necessary to preserve any evidence of, or relating to, the commission of that offence."

According to McElligott, though, it's not that straightforward. "It's a grey area," he says. "There's no answer to it at the moment. There was a report written by the Law Commission, but it's still a very grey area, as there's no case law to back it up yet. It is worrying."

Ultimately, much of this comes down to personal choice. If you’re happy with what’s being offered to you in return for ticking the box that says yes, then by all means go ahead. Just try to remember that data, your data, has far more intrinsic value now than the 15-cent discount on a cup of petrol station coffee that’s often offered in return for it. Beyond which, as recent political events have abundantly shown, data is all too easily weaponised for nefarious purposes. Your car generates reams and reams of it, and that is something that is only going to grow in the coming years. Your data can be used against you, as well as in your favour, so be careful to whom you entrust it.