Connected Cars and how to get past the privacy spike strips
May 26, 2015
The IoT, Connected Cars: what’s the deal?
The Internet of Things (“IoT”) is changing the world rapidly. IoT is a very broad concept and refers to an infrastructure in which devices (“things”) can record, process, store and transfer data. At the core of this concept lies the interaction of these devices with one another using networking capabilities.
Applying this technique of the IoT to vehicles (so that they become “Connected Cars”) leads to various practical applications and incredible opportunities. For example, Connected Cars use GPS data for safety reasons, such as keeping distance and limiting speed. But they can also transfer GPS data to a home domotics system so that certain appliances can be (de)activated right before your arrival. The opportunities are endless…
Connected Cars and the protection of personal data: when your car will know more about you than your spouse
Whether they are connected to emergency services (eCall), your car shop or your Facebook account, Connected Cars raise important legal questions in the field of privacy and the protection of personal data.
Connected cars continuously collect, store and transfer data. They interact with one another as well as with other types of infrastructure or devices. When this data relates to identified or identifiable private individuals, which is very regularly the case, the processing activities will fall under the scope of the EU Data Protection Directive 95/46/EC as well as all relevant national privacy legislation which transposed this Directive.
That’s when it becomes tricky as this matrix of data flows has to fit into legal concepts developed in times where we could not foresee today’s digital age.
First of all there is the question of who is in charge? Is it the car manufacturer building in the applications, is it your insurance company requesting the collection and transfer of the data, or is it you as the one configuring the car settings?
Secondly, the identification of the data subject is no longer a given. As a data controller you may have received consent from one person but you will always be facing the risk that you are processing personal data of another individual e.g. the car owner’s employee, his children or just a random passenger. From a data minimisation perspective, it would be disproportionate for a data controller to identify (and thus process more personal data) each individual sitting in the car for mere compliance purposes. On the other hand a data controller needs to ensure it does not undermine a citizen’s basic fundamental privacy rights either, such as the right to know who is processing which information about them.
Thirdly, we are facing the ever-returning question of applicable law and competent authorities. The IoT combined with the issue of cloud computing makes it difficult to pinpoint the competent authority and avoid the double application or even worse, the double non-application of privacy laws at the same time. We believe that policymakers all over the world have a standardisation role to play in this story, similar to the efforts done at EU level for the new EU Data Protection Regulation which perhaps does not include all the “nice-to-haves” in terms of common legislation for a market with more than 500 million consumers, but at least gives us a good head-start on the “must-haves”.
The road ahead…
Privacy and the protection of personal data in the context of Connected Cars does not only impact car manufacturers and application developers, but any social platform, insurance company, employer or other stakeholders “along the way” if and when they tap into the data flows between Connected Cars or connected devices in general.
Going back to the basics of project management, if your problem or deliverable is too complex, you need to break it down to smaller pieces. The same goes for complex data matrices; it all comes down to identifying and mapping-out the data processed, the type of processing done, the points of departure and arrival of each data flow, the purposes of the processing and the actors involved to know who needs to do what and who is liable if things go south.
In conclusion, data classification will always be the first step. There’s no point in waiting nor is there any way around it.
 Also have a look at the Article 29 Data Protection Working Party’sOpinion 8/2014 on the Recent Developments on the Internet of Things, 16 September 2014, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf.