Connected car data protection generated significant discussion amongst people at the International Conference of Data Protection and Privacy Commissioners. The 39th annual conference brought together privacy and data protection authorities (DPAs) from around the world in Hong Kong in September. Consistent with prior tradition, the “closed sessions” produced three separate nonbinding resolutions.
There is rapid advancement in the development of automated and connected vehicles, which will improve traffic efficiency and safety but will also collect vast amounts of consumer data. The connected car nonbinding resolution both acknowledges the rapid advancement of vehicle automation and connected vehicle technologies and expresses concern about the possible lack of available information, user choice, data control, and valid consent mechanisms associated with the collection and use of vehicle and driving-related data.
For the most part, the resolution holds no surprises – the majority of the DPAs have repeatedly taken the general position that transparency regarding personal data use, and user control with respect to those uses, will, in their perspective, be critical in connected vehicles.
The resolution calls upon all relevant parties to fully respect the users’ rights to protection of personal data. This includes standardization bodies; public authorities; vehicle and equipment manufacturers, personal transportation services and car rental providers; and providers of data-driven services such as speech recognition, navigation, remote maintenance or motor insurance telematics services. The resolution strongly encourages incorporation of privacy by design and default in each stage of the development and creation of new autonomous devices or services.
In addition, the resolution urges that the relevant parties, among other things:
- Give data subjects comprehensive information about what data is collected, for what purposes and by whom, and provide granular and easy-to-use privacy controls for vehicle users, enabling them to, where appropriate, grant or withhold access to different data categories in vehicles;
- Utilize anonymization measures to minimize the amount of personal data collected;
- Retain personal data no longer than necessary and provide technical means to erase personal data when a vehicle is sold or returned to its owner and restrict the collection of data;
- Provide secure data storage devices that put vehicle users in full control regarding the access to the data collected by their vehicles and provide technical measures to protect against cyber-attacks and prevent unauthorized access to and interception of personal data;
- Respect the principles of privacy by default and privacy by design;
- Guarantee that self-learning algorithms needed for automated and connected cars are made transparent in their functionality and have been subject to prior assessment by an independent body in order to reduce the risk of discrimination by automated decisions;
- Provide vehicle users with privacy-friendly driving modes with default settings; and
- Enter into a dialogue with the data protection and privacy commissioners to develop compliance tools to accompany and provide legal certainty to connected-vehicle-related processing.
While the resolution created a bit of buzz in Hong Kong, most observers believed that it contained nothing surprising. There was a general feeling that quite a bit of progress remains to be made with regulators and the expectations they may have regarding the connected vehicle industry.