Personal devices such as computers and smartphones are notorious for indiscriminately collecting user data – a tech practice that can often have an adverse affect on customer confidence and trust in brands. People may not realise this, but connected cars are no different in the way they collect driver and passenger data.
Traditional cars, electric vehicles and self-driving vehicles all gather massive volumes of data through communication networks, electronic systems and software, leaving personal information vulnerable to data trading, stealth and cyberattacks. Modern cars typically collect a few terabytes of data annually, while more advanced vehicles collect tens of terabytes of data every year.
In-vehicle data is divided into personal and non-personal information. Personal information is often associated with the drivers themselves, and includes journey details, driving style and data from synced phones. Non-personal information comes from car sensors, and includes weather data, roadside conditions and maintenance details.
Although data privacy is a main concern globally, it is more prominent in relation to internet browsing and the Internet of Things. Generally speaking, there is a low level of awareness among motorists about vehicle data, and most of them are not aware of the steps they may take to protect their privacy.
The responsibility to ensure a driver’s right to privacy mainly falls on car manufacturers. Dealerships should ensure transparency, informing customers clearly and concisely how their data will be processed, and giving them the choice to opt out. Data processing has to be based on the consent of car owners as well as other car users, which is where it gets tricky.
An additional worry is that connected vehicles are at risk of being hacked. This concerns both drivers and carmakers. Gaining illegal access to a driver’s personal information is worrisome not only from a data privacy perspective, but also from a physical danger point of view. If a hacker takes control of a connected vehicle, this could lead to loss of control in brakes, engine or steering, posing high risks to drivers, passengers, pedestrians and the general public.
A simple way to ensure vehicle data privacy is to seek consent from car owners for the collection and processing of their data, and let them decide whether they want their data removed. Few international car manufacturers allow customers to opt out, especially considering that many data protection laws globally are still in their early stages.
The vehicle data privacy challenge is twofold: the liability of automotive businesses and their responsibility to protect their customers’ personal information in line with local laws and regulations, and at the same time the privacy concerns among drivers and car users.
It is upon regulators to enact laws and take disciplinary action against carmakers, any other companies or people who engage in unfair or deceptive data practices, including car rental companies and automotive dealerships.
In the UAE, the government has enacted a Data Law that is seen as a pivotal pillar in the nation’s "Projects of the 50" series of developmental and economic projects. The new regulation went into effect across the UAE in January. The Emirates Data Office has also been established to address growing privacy concerns about data related to people and organisations, and to limit entities profiting from personal data. The Data Office is overseeing the Law’s implementation as the country’s federal data protection regulatory authority.
Until recently, technology has not been playing an active role to ensure data privacy in vehicles. Earlier this year, we collaborated with Privacy4Cars, an automotive repair solutions company in the Middle East, that provides patented software technology which enables the deletion of personal information from vehicles. Such technologies help safeguard motorist data in a fast, traceable and cost-effective manner and build a compliance log to meet privacy regulations. We are working with them to protect motorist when they rent, buy or sell a vehicle, ensuring their personal data remains secure.
While the Middle East’s privacy journey is still at a nascent stage, for automotive businesses across the globe, the issue of personal information getting into the wrong hands is a rising compliance and reputational risk. Failure to remove personal data from vehicles could have major legal implications and potentially expose sensitive data of motorists. In the years to come, especially with the advent of driverless cars and other autonomous technologies, more discussions around data privacy are needed so that policies and regulation can be put into place that benefit drivers and keep car owners and passengers safe.