These ‘connected vehicles’ have the ability to collect and process vast amounts of data. Perhaps unsurprisingly, one of the central features of these cars is their ability to capture personal data (including directly identifiable data such as a driver’s name or fingerprint, and indirectly identifiable data such as details of journeys made, data relating to driving style or distance covered), in order that manufacturers might improve the customer experience generally.
While no specific Irish or EU legislation exists which addresses the range of potential legal issues applicable to connected cars, there is a patchwork of data protection, telecommunication and cybersecurity legislation which might apply, depending on the circumstances. For example, the General Data Protection Regulation (GDPR) applies to the processing of all personal data generated by a “vehicle equipped with many electronic control units that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices both inside and outside the vehicle”.
Key challenges in regard to ‘connected vehicles’
Obtaining valid consent – Explicit customer permission is a core principle in GDPR. Therefore, manufacturers should ensure that data from connected cars is not captured, processed or shared without the data subject’s valid consent. The ability to secure this valid consent can prove a significant challenge.
Excessive data collection – The systems and sensors employed in connected cars have the ability to capture an estimated 25GB of data per hour. There is a risk that this data collection might be regarded as excessive, when viewed through the prism of the GDPR ‘data minimisation’ principle.
Security Issues – There is always the potential for the various systems and interfaces (USB, Wi-Fi, RFID etc.) which are used to collect data to be exposed to attack or hacking. The personal data stored within the vehicles or on an external server may also be at risk of unauthorised access, for example by vehicle technicians.
Third Parties – A novel aspect of data processing and connected vehicles is the involvement of third parties. There are a number of different participants aside from the vehicle owner, such as the driver, second-hand owner, renting/leasing drivers, and passengers. Often these participants or users of the car will not have given consent to the collection of data or may not be aware that data is being collected at all.
How to respond?
Privacy and data governance should be considered carefully during product or project development, with legal advice secured and integrated into the strategy, design and development phase of connected car projects. A proactive approach to privacy will bring a better awareness of privacy issues and ensure that any issues are identified and solved early in development.
In addition, the role of third-party product manufacturers should be carefully managed as their products may be less rigorous in ensuring proper data management in their own systems and in the systems they design. This could lead to problems for the connected car manufacturer in the future should there be deficiencies in the services or products obtained.
Connected car manufacturers need to keep track of the data collected. They should also map the flow of data they collect. As data will often flow automatically and be transferred and stored across multiple different platforms, it is vital that manufacturers have robust tracking and storage systems for this data.
Article written and contributed by Philip Flynn of PF Solicitors
DISCLAIMER: This article should not be regarded as constituting legal advice in relation to particular circumstances. It is merely a general comment on the relevant topic. If specific advice is required in connection with any of the matters covered above, please speak to PF Solicitors directly.