Out-Law News | 14 Feb 2014 | 2:00 pm | 5 min. read
Munich-based technology law expert Stephan Appt of Pinsent Masons, the law firm behind Out-Law.com, said that it is unclear whether owners of connected cars, or those that manufacture them, could be said to be the owners of data generated by those vehicles.
"It is not clear, certainly under German law, whether the drivers, the owners or the manufacturers of vehicles can be said to own the data generated by them," Appt said. "For either standpoint there is some effort necessary to make the case that data belongs to drivers or owners rather than manufacturers and vice versa and either case would be arguable until a definitive statement is made on the issue by a court or in new laws. It is not as clear as it may seem."
The question of who owns data generated by cars is important because of the "gold mine of connectivity" that the age of 'connected cars' promises to bring, Appt said.
'Connected cars' is a term used to refer to vehicles that are fitted with SIM cards and which allow real-time information to be transmitted between information providers powering infotainment and driver assistance features and those vehicles or even between vehicles themselves over communication networks.
Most of the current discussion around connected cars is based around the health and safety benefits that such connectivity could offer. The European Commission, which has just announced the finalising of standards by the European Telecoms Standards Institute (ETSI) and European Committee for Standardisation (CEN) for vehicle-to-vehicle connections, has said that connected cars could allow for drivers to be notified about accidents, traffic problems and other road conditions.
However, Appt said that there is the potential for information providers to offer services to people in connected cars, from details about available parking spaces nearby to personalised advertising and entertainment and social networking services.
Car manufacturers are increasingly expressing an interest in tapping into the potential offered by connected cars, but Appt said there is uncertainty about data ownership.
"The SIM cards built into connected cars are able to transmit data generated from the use of the various systems connected," Appt said. "Manufacturers technically can collect the data as it is their IT infrastructure that is linked to the SIM card, however, it is not clear whether owners of the vehicles would themselves have ownership of the data. Even if manufacturers could be said to own the data, those companies would generally be required to obtain the consent of car owners and other drivers of the vehicle before sharing personally identifiable data with third parties, such as insurance companies, due to privacy laws."
Appt said that the manufacturers themselves as well as insurance companies may have an interest in some of the "technical data" generated in connected cars, such as about speed, driving habits, use of brakes and all sorts of other telematics data that sensors in the car collect. He said, though, that there is an ongoing debate about whether even some technical data could be said to constitute personal data, and therefore fall subject to rules set out under data protection laws.
"The unique identification number given to vehicles can be associated to the individuals who have registered as owners of those vehicles," Appt said. "The technical data generated by vehicles and associated with the unique vehicle identifier could, therefore, be linked to individual drivers and relay information about their driving habits, for example."
"Although there is a debate to be had about whether data generated in connected cars can be attributed to individuals where a number of different drivers use those vehicles, there is potential for data to be linked to individuals. The situation is to some degree analogous to the debate over whether IP addresses can be linked to individuals," he said.
"Where technical data is also personal data, manufacturers are likely to need the consent of individuals before they transfer such data to third parties such as insurance companies. Consent would almost certainly be needed from individuals before companies could collect and use other personal data that could be generated in connected cars, such as geolocation data or a log about those individuals' use of entertainment services, for example," Appt said.
The expert said that many connected car manufacturers also run websites where users can configure infotainment and driver assistance services. Those websites require users to register and set up an account, meaning that manufacturers may not even need the vehicle identification number to link technical data to the person using the car, he said.
Appt said that manufacturers could adopt 'privacy by design' to overcome privacy law concerns. They should consider whether they need to be able to link data generated through certain services to individuals and, for those services that do not, could deploy anonymisation techniques and other privacy by design measures to allow them to make use of the data generated without having to obtain individuals' consent to do so or having to comply with the other requirements of data protection law.
Where it is essential to use personal data, manufacturers and providers should consult with individuals over rights in the data and obtain consent for making use of the data where use goes beyond merely providing the services those individuals have requested or paid for together with the car. This may mean for purposes such as personalised advertisements or other marketing proposals, Appt said.
Appt also warned about the challenges that could arise in attributing liability for accidents involving connected cars.
"The law is currently quite clear in that registered car owners are, in the first instance, liable for accidents caused by their vehicle and require to be insured against such an eventuality," Appt said. "Car owners then might have the opportunity to pursue recourse against the vehicle manufacturer if it can be established that the accident occurred due to defect for which the manufacturer is responsible. If the accident was caused by a mechanical defect, this might be easily established."
"However, if an accident involves a connected car and is down to defective connectivity it may be difficult to establish precisely whether it was a software defect or a connection problem. This causes issues with determining where fault lies and who is liable for any damages to people or property," he said.
"For example, who would be liable for accidents caused by defects in software that lie in the interface between two connected cars?" Appt said. "Is the defect with software in the connected car involved in the accident or the car or information provider connected to it which was sending incorrect signals to it about road conditions but which was not involved in the incident? If there was a connectivity problem caused with network issues, can the network provider be held liable?"
In Germany there is a cap of €5 million on the damages that can be claimed for death or injury to people, and a €1m cap on damages that can be claimed for property. However, German law states that telecom providers can only be held liable for up to €12,500 of damages per damaged party. Appt said that uncertainty in determining the cause of accidents and the potential difficulties in recovering all the damages from those at fault may cause insurance companies to reconsider the terms of their policies.
"Even if liability for accidents can be attributed to telecoms companies for interruptions in connections, for example, drivers or their insurance companies could be left footing the bill for serious amounts of damages owed as a result of a crash," Appt said. "Law makers need to address these kinds of anomalies before the connected cars phenomenon really takes off."