US automakers agree new ‘privacy principles’ for connected car data

Out-Law News | 19 Nov 2014 | 4:06 pm | 3 min. read

Two US-based organisations that represent some of the world’s biggest car manufacturers say they have reached agreement on privacy standards for securing the large amounts of data generated by computers and tracking systems used in vehicles.

The Alliance of Automobile Manufacturers (AMM) and Global Automakers (GA) said new automotive technologies and services “are providing our customers with tremendous benefits”.

The two organisations have jointly unveiled a set of privacy protection ‘principles’ (14-page / 608 KB PDF) that commit car manufacturers to “take certain steps to protect the personal data generated by their vehicles” and are intended to instil confidence in data privacy among motorists.

GA chief executive officer John Bozzella said: “The privacy principles reflect the reality that automobiles increasingly make use of innovative technologies designed to save lives, time and the environment. As modern cars not only share the road but will in the not too distant future communicate with one another, vigilance over the privacy of our customers and the security of vehicle systems is an imperative.”

According to GA, “the principles’ fundamentals are based on the US Federal Trade Commission’s (FTC) Fair Information Practice Principles (FIPPs) (1-page / 66 KB PDF), which, in turn, rest on privacy practice frameworks used in the US and around the world for over 40 years”.

Germany-based data protection specialist Stephan Appt of Pinsent Masons, the law firm behind Out-Law.com, said: “From a European perspective the privacy principles should be regarded as a good starting point, as they indicate that the US automotive industry has recognised the risk involved with insufficient privacy standards and was able to agree on a common set of privacy standards, which is something that puts participating members ahead of their European counterparts.”

Appt said: “On the other hand the principles may fall short of what European data protection authorities would be able to accept. For example, the principles could arguably imply that implicit consent is sufficient for the use of personal data for purposes beyond what might be necessary for the performance of vehicle technologies and services. In terms of ‘respect for context’, another feature of the principles, it appears to be sufficient to keep data usage within the scope of the notice, as the carmakers have explained. This is true at least for as long as it is considered ‘reasonable and responsible use’, which apparently includes using and sharing personal data for advertising.”

“The principles are meant to apply to US consumers, but if they were to be rolled out and applied to vehicles produced for the European market, they would require a considerable degree of ‘fine tuning’,” Appt said. “Privacy regimes in European countries are amongst the strictest worldwide and data protection authorities, in particular in Germany, have put the use of data generated by connected cars high on their regulatory agenda. US carmakers are well advised to review the European picture and consider EU privacy requirements early in the design and development process.”

Appt said: “The Article 29 Working Party, which is the representative body of data protection authorities in each EU member state, recently made clear that any equipment used in an EU country triggers the applicability of European data protection laws. Consequently, US carmakers are subject to European data protection laws when processing data originating from connected cars on European roads. None of this should be expected to change under the proposed General Data Protection Regulation currently under discussion across the EU. In fact, under the proposals, the risks to firms who breach EU regulations are set to become higher as potential fines could be up to 5% of a firm’s annual worldwide turnover.”

GA said: “Consistent with the FIPPs approach, the principles treat sensitive information, such as geo-location, driver behaviour, and biometric information, with additional, heightened protections.”

GA said it met with FTC as the principles were developed and “the agency is supportive of the industry efforts”.

“These privacy commitments are part of a larger initiative by automakers to protect the privacy and security of the data necessary to support these advanced vehicle technologies,” GA said. “Despite the absence of reported hacking incidents affecting vehicles on the road to date, the industry also is taking proactive measures to prepare for threats by working to establish a mechanism for sharing vehicle cyber security information among the auto sector.”

AMM president and chief executive officer Mitch Bainwol said: “Automakers believe that strong consumer data privacy protections are essential to maintaining the trust of our customers.”

Bainwol said: “New automotive technologies and services are providing our customers with tremendous benefits. For example, alerts about traffic conditions help reduce congestion, while concierge services are able to unlock car doors and route drivers around the path of a storm. Providing such features in a transparent way is important to both customers and automakers. Our privacy principles reflect a major step in protecting personal information collected in the vehicle.”