US car manufacturers violate privacy, mass tort claims dismissed
In our series of background articles about connected cars today a 'snack'. Five interrelated mass claims against car manufacturers in the US state of Washington caught our attention. These are notable because - as far as we know - these are the first (major) lawsuits against car companies worldwide that revolve around privacy violations.
What's the case? Once US owners of models from at least Ford, General Motors, Honda, Toyota and Volkswagen let their mobile phones connect to their cars' infotainment systems, those systems automatically download the phone's text messages and call history without permission. That data is stored in the car, but the on-board software then prevents drivers from accessing it themselves. If they request it, however, investigative agencies do get such access. Such agencies are in general disproportionately interested in vehicle data, we showed in our previous article see.
Transferring phone data to the car's on-board computer without people knowing about it was no exception, at least years ago in the US (see this startling fragment From an interview with an expert on car forensics). Provided you give permission for synchronisation, the data remains in the car and you can access it via the dashboard infotainment system can also just reach, there is not much to worry about.
In the EU, under the General Data Protection Regulation (AVG), the following then applies: you then use your own data purely on personal, ''household' basis. Those personal transactions fall outside the scope of the AVG. However, this exception does not relieve car manufacturers of the duty to ensure that on-board technical applications and default settings are secure and take privacy into account. The AVG does continue to apply to them in this sense (see paragraphs 33 and 75 in the AVG guidelines for connected cars).
Back to Washington, where judges in Seattle rejected the claims of the plaintiffs (residents of the same state) late last year rejected on appeal because they could not sufficiently demonstrate that themselves, their reputation or their business had been harmed. After all, this is required under the Washington Privacy Act for a breach of privacy to legally exist. In Privacy First's eyes, of course, this is an absurd provision, but dura lex, sed lex. So unless that flawed law is tightened, car manufacturers are free to continue with this rather ostentatious invasion of privacy.
Except for California, the United States is hopelessly behind the EU on privacy issues. Should carmakers do the same here, it would violate the AVG. In the event of a European court case, the manufacturers would therefore surely be knocked back by a judge.