Machine translations by Deepl

Connected cars and privacy - who's in the 'driver's seat'?

Against the backdrop of some recent developments, in this episode of our series on connected cars into the question of who is in charge of vehicle data. Is it the motorist or the car manufacturer? 

This piece in five points:

  • To whom does data originating from a car belong? From the car manufacturer or from the owner/driver of the vehicle? This has been the subject of debate for years. It is a tricky issue because there are often multiple drivers and the owner of a vehicle is by no means always the (permanent) driver, but, for example, a leasing company. Moreover, vehicles often have multiple owners during their lifetime.

  • The question of who vehicle data belongs to presupposes possession and ownership. In many cases, however, you cannot own data at all. Rather, it is about who has control over it. Who can direct the data and determine to whom it is available, and under what conditions? That is what needs to be legally regulated.

  • Consumers may own the car, but in practice it is really the car manufacturers who are (in most cases) in control of the data and decide whether and how to monetise that data for themselves.

  • With legally crammed terms of use and privacy statements, an app that comes with the car and all sorts of settings in the dashboard menu, it is also not easy for drivers to keep track of data flows and make use of their rights under the General Data Protection Regulation. Chances are they agree to things they don't actually prefer.

  • The AVG does not come off well in the automotive context, and car manufacturers that use strong privacy policies as an exclusive selling point for competitive advantage can as yet be counted on one hand. A ray of hope: new legislation is in the pipeline in Brussels that will mean a significant improvement for consumers in this respect.

So, as a startup, you skyrocket like a rocket and, with a value of more than $1 billion, you are referred to as a unicorn, so your capital injections dry up and you are forced to file for bankruptcy. That happened to Britain's Wejo: founded in Manchester in 2014 and thanks in part to collaborations with General Motors, Microsoft and Palantir Technologies become one of the largest vehicle data processors. At the end of May this year, to many people's surprise, the fairytale came to a (provisional) end.

As a listed company, Wejo was able to secure investment for a long time and closed a large deal with Ford which allowed it to access the personal data of Ford drivers, which it could then resell to insurance companies. However, due to soaring inflation, the cryptocurrency crisis, banks on the verge of collapse earlier this year (including Silicon Valley Bank) and sweeping rounds of layoffs within the tech sector, (venture) investors lost faith in fast-growing but loss-making companies like Wejo.

The company may have been almost 14 million cars can be tracked in real time, last year it suffered a loss of $160 million. Apparently, the vehicle data market is not necessarily a goldmine.

Wejo mentioned earlier in our piece on vehicle data hubs: companies that smooth vehicle data for third parties (see: Connected cars as a revenue model for data brokers). Studying such startups (they are, in most cases) is a useful way to get a good idea of what kind of data is coming out of connected cars.

Right of inspection

The German Netzpolitik treads a different and slightly more precise path in this respect. As yet another medium, it would like to knowing what carmakers are raking in in terms of data and calls on owners of new models from Audi, BMW, Mercedes, Opel, Volkswagen and Tesla to requests for access to their own data make, and then share the results of those requests. Every (curious) motorist - including in the Netherlands - has the right to make such a request under the General Data Protection Regulation (AVG), and every manufacturer is obliged to respond appropriately. Tips on this and a sample letter can be found at the Personal Data Authority.

Discovering what a car collects about you could also be easier, thought Privacy4Cars. That company became famous in 2018 for a free app of the same name to develop a tool that allows individual motorists and companies to quickly and efficiently remove personal data from car infotainment systems. Now it has built an online tool (Vehicle Privacy Report) through which - for now only US and Canadian - motorists can use their VIN number (the unique identification number of a car) to identify themselves. can easily find out what (personal) data their car manufacturers (may) collect and with whom that data is shared, if any. The tool bases this on a large number of car manufacturers' privacy statements, terms of use and other provisions Privacy4Cars has plucked from the internet.

In such statements, it often remains unclear whether, and if so, to what extent your car is automatically synchronised with your phone. When you plug your smartphone into the on-board computer, or connect via Bluetooth, is data from your mobile transferred, and does it stay within the car, or is it even forwarded? At least years ago, siphoning phone data without people realising it was no exception in the US (see this startling fragment From an interview with an expert on car forensics). Provided you consent to synchronisation and the data stays in the car, there is not much of a problem. Then, in Europe, the AVG only partially applies because the processing of the data is done only for personal or, as it is called, domestic use.

Many interesting reporting regarding connected cars comes from the US, where predominantly the same brands and, to a somewhat lesser extent, the same models are driving around as in Europe. But the question is whether what happens there in terms of data collection and (lack of) privacy also applies to the situation in the EU. On either side of the ocean, cars are of course technically capable of the same thing, but since almost all US states lack strong privacy laws, carmakers have more leeway there to do what they want with vehicle data, and consumers are more likely to suffer in this regard. Only the progressive state of California, with the California Privacy Rights Act since 1 January 2023 legislation that similar is with our AVG. The California Privacy Protection Agency (the only regulator in the US that focuses exclusively on privacy) has just issued a research launched into data gathering in the context of connected cars.

Somewhat briefly, legislation puts the citizen/consumer first in Europe, the (big) company in America and the government in China. Since 2016 mandatory China all car manufacturers, including Western ones, all kinds of vehicle data from electric cars sharing with the government. Its primary (economic) purpose is to allow its own car industry to catch up, but it should be clear that state surveillance is baked into this legislation.

Whose vehicle data?

Earlier, we wrote that connected cars generate huge amounts of data and mapped at which parties those data end up. The question of who vehicle data actually belongs to has not yet been addressed in detail. Does that data belong to the car manufacturer or to the owner/driver of the vehicle? This has been raging for years discussion and we are certainly not the first to raise this question. What complicates this discussion is the fact that there are often multiple drivers, and the owner of the vehicle is by no means always the (permanent) driver, but, for example, a leasing company. In addition, vehicles often have multiple owners during their lifetime.

The question of whose (vehicle) data belongs makes it immediately clear what is at stake, but is actually somewhat unfortunate. Apart from the fact that most drivers are technically incapable of accessing the encrypted data from their own vehicle at all, let alone working with it, this question assumes possession and ownership. In many cases, however, you cannot own data at all. At least, not by itself: an identical dataset can be simultaneously in many different hands and in many different places. Rather, the issue is who has control over the data. Who can direct the data and determine who they are available to, and under what conditions? That is what needs to be legally covered.

The message of the long-running campaign My Car My Data of the ANWB and the International Automobile Federation (FIA) is clear: motorists should be able to decide for themselves on all vehicle data, including those of a technical nature. The Finland-based but European-based NGO MyData thinks so - as do many other non-governmental organisations. More importantly, the European Data Protection Board (EDPB) - the umbrella organisation of all personal data authorities in the EU - is getting on board with this by publishing in specific guidelines stating, among other things, that technical vehicle data are indeed personal data as well. The EDPB recommends that manufacturers install a delete button on the dashboard so that motorists can easily delete personal data at once whenever they want.

Grey area

The theory is reasonably clear but the practice is more recalcitrant. The EDPB's guidelines were supposed to prevent authorities from asking personal data the same questions multiple times and car manufacturers from getting behind generic AVG would hide. Yet as far as connected cars are concerned, the AVG is not coming off well. Motorists, by and large, have gained very little from it.

For example, while the EDPB may argue that technical data are personal data, the large overlap between these two types of data (the state of brakes and braking behaviour) means that there is a grey area. This allows manufacturers, for example - under the guise of keeping the vehicle functioning properly and safely - to bend certain provisions to their will (e.g. the AVG basis 'legitimate interest' to be allowed to process data), and thus still collect certain data. It's not that car manufacturers are violating the AVG en masse - they are watching out. Some just cleverly exploit loopholes. Partly depending on the business model, some manufacturers go further in this than others.

A Harvard University study (Who owns the data generated by your smart car?) concludes that while the consumer may own the car, in practice it is really the car manufacturers (in most cases) who are in control of the data and decide whether and how to monetise that data for themselves.

With legally sealed terms of use and privacy statements (which are often repeatedly updated after purchase), an app that comes with the car and all kinds of settings in the dashboard menu, it is also not easy for drivers to keep track of their data flows. In principle, they do get the chance to take control of their data - to a certain extent, that is, because the necessary does come down to take it or leave it - but very clear and understandable is usually not it for them. Chances are they agree to things they don't actually prefer.

Cookie preferences

If you set your cookie preferences when you visit a website and look at the long list of advertisers, you fall off your chair. What would motorists think if they saw at a glance who all their data is shared with? Unfortunately, the analogy with online cookies does not hold true: in a car, you cannot set preferences at a detailed level for (the data streams behind) essential, functional and entertainment apps and services.

The shortcomings described above (there are more) are probably the reason why the question of whose vehicle data belongs is raised again and again. In any case, there is no court ruling upholding the EDPB's guidelines: neither a group of motorists nor the European Commission has ever filed a lawsuit against a car manufacturer for alleged misuse of personal data. Such lawsuits are an indication of the extent to which certain legislation is violated or circumvented. Whereas Facebook and Google, for example, have been repeatedly targeted by the Commission for their handling of personal data, the car industry has so far been spared this.

Incidentally, in the case of a mass claims case, consumers (motorists) would not only be up against an army of top lawyers, they would probably also face a large information backlog. After all, manufacturers know much more about their customers than the other way around. This was also discovered by complaining Tesla drivers who had taken Tesla to court over broken drive shafts. As evidence, Tesla cited driving behaviour and vehicle data from and against these suing customers, and based on that vindicated.

Exclusive selling point

Car manufacturers themselves are keeping a bit more to themselves in the data discussion: for image's sake, it is also not useful to shout that they are in charge of the data. We are GDPR compliant or We value your privacy - usually stick to neutral statements like that. Few would dispute that with connected cars, drivers' privacy is under pressure, yet with so many different makes and models, there are shades. German car brands, for example, are unlikely to be among the biggest privacy violators.

Some brands are clearly more accommodating to their customers in terms of data protection than others, such as Audi with its dashboard setting 'privacy mode' and Volkswagen with the 'maximum privacy' setting. Some brands state on the dashboard little more than that data collection is taking place (please accept or not) and refer to a website for more information. For some examples, see pictures at Auto Interfaces.

Car manufacturers using strong privacy policies as an exclusive selling point for competitive advantage can be counted on one hand anyway. Marketing is mostly focused on driving pleasure and functionality. The board of Porsche (part of Volkswagen) decided getting ahead of the troops two years ago by emphatically communicating that data governance (at least for the Taycan model) was entirely to the customer is and which has the ability to fine-tune or completely stop the sharing of (personal) data - either with the manufacturer or with third parties.

Fine, but yes, who can afford a Porsche? Yet within a few years, this policy will become standard for all car manufacturers in Europe. There goes the Data Regulation from Brussels for concerns. Business ethics and (voluntary) codes of conduct are useful, but ultimately only legislation and oversight can save consumers from privacy-invasive use of technology for commercial gain. Whereas the AVG was at best a good springboard in the automotive context, the Data Regulation - which covers all sectors of the economy - will settle the question of who gets to be in charge of (vehicle) data once and for all in favour of consumers.

In the next article, we take a closer look at this new legislation.