Connected car privacy

Customer trust is essential to large-scale adoption of connected cars

Image credit: Horiba MIRA

Manufacturers need to adopt a comprehensive approach to data privacy like the one prescribed by GDPR if they’re going to build public confidence in the intelligent, networked capabilities planned for vehicles of the future.

When the General Data Protection Regulation (GDPR) was introduced in May 2018, it was a step-change that overhauled the way in which businesses process and handle personal data. It also raised public awareness of the importance of privacy and the need to protect personal data.

This issue has only grown more significant with the accelerating pace of connected-technology deployment in vehicles, encompassing everything from connected applications, telematics and black-box insurance to mobile phone use.

In-vehicle data collection and processing has increased in terms of content type and volume, and now encompasses a vast array of personal information including phone numbers, address books, emails, location history, browsing history, preferences and driving habits. Collection and processing take place in a complex ecosystem, including not just the vehicle but also the phones, networks and, ultimately, the infrastructure it connects to.

Industry sources estimate that on average about 480 terabytes (TB) of data was collected by every automotive manufacturer in 2013, and it is expected that this will increase to 11.1 petabytes (PB) per year during the course of 2021. Looking into the future, it is predicted that connected vehicles will create up to 4,000GB of data per day – more than 1,400TB per year. With such large volumes of personal information being collected, it is inevitable that privacy will be a challenge. All the above will only increase with the rise of connected and autonomous vehicles.

Recognising the importance of user privacy in connected vehicles, Horiba MIRA carried out some pioneering research to enable us to explore the current state of user privacy and how it is presented to consumers in a modern vehicle.

The survey asked 1,038 car owners from the UK, Germany and Italy a series of questions based on GDPR principles to establish how they see privacy in their connected vehicles.

From a dealer’s perspective, compliance with GDPR is clear-cut. The findings indicate that a good proportion of recipients (70 per cent) across the three countries received a request for consent from their dealer to collect personal data, while around two thirds (68 per cent) received a request to store personal data.

However, once inside the vehicle, the need to comply with GDPR as it stands currently is less clear-cut. This is the case even if the operator of any of the connected features gathering personal data such as location could be considered a data controller. This was reflected in the numbers: less than half (45 per cent) received a request to consent to collect personal data once using technology inside the vehicle, a similar proportion (47 per cent) were asked about storing personal data, and only a third (35 per cent) were asked to agree to it being shared.

Only 60 per cent of the study's participants were given the option to choose whether their personal data could be shared with third-party companies and were informed of third-party companies that would have access to their data by the dealer and/or vehicle.

Default consent was also prevalent, with around one in three recipients (32 per cent) responding that they were opted in by default. Almost half (42 per cent) said they were not made aware that they could withdraw their consent from either the vehicle or the dealer.

Based on our findings, we’re recommending that manufacturers revisit their governance procedures and start to explore new approaches to ensure fair use of personal information. One such method is to look at increased transparency with regards to collection of personal data for the unique automotive use cases. An example is looking at where to place privacy notices such that two different owners can find them easily. Another recommendation would be to give consumers the power to completely erase private information from a vehicle so that there is no danger of leakage if it is sold or scrapped.

Implementing privacy best practice such as that espoused by GDPR would build on existing measures for protecting customers. This would ultimately lead to increased consumer trust in advanced technologies and is vital in ensuring mass adoption of future connected vehicles.

Garikayi Madzudzo is an advanced cybersecurity research scientist at Horiba MIRA.


Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles