UK drivers want more control over connected car data

GE and Caterpillar invest millions in autonomous vehicles start-up
GE and Caterpillar invest millions in autonomous vehicles start-up

Connected car data should be under owner control according to the AA

Drivers are concerned about who has access to data generated by connected car and believe ownership of such data should remain in the hands of the owners or drivers themselves, according to the AA.

The motoring organisation kicked off a campaign to raise public awareness on vehicle data and to call for privacy legislation and an impartial after-market for connected vehicle services.

Called “My Car, My Data”, the campaign is run by the FIA (Federation Internationale de l’ Automobile) alongside motoring clubs across Europe. One of the beliefs of the campaign is that access to data about drivers’ mobility habits should only be with their full, informed consent and that drivers should be the ones who decide if data is shared and with whom.

The AA said this would “ensure that drivers’ have the freedom to choose any service they like for their motoring over the car’s lifetime, and would allow service providers to compete freely to offer the most added-value for the data drivers agree to share”.

Edmund King, AA president, said: “Connected cars offer drivers a vast array of new and exciting services plus they can help with breakdowns and crashes.

“It is clear drivers may be unaware of just what information is collected, how it is used, who owns it and how is it protected.  We support the FIA’s campaign aimed at ensuring there is greater transparency with this rapidly developing motoring technology.   It is also clear that the majority of drivers in the UK think the car owner or driver should own the data and 90% would be willing to share that information in the event of a breakdown. Drivers have a right to demand ‘My car. My data’.”

Matt Pfeil, chief customer officer at DataStax, told Internet of Business that people are generating more and more data by using devices and services connected to the Internet and they have to  realise there is a monetary value assigned to the data we create over time.

“When we choose our products, we need to take into account what a company could potentially do with our data. What is important is the trust between us as customers and the company we allow to create that data on our behalf, whether it is within the car or not. Understanding what we are signing up to is therefore important – EULAs have to be more user friendly,” he said.

Mark Deem, a privacy and technology lawyer at Cooley (UK) LLP, told IoB that privacy is undoubtedly an important consideration in handling consumer data, any wholesale rejection to make the data more widely available on the grounds of privacy risks ignoring its intrinsic value for innovators. “It should, of course, be remembered that privacy concerns only arise to the extent that personal data or information is involved,” he said.

“Even if it is necessary to capture and retain personal data, businesses should allow such data to be collected and retained in such a way that it can be suitably anonymised at the earliest possible moment in its lifecycle,” he added.

Simon Moffatt, solutions director at identity management specialist, ForgeRock, told Internet of Business that while many car owners are happy to engage and utilise personalised services, many now require consent driven data sharing policies and infrastructures.

“Modern data sharing infrastructures, such as the User Managed Access (UMA) standard, can help organisations engaged in the car industry – from manufacturers, insurers, maintainers and more – to provide secure personalised services, with full transparency over who has access to what data and why,” he said.

Daniel Hedley, associate at Thomas Eggar, told IoB that when a connected car ‘phones home’ with personal data, the car manufacturer would have to treat that data accordingly.

There might be an interesting argument under the current law as to whether the data processing happens ‘in the context of an establishment or regular practice in’ the EU or on equipment located in the EU, and if so which member state’s laws apply,” he said.

“That said, in light of the very broad view of what constitutes an ‘establishment’ taken by the Court of Justice in the Google Spain case, it seems unlikely that a car manufacturer based in, say, the US would be able to argue that EU data protection law does not apply to the processing.  Such an argument would also be completely unsustainable once the new General Data Protection Regulation comes into force (probably 2018 now).”