Connected cars crave for data
Connected cars mainly collect technical details, such as oil consumption and engine performance. Manufacturers use this information to what they describe as ‘making better products’. Some brands also mention marketing, security and crime prevention (Volkswagen) or insurance (BMW).
But personal data are collected as well: routes, speed, driving style, etc. Volvo says this information is linked to the car’s unique code. This means the data can be linked to the driver.
Tom van Engers, professor IT law at UvA, is one of the researchers on the project. He says car manufacturers show a form of misuse of power: “The car is yet again a case of data hunger by the industry.” Engers sees a point in collecting some data, a distress signal for example, but often it is unclear what is collected, why and who has access to it. “It sometimes seems they collect as much data as possible in the hope of ever being able to use it.”
The query is based on a test sample of Amsterdam car dealer customers. Previously, a similar inquiry was conducted by the Dutch mobility organization, ANWB, and its European sister organizations. The number of respondents was the same as that of the UvA study and results were similar. 12% felt well informed, the rest not or not at all.
information and opt-out
According to van Engers, the problem is the unequal relation between individuals and companies: “The manufacturer knows exactly what data are collected, the driver has to discover it.” He feels purchase contracts should mention what is collected and why.
Also, the buyer should easily be able to opt out. At the moment, the only choice to avoid sharing data is not to buy. Tesla says data collection can be switched off, but issues a strong warning that the car can break down.
Manufacturer privacy statements
Car manufacturers refer to their privacy statements, a European GDPR obligation when car data can be traced back to persons. Tesla has the most detailed legal declaration. Its cars send almost all measurable data to the manufacturer, from browser history to the number of times the driver uses the horn. Tesla buyers get a detailed instruction on the data policy, but only when they ask for it.
Other car manufacturers have car owners install an app to see what data are collected. In its privacy statement, Volvo often mentions ‘etc.’, leaving a lot of possibilities open. BMW’s statement is even more summary, mentioning general categories like ‘vehicle functions and configuration data’ or ‘technical vehicle data’.
An extra delicate point is the data exchange with ‘third parties’. They are mentioned in all legal privacy statements but never specified. Further research only delivers general descriptions like ‘service providers’ or ‘software developers’.
BMW also shares data with BMW financial services, its insurance branch. However, the contract doesn’t state if this is done automatically. The union of insurance companies is an advocate for vehicle data collection. Last year, they pleaded to have each vehicle equipped with an Event Data Recorder. They say this would help decide who is at fault in case of a car accident.
A Peugeot spokesperson states personal data are never shared with third parties unless with explicit consent of the customer. This is contradictory with Peugeot’s own general terms for Teleservices. These mention data are shared with Peugeot subsidiaries, the commercial Peugeot network or service providers. When probed, Peugeot admits its privacy statement is not the most recent information.
The Dutch ministries of Infrastructure and Economic affairs will publish a report on the matter in April. The report, made by consultant Ecorys, investigates all data collection by car manufacturers with privacy as one of the aspects. The goal of the study is to see how the market works. The government wants to know if car manufacturers don’t have too much power over car dealers and service suppliers.