Cyber security for cars – the impact of connectivity on security and privacy
The UK is fast becoming a global hub for the development of connected and autonomous vehicle technologies including testing of driverless vehicles in the urban environment.
But how is the industry being affected by legislation governing privacy? asks Rocio De la Cruz, principal associate at Gowling WLG.
Millions of vehicles worldwide are being implemented with in-vehicle computer systems and connected devices, raising many concerns concerning privacy.
Autonomous and connected vehicles (ACVs) collect data from numerous sources in order to deliver both the basic mobility function and broader societal benefits.
Personal data relating to insurance, taxes, locations, mileage, fees and bookings will all need to be processed to provide the service. If customers opt into other services such as Wi-Fi, entertainment, telephony and marketing services—such data will be processed by a number of different operators.
Some of these operators may want or need to share data between themselves, therefore forming a complex scenario where the implementation of data protection and e-commerce requirements will have different implications.
The data protection regime under the Data Protection Act 1998 and General Data Protection Regulation (EU) 2016/679 (GDPR), which will become enforceable from
25 May, 2018, presents a number of key challenges to the ACVs industry. Those causing more concern are:
Personal data has to be collected for ACVs to work properly. Any journey would enable identification and tracking of individuals by multiple organisations. This personal data could be used by the car itself, insurers, other vehicles, traffic planners, the police, commercial organisations and infrastructure.
Unless there are valid reasons for processing such data without obtaining consent, for example, where processing is necessary for the performance of a contract, or for sensitive personal data where processing is necessary to protect the vital interests of individuals by the police, users’ consent must be obtained and kept secure.
This need for clear consent is making data controllers think about how privacy notices could be redesigned to ensure that users fully understand them before giving consent. Regulators including the Information Commissioner have mooted the possible use of standardised icons to represent different parts of the privacy notice.
Sharing personal data
Mapping the flow of data between the multiple organisations processing it and determining the security measures to be in place will be crucial to complying with the GDPR.
Where joint controllers, processors and sub-processors are involved in dealing with personal data the role and responsibilities of each party will have to be defined and agreed. Organisations would benefit from collaborating to identify identical and compatible purposes, which might help centralise processing to reduce the number of privacy notices given to each user.
The right to object
Enhanced individual rights in the GDPR such as the right to object will impact considerably on automated decision-making taken by ACVs. The industry needs to work out how users can object or withdraw their consent and build in systems to ensure that these rights are complied with.
Tracking and marketing
This will also be affected by the forthcoming e-Privacy Regulation (the draft Regulation) for which a draft proposal was published on 10 January, 2017 by the European Commission. While the draft Regulation is at a very early stage, its default position is that all content, metadata and information stored on users’ devices is confidential – regardless of whether or not it is personal data.
The draft Regulation increases the scope of existing legislation and applies to ‘over the top providers’ like WhatsApp, Facebook Messenger and Skype, and applies a higher level of privacy rules for all electronic communications. It takes account of the Internet of Things, which the ACV industry falls into, ensuring privacy of machine-to-machine communications.
Industry bodies are pushing for this sector to be allowed to self-regulate to avoid stifling innovation with red tape and having to deal with legislation that cannot keep pace with the rate of change. To date, legislators and regulators seem to be alive to those requests and are keeping a watchful eye on the progress.
The industry should also consider whether it needs any special positive treatment to ensure that privacy requirements do not strangle the societal benefits that ACV could bring, for example looking for statutory permission to share some level of data for road maintenance, traffic management, route planning or emergency service response.
As ever with privacy, the issue is striking the correct balance that permits innovation without putting any individual’s identity at risk.
The author of this blog is Rocio De la Cruz, principal associate at Gowling WLG
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow