Cyber security for cars – the impact of connectivity on security and privacy

Rocio De la Cruz, principal associate at Gowling WLG

The UK is fast becoming a global hub for the development of connected and autonomous vehicle technologies including testing of driverless vehicles in the urban environment.

But how is the industry being affected by legislation governing privacy? asks Rocio De la Cruz, principal associate at Gowling WLG.

Millions of vehicles worldwide are being fitted with in-vehicle computer systems and connected devices, raising many privacy concerns.

Autonomous and connected vehicles (ACVs) collect data from numerous sources in order to deliver both the basic mobility function and broader societal benefits.

Personal data relating to insurance, taxes, locations, mileage, fees and bookings will all need to be processed to provide the service. If customers opt into other services such as Wi-Fi, entertainment, telephony and marketing services, such data will be processed by a number of different operators.

Some of these operators may want or need to share data between themselves, therefore forming a complex scenario where the implementation of data protection and e-commerce requirements will have different implications.


The data protection regime under the Data Protection Act 1998 and General Data Protection Regulation (EU) 2016/679 (GDPR), which will become enforceable from 25 May, 2018, presents a number of key challenges to the ACV industry. Those causing most concern are:


Personal data has to be collected for ACVs to work properly. Any journey would enable identification and tracking of individuals by multiple organisations. This personal data could be used by the car itself, insurers, other vehicles, traffic planners, the police, commercial organisations and infrastructure.

Unless there are valid reasons for processing such data without obtaining consent, for example, where processing is necessary for the performance of a contract, or for sensitive personal data where processing is necessary to protect the vital interests of individuals by the police, users’ consent must be obtained and kept secure.

This need for clear consent is making data controllers think about how privacy notices could be redesigned to ensure that users fully understand them before giving consent. Regulators including the Information Commissioner have mooted the possible use of standardised icons to represent different parts of the privacy notice.

Sharing personal data

Mapping the flow of data between the multiple organisations processing it and determining the security measures to be in place will be crucial to complying with the GDPR.

Where joint controllers, processors and sub-processors are involved in dealing with personal data, the role and responsibilities of each party will have to be defined and agreed. Organisations would benefit from collaborating to identify identical and compatible purposes, which might help centralise processing to reduce the number of privacy notices given to each user.

The right to object

Enhanced individual rights in the GDPR such as the right to object will impact considerably on automated decision-making taken by ACVs. The industry needs to work out how users can object or withdraw their consent and build in systems to ensure that these rights are complied with.

Tracking and marketing

Marketers and other operators will use cookies and other tracking technologies when interacting with ACV users, either because this might be necessary (e.g. use by the police), or to send targeted marketing to individual users.


This will also be affected by the forthcoming e-Privacy Regulation (the draft Regulation) for which a draft proposal was published on 10 January, 2017 by the European Commission. While the draft Regulation is at a very early stage, its default position is that all content, metadata and information stored on users’ devices is confidential – regardless of whether or not it is personal data.

The draft Regulation increases the scope of existing legislation and applies to ‘over the top providers’ like WhatsApp, Facebook Messenger and Skype, and applies a higher level of privacy rules for all electronic communications. It takes account of the Internet of Things, which the ACV industry falls into, ensuring privacy of machine-to-machine communications.

Industry bodies are pushing for this sector to be allowed to self-regulate to avoid stifling innovation with red tape and having to deal with legislation that cannot keep pace with the rate of change. To date, legislators and regulators seem to be alive to those requests and are keeping a watchful eye on the progress.

The industry should also consider whether it needs any special positive treatment to ensure that privacy requirements do not strangle the societal benefits that ACVs could bring, for example looking for statutory permission to share some level of data for road maintenance, traffic management, route planning or emergency service response.

As ever with privacy, the issue is striking the correct balance that permits innovation without putting any individual’s identity at risk.

The author of this blog is Rocio De la Cruz, principal associate at Gowling WLG
