Cyber security for cars – the impact of connectivity on security and privacy

Rocio De la Cruz, principal associate at Gowling WLG

The UK is fast becoming a global hub for the development of connected and autonomous vehicle technologies including testing of driverless vehicles in the urban environment.

But how is the industry being affected by legislation governing privacy? asks Rocio De la Cruz, principal associate at Gowling WLG.

Millions of vehicles worldwide are being fitted with in-vehicle computer systems and connected devices, raising many privacy concerns.

Autonomous and connected vehicles (ACVs) collect data from numerous sources in order to deliver both the basic mobility function and broader societal benefits.

Personal data relating to insurance, taxes, locations, mileage, fees and bookings will all need to be processed to provide the service. If customers opt into other services such as Wi-Fi, entertainment, telephony and marketing services, such data will be processed by a number of different operators.

Some of these operators may want or need to share data between themselves, therefore forming a complex scenario where the implementation of data protection and e-commerce requirements will have different implications.

The data protection regime under the Data Protection Act 1998 and General Data Protection Regulation (EU) 2016/679 (GDPR), which will become enforceable from 25 May, 2018, presents a number of key challenges to the ACV industry. Those causing more concern are:


Personal data has to be collected for ACVs to work properly. Any journey would enable identification and tracking of individuals by multiple organisations. This personal data could be used by the car itself, insurers, other vehicles, traffic planners, the police, commercial organisations and infrastructure.

Unless there are valid reasons for processing such data without obtaining consent, for example, where processing is necessary for the performance of a contract, or for sensitive personal data where processing is necessary to protect the vital interests of individuals by the police, users’ consent must be obtained and kept secure.

This need for clear consent is making data controllers think about how privacy notices could be redesigned to ensure that users fully understand them before giving consent. Regulators including the Information Commissioner have mooted the possible use of standardised icons to represent different parts of the privacy notice.

Sharing personal data

Mapping the flow of data between the multiple organisations processing it and determining the security measures to be in place will be crucial to complying with the GDPR.

Where joint controllers, processors and sub-processors are involved in dealing with personal data, the roles and responsibilities of each party will have to be defined and agreed. Organisations would benefit from collaborating to identify identical and compatible purposes, which might help centralise processing to reduce the number of privacy notices given to each user.

The right to object

Enhanced individual rights in the GDPR such as the right to object will impact considerably on automated decision-making taken by ACVs. The industry needs to work out how users can object or withdraw their consent and build in systems to ensure that these rights are complied with.

Tracking and marketing

Marketers and other operators will use cookies and other tracking technologies when interacting with ACV users, either because this might be necessary (e.g. use by the police), or to send targeted marketing to individual users.

This will also be affected by the forthcoming e-Privacy Regulation (the draft Regulation) for which a draft proposal was published on 10 January, 2017 by the European Commission. While the draft Regulation is at a very early stage, its default position is that all content, metadata and information stored on users’ devices is confidential – regardless of whether or not it is personal data.

The draft Regulation increases the scope of existing legislation and applies to ‘over the top providers’ like WhatsApp, Facebook Messenger and Skype, and applies a higher level of privacy rules for all electronic communications. It takes account of the Internet of Things, which the ACV industry falls into, ensuring privacy of machine-to-machine communications.

Industry bodies are pushing for this sector to be allowed to self-regulate to avoid stifling innovation with red tape and having to deal with legislation that cannot keep pace with the rate of change. To date, legislators and regulators seem to be alive to those requests and are keeping a watchful eye on the progress.

The industry should also consider whether it needs any special positive treatment to ensure that privacy requirements do not strangle the societal benefits that ACVs could bring, for example looking for statutory permission to share some level of data for road maintenance, traffic management, route planning or emergency service response.

As ever with privacy, the issue is striking the correct balance that permits innovation without putting any individual’s identity at risk.

The author of this blog is Rocio De la Cruz, principal associate at Gowling WLG
