Many new cars models are linked to the Internet. But according to a new study, drivers are often not aware of where their personal data ends up.
Consumer group Federation Internationale de l’Automobile (FIA) exposed about a dozen kinds of data that are collected from new types of connected cars and shared with auto manufacturers.
Connected cars have been in the spotlight this year, after a number of manufacturers announced deals with telecommunications companies to supply cars with services that require internet connectivity.
The number of cars in Europe that use services connected to the internet will spring up within the next few years. In April, the European Parliament approved the eCall regulation, which starting in March 2018 will require all new cars sold in the EU to be outfitted with a connected emergency system that automatically calls for help once sensors detect that a car has been in a serious accident.
But consumer groups and privacy advocates have warned that more personal data will flow back to manufacturers if a car uses services that connect to the Internet.
FIA and its partner, German car club ADAC, are calling on manufacturers to be transparent about what data they collect following the groups’ tests on car models BMW320d and the BMW i3. FIA said it plans to analyse cars from other manufacturers.
According to FIA’s test results, those models send data back to BMW that can expose a person’s driving style, number of trips made, destinations programmed into the GPS and information synced from mobile phones.
Electric model BMW i3 records data about the drive battery, the car’s 16 most recent charging locations, and about 100 of its last parking spots.
When the ignition of the electric car is turned off, its geographical coordinates, transmission time and other data are automatically sent to the manufacturer.
FIA warns that some data that’s collected can give manufacturers a profile of driving behaviour. The BMW320d measures when a driver’s seatbelt tightens from sudden braking.
Most of the data collected by those two car models are stored for repairs or to track usage and can’t be accessed by the driver, according to the study.
A spokesperson for the European Automobile Manufacturers’ Association (ACEA) said in a statement sent to EURACTIV that the car industry intends to comply with the upcoming EU data protection directive, currently making the final rounds in negotiations expected to end this year. The spokesperson added that legislation beyond that is unnecessary.
“Manufacturers do not believe it would be appropriate for the EU to lay down additional rules for how data protection should be ensured specifically in relation to connected vehicles and services. No other sector or product, not even smartphones or computers that process a lot of personal data, are subject to specific legislation,” he said.
>>Read: Autonomous driving takes back seat as connected car rules prepared
FIA argued that consumers should be able to choose providers of the digital services built into new connected car models instead of being locked into deals that a manufacturer made with one specific telecommunications operator.
According to FIA, the European Commission’s reactions to that demand haven’t been promising.
In July, FIA sent EU Digital Commissioner Günther Oettinger a letter warning against “business-to-business contracts [..] entirely bypassing consumers and denying them the ability to freely choose service plans and providers”.
Since then, car manufacturers have gotten closer to telecommunictions companies.
Oettinger brokered an agreement at the Frankfurt Road Show in September between the European Automobile Manufacturers’ Association and large telecommunications companies.
Over the summer BMW, Audi and Daimler bought Nokia’s maps business Here. Manufacturers are eager to obtain digital mapping software for their driverless or autonomous cars, which are not yet commercially available in Europe.
“Connected cars are already on the market, tracking and able to communicate private information about consumers. Now is the time for policymakers to take a strong stand and defend consumers,” said Thierry Willemarck, president of FIA’s operations in Europe.
FIA also conducted a public survey in 12 EU countries as part of its study. Ninety-five percent of people who responded said there should be legislation on car and driver data. Most wanted to own their driver data and be able to turn off internet connectivity in cars.
Other consumer groups echoed FIA’s calls for car manufacturers to be transparent about what data they collect from drivers.
“It is crucial consumers have control over their personal data such as location information transmitted by the car but also who can access the data and for what purpose,” said David Martin, senior legal officer at the European Consumer Organisation (BEUC).
The EU cybersecurity agency ENISA announced last month that it would bring together an industry group of car manufacturers to put together cybersecurity recommendations for connected cars.
>>Read: EU agency hones in on cybersecurity and connected cars
Positions
Here is the full statement from the European Automobile Manufacturers' Association (ACEA) that was sent to EURACTIV:
“In September, the European Automobile Manufacturers’ Association (ACEA) adopted a statement setting out five principles of data protection to which the industry will adhere. These principles include transparency, customer choice, ‘privacy by design’, data security and the proportionate use of data. Data protection is an issue that Europe’s automakers take very seriously, as they are committed to providing their customers with a high level of protection and maintaining their trust.
There are many ways in which manufacturers can apply these data protection principles in practice. Since they have a contract with all customers who buy a connected vehicle or service, manufacturers can inform users about the personal data and categories of personal data (including geolocation and driver behaviour data) processed in that contract. In addition, manufacturers can include this information in the user manual, or can use in-vehicle solutions such as a special menu in the infotainment system, specific icons or pictures to make this information available in a clear, meaningful and easily accessible way.
It is important that each manufacturer maintains the freedom to do this in the way he sees fit – as long as he complies with his legal obligations, obviously. These obligations are set out in the EU Data Protection Directive, which is currently being reviewed. Once this is done, the European Union is likely to have one of the most stringent data protection regimes in the world.
While the automobile industry has every intention of complying fully with this new regime, manufacturers do not believe it would be appropriate for the EU to lay down additional rules for how data protection should be ensured specifically in relation to connected vehicles and services. No other sector or product, not even smartphones or computers that process a lot of personal data, are subject to specific legislation.”
Background
Connected cars use internet connectivity to perform various functions, including measuring location, road conditions and car performance.
Autonomous or driverless cars do not need driver intervention to function. Car companies have been calling for laws that would allow autonomous cars to drive more freely in Europe.
The EU has been leading initiatives to promote road safety and traffic management by pooling information provided by cars that are hooked up to the digital network infrastructure, as early back as 2010. In particular, the EU executive wants wants the industry to convert their efforts into "a global market success" via enhanced co-operation and standarisation of ICT-aided cars. Car manufacturers have also invested heavily in these.
"With connected cars, we need co-operative research to help develop global standards," said Neelie Kroes, the EU's former Digital Agenda Commisioner.
The European Commission has announced that it will propose legislation in 2016 that will impact connected cars.