Mobility and the GDPR: An important but uneasy partnership

In November 2015, Allgemeiner Deutscher Automobil-Club (ADAC), the German motoring organisation, discovered that large amounts of data was being captured by the on-board diagnostics (OBD) system of a BMW320d without the permission of the user. This included sensitive personal data such as driving destinations and phone contacts.

At that time these files could only be accessed by directly connecting to the OBD, but now data is transmitted wirelessly – and the amount of information being collected is growing by the day, and so too, the need for the regulation of data collection, storage and processing.

In the new age of mobility, empowered by increasingly connected and automated vehicles, data is the name of the game. The majority of new cars come with a variety of internet connected features, which collect, use, and share vast amounts of information about the car and its passengers.

The range of data collected includes diagnostics (e.g. speed, tire pressure, fuel economy, engine temperature), event data recorders (e.g. navigation and distances from other cars, connection to emergency services), infotainment systems, as well as embedded SIM cards.

According to Intel a connected L5 automated vehicle could produce about 4,000 GB of data per day, much of it deemed personal. In safeguarding this personal information OEMs and service providers are now required by law to conform to the General Data Protection Regulation (GDPR) which came into effect on May 25^th 2018. Replacing the EU's Data Protection Directive of 1995, the GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals residing in the EU.

Image Source: Telecoms.com

Since the GDPR is all about personal data, any information that can be used to identify a person falls within its scope, meaning that any sensitive personal data will require the express consent by users before being collected. This includes biometric data (such as voice or fingerprint recognition), behavioral data (such as driving patterns, routes and destinations or infotainment preferences), or personally identifiable information (such as a name, phone number, or username and password).

While this regulation is certainly welcome, the connected, autonomous and shared future of mobility relies heavily on OEMs, their dealers and infotainment service providers obtaining and processing Big Data generated by vehicles and their passengers. Thus, all stake holders will need to re-evaluate their strategies regarding data acquisition and processing, which could significantly impact on existing business strategies.

A joint publication of the German Automotive Manufacturers’ Association (VDA) and German Data Protection Authority defines all data associated with a vehicle identification number (VIN) as personal data. This includes almost all data held by service workshops, including diagnostic results and trouble codes, repair data and warranty information.

The fine line between the GDPR and customer convenience

Currently, in the aftermarket, connectivity plays a significant role in enhancing the customer’s experience while providing the OEM and the dealer network with valuable data.

For instance, searching for a dealership and booking an appointment can be made from the vehicle, whereby the dealer electronically gets, not only the scope of the work and diagnostic information pertaining to the vehicle, but also the name and contact information of the person.

Moreover, before the dealer receives the vehicle, all pertinent information can be downloaded from the manufacturer. And on completion of the work, the manufacturer can be informed what was done, thereby updating a central vehicle history and even enable a predictive analysis.

Thus, personal data has been:

• Collected: Even before meeting the person, the dealer has already collected a significant amount of information
• Used: To do the repair, report taxes and get paid
• Generated: By doing the repair, more data related to the individual was “created” - the visit itself, activities done, spare parts replaced, invoice, payment details, etc.
• Shared with a third party to be used for other purposes such as ‘Customer Satisfaction’ follow-up

During this process many dealers profile their customers and handle what the GDPR considers sensitive (special category) data without even knowing it. The GDPR considers something as simple as a note saying that a customer has children or a dog to be profiling. Customers also often provide dealers with sensitive information such as health details, or details about their religious or political beliefs, when they join special groups for purchasing vehicles at discounts.

In future the GDPR will require the more than 200,000 car dealers, repairers and workshops in the EU to securely and properly manage personal information and to keep records of how this data is processed. In the beginning, many small workshops will struggle with record keeping, which requires a deep understanding of their own processes.

To complicate matters even further, although the repairer is often the data controller, there are several circumstances in which the OEM, or the bank or leaser, or service provider is the data controller, while the repairer simply processes the information.

The GDPR examines the control over the personal data, rather than its possession, creating two types of roles that affect the extent of responsibilities:

• Data controllers are companies that determine the purpose for which or the way in which personal information is processed
• Data processors are companies that process personal information on behalf of the data controller

GDPR states that controllers must make sure that personal information is processed lawfully, transparently, and for a specific purpose, meaning that people must understand why their data is being processed, and how it is being processed, while that processing must abide by GDPR rules.

'Lawfully' has a range of alternative meanings, not all of which need apply. Firstly, it could be lawful if the subject has consented to their information being processed.

Alternatively, lawful can mean to comply with a contract or legal obligation; to protect an interest that is "essential for the life of" the subject; if processing the data is in the public interest; or if doing so is in the controller's legitimate interest - such as preventing fraud.

Conversely, if a company wants to process data, the data processor requires the subject’s consent. The law also requires companies to make it easier to transfer information between services (known as the “right to portability”) and delete personally identifiable information (PII) in the right circumstances (“right to erasure”).

This means OEMs, dealers and service providers will have to make sure the drivers’ data can be transferred to other entities, making it easier to change brands while keeping PII out of the hands of advertisers unauthorized by the drivers.

In an industry already in the throes of disruption, the successful implementation of the GDPR will require a fine balancing act between customer convenience, conformance to legislation and data acquisition.

The legislation’s definition of personal data extends to connected and autonomous vehicles. Owners of such vehicles must be clearly told how their information could be accessed by the OEM, and they must have the ability to restrict such access.

Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.

The GDPR: A paradigm shift for OEMs

Under the EU’s new Privacy and Electronic Communications (e-Privacy) Regulation, the OEMs will be forbidden from selling “connected cars” if the cars do not comply with the EU’s data sharing standards.

This regulation restricts how much data an OEM can share with other organizations by excluding any third party from using the data generated by connected vehicles without the user’s consent.

If either the GDPR or the e-Privacy Regulation is breached, the OEM can be fined up to €10 million, or 2% of a car manufacturers’ total worldwide annual turnover, whichever punishment is higher.

What's more, as connected cars evolve and increase their reliance on the IoT, it is becoming progressively more important to design resilient security networks and strengthen the preparedness of cybersecurity teams to respond to a breach.

In so doing the GDPR seeks to promote security, requiring that manufacturers and service providers pay attention to the implementation of privacy by design and privacy by default. This is expected to encourage companies to design systems with data protection in mind (e.g. amount of information collected, the extent of processing, storage period and accessibility).

Importantly, access to customer data won’t just be confined to external digital service providers. The regulation will also apply to machine-to-machine communications, or between vehicles (V2V) or between vehicles and infrastructure (V2I).

Apart from the enhancement of the driving experience, data collected can also create added value for the OEM in the form of big data. Collecting information on driving habits, a multitude of locational information, driver and passenger preferences, pedestrians and more can make a significant contribution to the bottom line of the business. According to a report by McKinsey & Company the global “overall revenue pool from car data monetization could be valued at between USD 450 to 750 billion by 2030”.

In this rapidly evolving environment vehicle manufacturers are scrambling to find their place in a highly dynamic ecosystem of connected-car services – having to determine which services to provide to customers, and with whom they should partner to achieve this.

This has major implications for the privacy strategy of manufacturers.

Only through compliance can the industry unlock the value of data

While this monetization of connected services opens up new revenue streams for manufacturers and service providers, the increase in the number of interconnections will require heightened vigilance to safeguard the privacy of the consumer: Yet another reason to develop a holistic privacy framework that ensures compliance and avoids the loss of revenue in the form of ineffective data monetization, or exposure to administrative fines.

Adding to the challenge of monetizing data, where the collection of vast amounts of information is set to drive revenues, the GDPR prescribes data minimization as one of its key principles. Data minimization is possibly the greatest challenge OEMs have to face in the connected car environment. It requires a product designed to collect as much data as possible, to only collect personal information deemed necessary, and in the smallest amount possible.

Impossible? Not necessarily. When privacy by design is observed from the beginning of the manufacturing process and legal instruments, such as privacy policies, are in place, the data minimization principle should certainly not mean the end of the connected car.

Moving forward, implementation of the GDPR will require OEMs to apply effective security measures to protect the information they collect and process. This includes the need to effectively handle data loss, privacy leak and fraud attempts, as well as set up crisis management and reporting procedures to the authorities and affected individuals.

To accomplish this, manufacturers may have to set up ‘monitoring’ systems that provide real-time visibility on the status and functions of the vehicle fleet. These systems would need to be capable of flagging a range of events relating to security, privacy, fraud, and malfunction. This would facilitate the integration of risk assessments and mitigation plans into the OEM’s overall operations, boosting data privacy protection, and ensuring GDPR compliance.

Sources:

• Joe Curtis; IT Pro; What is GDPR? Everything you need to know post-compliance deadline; May 2018; http://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know
• Alexander Soley; RT Insights; Data Ownership in the Age of the Connected Vehicle; May 2018; https://www.rtinsights.com/data-ownership-in-the-age-of-the-connected-vehicle/
• Roland Gagel; SGS; EU GDPR – Its effect on automotive OEMs and their networks; May 2018; https://www.sgs.com/en/news/2018/05/eu-gdpr-its-effect-on-automotive-oems-and-their-networks
• Jiri Chejn; Security and privacy bytes; Time is Running Out… is Your Car GDPR Compliant?; May 2018; https://www.securityprivacybytes.com/2018/05/time-is-running-out-is-your-car-gdpr-compliant/