The digital revolution is radically transforming the automobile. Connected vehicles are becoming information hubs that generate, process, send and receive vast amounts of data while on the move.
There are cars on the road that are warned of impending dangers by the vehicles ahead. Rescue teams already have access to real-time data about the location and circumstances of an emergency. There are vehicles in development that autonomously find available parking spots in cities and bypass jams by reviewing traffic data to find the quickest routes to their destination. Traffic routing in urban centres can be optimised using information collected from connected cars. Apps, emails and media content are being brought into the cockpit, and maintenance and repair providers benefit from remote diagnosis and can offer services tailored to a driver’s needs.
Interconnected vehicles generate countless possibilities for products and services, stretching from the already widespread on-board use of digital media to the new realities of tomorrow such as autonomous driving.
All these developments will generate vast amounts of data, raising a number of key underlying legal questions.
Data protection rules will be a critical business issue as connected cars become more widespread. Relevant issues include:
- Who is responsible for protecting the data generated by a connected car? Who has access to this data, particularly if it is the product of a strategic co-operation (eg between an auto manufacturer and telecoms operator)?
- What kinds of data may be generated, stored, analysed and used (and how will they be used, eg to co-operate with insurance companies)?
[Infographic: the value of the global market for connected cars by 2020, according to estimates from Booz & Company]
- Which vehicle data are personal or could be linked to an identifiable individual? Must data be anonymised or pseudonymised? If so, what sort of encryption method should be used?
- What requirements must be fulfilled in order for data to be collected and used in different countries (EU and non-EU)? What happens when the vehicle crosses a border? Can collected data be sent to other countries, and if so, under what restrictions?
- Under what circumstances can providers be required to provide data collected by the vehicle to third parties? What obligations to provide information exist in relation to collected vehicle data (eg requests by law enforcement authorities to access information about the identity of a user/driver)?
- What requirements must be fulfilled for a user to consent to data collection? How can third-party user consent be achieved if necessary?
- What level of data security should be required and what measures should be obligatory to ensure that this level is maintained?
Equipping cars with mobile communications technology in order to transfer data usually takes place in co-operation with mobile network operators. Further third-party providers of telecommunication services may also be involved. This raises the question whether the car manufacturer is to be considered a provider of electronic communication services under national telecommunication laws and/or the EU Framework Directive 2002/21/EC. Relevant issues include:
- To which constellations do the telecommunication laws apply?
- How can contracts (as well as the technical and commercial implementation) be drafted with regard to applicability of telecommunication laws?
[Infographic: the sum that could be saved on car safety every year given full penetration of car-to-x functions, according to Matthias Wissmann, president of the VDA, the German automobile association]
If telecommunications laws apply to the car manufacturer, several regulatory obligations will have to be observed. These include notification obligations, particular data protection requirements and security safeguards. Relevant issues include:
- Which specific obligations apply to car manufacturers under telecommunications laws?
- How can compliance with these obligations be ensured in collaboration with the co-operation partners?
- What needs to be considered for the technical implementation and commercial model with regard to telecommunication laws?
- Which liability and compliance issues arise? How can they be excluded or reduced?
- What are the consequences for the contractual relations with customers and co-operation partners, and how should they be addressed?
Cars were once closed systems. Now, their connectivity opens potential doors for cyber crime.
The European Union and the German government are both developing legislation to improve cyber security. Depending on the technical structure of the data connectivity between vehicles, automotive manufacturers could become subject to these planned regulations resulting in additional reporting obligations, IT security standards and stricter compliance rules. The EU Cybersecurity Directive is expected by the end of 2014, while the German IT Security Act will probably be passed in the summer. In addition, the US-based National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity in February, based on an executive order from 2013. The framework is voluntary and sets out best practice for IT risk management to improve the security and resilience of companies in the critical infrastructure sector. Companies involved in these markets should review their cyber-security protocols to avoid future legal risks. These developments raise several issues relating to connected cars, namely:
- Under what conditions will connected cars be subject to cyber-security regulations?
- What cyber-security measures must be implemented to meet legal requirements?
- Will the establishment of IT security standards and best practices impact other industries not directly subject to the regulation?
Manufacturers of connected cars have to plan for data loss incidents. Data leaks can occur as a result of hacking or negligence by employees. To minimise the impact of a data breach, it is essential that companies prepare and implement appropriate crisis management procedures. They will also need to be prepared for the internal investigations that often follow a data breach to determine the cause of the incident. The manufacturers of connected cars will need to consider:
- In the event of a data loss, are there procedures in place that cover reporting to the authorities and affected individuals?
- Does the company have the right structures to make the correct decisions from a strategic, legal and economic standpoint under great time pressure?
- Do corporate guidelines ensure that the root causes of a data loss can be immediately and efficiently analysed through an internal investigation?
Consider telecommunications law issues right from the start
The structure of agreements between automotive companies and their consumers and partners has implications for the applicability of telecommunications law. Implementing the best possible structure from the start will minimise regulatory obligations.
Analyse the data protection implications of any planned collection, analysis, use and transfer of data
The scope of data collection and transfer, the type of data in question and its intended use all determine compliance with data protection laws. Different options must also be evaluated – for example, what might be beneficial from a business or technical perspective might have data protection implications. Businesses should always use the strictest local laws (eg German data protection rules for Continental Europe) as a benchmark in order to find solutions that work on a broader scale.
Plan for the worst-case scenario: data loss
The car as a data hub automatically gives rise to data loss and cyber-crime risks. Companies should think about potential weak spots, prepare crisis plans and rehearse what would happen in the event of a data loss. It is also vital to consider potential liability risks and reporting obligations.