The automotive industry is experiencing a transformation with the rapid development and evolution of autonomous and "connected cars". Connected cars can function not only as personalized on-demand entertainment systems, navigators, and personal assistants, but may soon be able to monitor and help safeguard the safety, health and well-being of drivers, passengers and others. The possibilities for the connected car appear endless. Consumer demand for new and innovative features in cars remains strong.
The connected car is altering not only the relationship between individuals and their cars, but also the relationships among auto industry stakeholders - original equipment manufacturers, telecom providers, hardware and software suppliers, and others - and their customers. With the connected car as platform, the auto industry and its partners are in the enviable position of developing and facilitating previously unimagined products, features and revenue streams.
The breadth and depth of potential data collection capabilities in connected cars is unparalleled in many other industries, and represents a tremendous new opportunity. In this short article, we touch on some of these opportunities, as well as cybersecurity, privacy and risk management considerations.
Information sources in relation to vehicles
There are myriad data sources in relation to connected vehicles, including event data recorders (EDRs), internet of things (IOT) and connected devices, and telematics systems. The following is a brief explanation of some of the primary data sources and possible uses of data collected from those sources:
- Telematics systems include the computer and electronic technologies found in vehicles, including GPS systems, wireless communications systems, as well as service and content provider systems. Stakeholders can use data generated by telematics systems to track performance problems by location and/or user behaviour. Compiling this data allows stakeholders to generate “actionable insights” that facilitate product and service improvements for customers, fleet management, and related purposes. It is also possible to personalize services based on individual user profiles and to categorize customers for marketing purposes. Aftermarket telematics systems, such as insurer telematics systems, may be installed into vehicles to track driver behaviour. A potential use for data derived from aftermarket telematics systems is to customize insurance premiums on the basis of individual driver behaviour.
- Internet of things (IOT) and other connected devices (e.g. smartphones) have seen considerable development in recent years. IOT technology in particular involves the embedding of computing and communications capacity in physical infrastructure, appliances and other devices. It involves the flow of data between network connected devices, without the need for human interaction. Possible data collected includes device identity, location, status, and condition.
- Electronic data recorders (EDRs) have been used for some time to collect crash related data including vehicle speed, engine throttle, brake activation, crash forces, air bag deployment and seat belt use. EDR data is typically used to assess the effectiveness of safety systems as well as to reconstruct accident scenarios in litigation. Law has developed to address production of such information in disputes, and in relation to potential privacy issues. Regarding the latter issue, there is a threshold question of whether EDR data is "personal information" at all, or if it is more appropriately characterized as information about a vehicle.
Privacy implications vary among the various devices and information above, and accountability for privacy may rest with different stakeholders in different scenarios.
Legal privacy considerations
From a legal and business perspective, many of the core opportunities and risks in relation to the connected car are rooted in the fact that data collection and use will often involve "'personal information" about individuals' activities, characteristics and preferences. While this information can be extremely useful for marketing, research and development, and other purposes to generate revenue, it must be collected, used and disclosed with a view to privacy, safeguards and related legal requirements and risks.
In light of the above dynamic, in the United States, the Alliance of Automobile Manufacturers has pledged to ramp up protection and respect for customer privacy through the Automakers' Pledge. The Automakers' Pledge was issued recently in response to a patchwork of federal and state privacy related laws and was intended to provide standardized protections to customers. More recently, the U.S. Auto Information Sharing and Analysis Centre (ISAC) issued a comprehensive set of best practices in relation to cybersecurity and vehicle failsafe considerations in particular: Automotive Cybersecurity Best Practices.
In addition, in Canada, organizations face the need to adhere to a privacy statute of general application in the private sector - the Personal Information and Protection of Electronic Documents Act (PIPEDA) - as well as substantially similar statutes which are applicable within British Columbia, Alberta and Quebec. All privacy laws in Canada regulate the collection, use and disclosure of personal information (i.e. information about identifiable individuals), including in the automotive sector and related stakeholder industries.
Subject to limited exceptions, these laws generally require express or implied consent from individuals in respect of such activities. An organization must identify to a customer the purposes for which they are collecting their personal information at or before the time of collection. Consent may be given express or implied, depending on the sensitivity of the data and the obviousness of the necessity of its collection.
While the requirements of privacy laws typically can be met in a manner which permits business objectives to be achieved and even enhanced, presently, there are three main considerations in play regarding the application of privacy law in the context of the connected car: determining what information is "personal information", determining appropriate purposes, and implementing adequate technical and other safeguards to protect information against unauthorized access, use and disclosure. These are addressed in turn below.
Under privacy laws, the term "personal information" is defined broadly, and includes any information about an identifiable individual. Identifiability is a key concept. Information will typically be considered "personal information" where there is a serious possibility that the information, either alone or in combination with other available information, could be linked to an identifiable individual.
This feature of privacy law is important because it permits organizations to engage in a wide variety of activities involving anonymized or de-identified data, usually without having to address the requirements of privacy laws. However, the question of identifiability is highly fact-specific, particularly in the context of the connected car which may collect information about not only drivers, but also passengers and others, and can sometimes raise key questions. For example, if an organization parses out a data set of personal information and de-identifies it solely for a particular marketing or other purpose, but technically could re-identify the individuals using other information, there will be a question about the extent to which privacy laws may still apply.
One of the overarching requirements of Canadian privacy laws is that organizations may collect, use and disclose personal information only for purposes that a reasonable person would consider appropriate. In other words, even if an individual consents to the activity, it may nonetheless be impermissible under privacy laws.
A number of regulatory and court findings have helped to shape an assessment of the appropriate purposes requirement. Although it is to be expected that practices in relation to connected cars will be compliant with this requirement when implemented in the appropriate manner, careful consideration must be given to the information being collected (particularly sensitive information), as well as the effectiveness, need and benefits for collecting the information, among other factors.
Safeguards and cybersecurity
Canadian privacy laws require organizations to implement reasonable physical, technical, administrative and other measures to protect personal information. These requirements have become a particular focus, including in the automotive sector, as a result of the increased prevalence of data breaches and cyberattacks in recent years. Given the potential proliferation of the collection, use and disclosure of personal information in relation to the connected car, it is imperative that the industry and related partners take appropriate steps to prevent, detect, and respond to potential data security incidents.
In the area of safeguarding information, the legal and reputational risks are very real. In recent years, Canada has witnessed a tremendous increase in privacy-related litigation and class actions, both in respect of data breaches and cyberattacks, but also for ordinary business practices involving personal information. With the potential for significant financial and other consequences, the case for strong safeguards and care regarding personal information has never been higher.
In addition to implementing appropriate measures, organizations can also take steps to mitigate legal risks by, for example, carefully reviewing privacy policies and related disclosures to ensure that they do not contain any unnecessary "promises" regarding safeguarding. Such promises may create legal risk (for breach of contract) that may otherwise not be present in a given case.
The auto industry is at the cusp of transformative change through the evolution of the connected car. While core business and functionality will remain largely as they have been, the new and innovative features of connected cars can raise important privacy considerations as described above. With privacy related matters and risks taking on ever-increasing importance in commerce, including in the auto industry, the industry and related stakeholders must address such issues with foresight in order to identify risks and opportunities, and ultimately to fully achieve business objectives.
The author acknowledges with thanks the contribution of Gillian Round, Student-at-Law.