Last week, at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong, data protection authorities from around the world issued non-binding guidance on the processing of personal data collected by connected cars (the “Guidance”). Noting the ubiquity of connected cars and the rapidity of the industry’s evolution, the officials voiced their collective concern about potential risks to consumers’ data privacy and security. The Guidance identifies as its main concern the lack of available information, user choice, data control and valid consent mechanisms for consumers to control the access to and use of their vehicle and driving-related data. Building on existing international guidelines and resolutions, the Guidance urges the automobile industry to follow privacy by design principles “at every stage of the creation and development of new devices or services.”

The Guidance sets forth the following recommendations, among others:

  • Provide drivers with notice regarding the types of personal data collected by their connected car, for what purpose and by whom;
  • Minimize the amount of personal data collected by connected cars, using anonymization or pseudonymization where appropriate;
  • Retain personal data collected by connected cars only for the amount of time necessary to perform the legitimate purpose for which the data was collected (or otherwise in accordance with applicable law or consent);
  • Erase personal data when a connected car is sold or returned to its owner;
  • Create “granular and easy-to-use” privacy controls to grant or withhold connected cars’ access to certain categories of personal data, where appropriate;
  • Develop connected car technologies that prevent unauthorized access to personal data and provide safeguards against the unlawful tracking and identification of drivers;
  • Give drivers the ability to restrict the personal data collected by connected cars;
  • Employ appropriate technical measures to protect drivers’ personal data against cyber attacks and unauthorized access;
  • Make transparent the algorithms used by connected cars, to reduce the risk of discriminatory automated decisions;
  • Perform privacy impact assessments for “new, innovative or risky” connected car technologies; and
  • Communicate with the data protection and privacy commissioners to develop compliance tools for the connected car industry.

While non-binding, the Guidance is being interpreted by many as a set of global standards to guide data protection enforcement efforts, and may signal a wave of enforcement actions to come. The Federal Trade Commission did not participate in issuing the Guidance.