In this hoganlovells.com interview, partner Winston Maxwell discusses how Hogan Lovells helps connected car manufacturers to develop simplified frameworks that internal stakeholders can use to understand business and operational needs balanced against data protection legal requirements.
How does Hogan Lovells help auto manufacturers map data usage scenarios to their business and operational needs?
Maxwell: At Hogan Lovells, we advise auto manufacturers on how to think about embedding data protection and other data governance rules into their platforms for vehicle-related data. The manufacturers know that they are going to be collecting massive amounts of data from different sources. And they are all acutely aware that in the future the name of the game will be selling recurring, value-added services to customers. They need to be able to take advantage of the privileged relationship that they have with the car owner to propose additional services to the full extent permitted by the data protection legislation.
I think one of the most valuable services we offer right now is to help general counsel develop internal business-friendly communication tools for the various project teams within an automotive company. These tools help identify the regulatory constraints that affect how a company thinks about data. We also help them develop a conceptual picture that includes where the data comes from — for example, website visits from the customer or a customer hotline. Then you have to think about what you are going to use the data for.
If the data is needed to save the car occupant’s life, of course you are not going to ask for their consent. Saving a life comes first. The European Parliament has introduced an eCall requirement for new cars for this purpose. If the data is necessary in connection with deciding whether you have to notify the occupant about critical maintenance, then the use of the data may be linked to the maintenance contract. But as you go along the spectrum to more value-added services like — can I use the data to propose a hotel? — you’ll have stricter policies that require consent.
A recent report by a German Ethics Commission says that user consent is required to use car data for anything beyond safety. But where does safety stop? OEMs focus on safety in all aspects of the car, and are likely to see data as an important tool to improve safety, including through analyzing driver habits. Data protection officials might have a more restricted view on what is necessary for safety.
We've developed a product called Getting to Data Nirvana, which helps automobile manufacturers create holistic data governance plans for connected car data.
How do you break down data usage scenarios so that each component can be tied to an actionable data protection rule?
Maxwell: We help clients make a map of the different variables so that the business people can understand. Once the business people understand, then you’ve won half the battle. The idea is to build the privacy rules and the other data sharing requirements into the system — engineers know how to work with that. What’s difficult is when privacy lawyers or the general counsel come with big principles like — "we must respect our customers’ privacy." It’s too general and disconnected from the engineers’ design responsibilities. What we are trying to help clients do is transform the principles into actionable rules that can be understood by the business and the engineering community at the auto company.
What I sense we do better than some of our peers is translating those principles into actionable design rules. A car manufacturer could be collecting data about falling asleep at the wheel — there are systems that watch your eyes and can tell if you are blinking too much, a sign that you are tired. If those systems detect that you are falling asleep at the wheel, an alarm will be activated. Those systems could reveal drug abuse issues or other sorts of health data — it’s okay to use that data to save an occupant’s life but it would be hard to argue that sort of data should be used for anything else.
How many data usage scenarios should automakers be planning for?
Maxwell: At this point, there are so many different scenarios and data use cases, it’s almost limitless. The data about my eye movement, can it be shared with an insurance company if there is an accident? The data about my GPS location, can law enforcement access it to see whether I was involved in a crime? You can go down the list and create use cases that are almost endless.
Because all usage scenarios could not possibly be envisaged by auto manufacturers at this time, we help them to manage their data lake by implementing a data lake management policy preventing the "garbage in, garbage out" phenomenon.