Here are the main legal topics on connected cars covered during the Connected Automobiles conference, where I gave a presentation named “Privacy and regulations: state-of-the-art and future issues” on legal issues relating to connected cars, the slides of which are available here.
We already discussed some of the legal issues affecting connected cars in this post, but the discussions at the conference raised additional topics of concern. Here is my top 5 of the legal topics covered during the event:
1. Who is the owner of the data?
Car manufacturers often don’t have the technology necessary to support connected car devices and therefore have to rely on third-party suppliers of hardware and software components. Such suppliers might be in a better position to handle the data collected through the devices, but car manufacturers might not be willing to let them have control of such data.
It is worth noting that under European data protection law the owner of the personal data is always the individual to whom the data pertain, while the so-called “data controller” is the entity in charge of defining the modalities and purposes of processing. The qualification as data controller, and the roles of the other entities involved in the processing of personal data, are based on the factual situation and cannot be contractually amended at the discretion of the parties. With reference to specific sectors, the competent data protection authorities have even given their position as to the roles of the entities involved.
The above has to be reviewed on a case-by-case basis, and the entities involved should be quite careful about creating privacy structures which might be challenged in case of privacy audits.
2. Can connected cars be hacked? What liabilities for automated cars?
The massive amount of data collected and processed by connected cars will make them a potential target for cybercrime attacks. We discussed the issue in this post, but the peculiarity in the case of connected cars is that a cyber attack might also cause accidents and potential harm to the individuals in the connected cars.
For instance, if the system managing the distance sensors of connected cars is hacked while drivers assume they can rely on those sensors, a very large number of accidents might occur. This circumstance will place a considerable burden on car makers and manufacturers of connected car devices as to the security measures to be put in place in connected car technologies, which will be required both by
- privacy regulations whose breach under the new EU Privacy Regulation will be sanctioned with fines up to 5% of the global turnover of the breaching entity and
- car certification requirements which might also oblige car makers to put in place an insurance policy covering both the malfunctioning of connected car technologies and cyber crimes as a condition for the certification of connected car devices.
3. Are insurance black boxes spies or resources?
There was a very interesting presentation on insurance black boxes from a representative of a worldwide leading insurance company, who confirmed that Italy is the worldwide leader in the sector with over 5% of cars equipped with this kind of technology, and the figures are considerably increasing.
Insurance black boxes can monitor the location of cars, the speed, the driving skills, the time of usage of vehicles and, in the future, additional parameters. The issue with this kind of technology is not the processing of personal data necessary for the purpose of calculating the car insurance premium, which shall in any case be adequately covered by a privacy information notice and consent, but the risk that collected personal data is used for additional purposes without the individuals’ knowledge.
For instance, if the data collected from a vehicle under the terms of the car insurance policy are used for the calculation of a life insurance policy, this might be arguable if the individual did not provide adequate consent to this purpose of processing as well. At the same time, if the vehicle’s owner declares that his car is driven by his family members as well, will it be necessary to also obtain their consent to the processing of their personal data? Also, how shall this data be stored to protect it against cybercrime?
4. How to handle second hand connected cars?
While at the moment our cars do not contain much information about us apart from maybe our favorite songs, in the future our vehicles will be able to store a detailed profile of their owner, which will be transferred to a third party if the vehicle is sold. And such a third party might not have signed any privacy information notice or terms and conditions (including liability clauses) with the car maker or the producer of the connected car device.
This circumstance triggers issues of
- illegal processing of personal data relating to the seller of the vehicle by the buyer;
- illegal processing of personal data relating to the new buyer of the vehicle by the car manufacturer or connected car device producer and
- lack of contractual protections for car manufacturers/connected car device producers towards the new owner of the vehicle.
5. Shall connected cars’ platforms be open source?
We covered in this post the issues relating to the interoperability of Internet of Things technologies, and the same issue arises with reference to connected cars. Actors in the market argue that open source platforms are necessary to ensure the growth of the sector, as otherwise we will have a number of “vertical” platforms that do not communicate with each other and are unable to merge the data they generate.
This led to the creation of a number of devices interconnecting different platforms, but the issue is whether the market itself will lead towards open source platforms or whether regulators/regulations will force manufacturers/developers to make their platforms more open in order to foster the growth of the sector.