19 makers of cars and trucks sold in the US have committed to preserving the privacy of their customers in view of the massive amount of personal data that is going to be processed through connected cars.
I have already reviewed privacy issues affecting connected cars in this post, and more recently I reported in this post on the findings about legal issues affecting connected cars from the Connected Automobiles conference. But the relevance of such issues has now been acknowledged by the Alliance of Automobile Manufacturers, the Association of Global Automakers, and their members, which adopted the ‘Consumer Privacy Protection Principles’.
The companies that are signatories of these principles include Chrysler, Ford, General Motors, Volkswagen and Toyota, which represent over 91% of US sales of vehicles.
Principles for connected car manufacturers
The principles adopted can be summarized as follows:
- Transparency: owners and registered users shall be provided with ready access to clear and meaningful notices about the collection, use and sharing of their information;
- Choice: owners and registered users shall be provided with certain choices regarding the collection, use and sharing of their information;
- Respect for Context: information shall be collected and shared in ways that are consistent with the context in which it was collected, taking account of the likely impact on owners and registered users;
- Data Minimization, De-Identification & Retention: information shall be collected only as needed for legitimate business purposes and shall be retained no longer than the manufacturers determine necessary for legitimate business purposes;
- Data Security: reasonable measures have to be implemented to protect information against loss and unauthorized access or use.
The reaction in Europe
The above principles sound quite familiar to European data protection experts and indeed are in line with what was previously discussed. In particular, the need to provide information about the mechanics of the processing of personal data collected, and to give users a free choice on the processing of their data, is a fundamental principle of EU privacy law. Likewise, compliance with security measures in the processing and storage of data, which has to be limited to what is necessary to achieve the purposes of the processing notified to users, is a consolidated milestone of EU data protection law.
The major difference between the US and Europe for connected cars, however, is that the breach of similar principles in Europe will lead to fines that, under the new EU Privacy Regulation, will be equal to 5% of the global turnover of the breaching entity.