This report updates FIPA’s 2015 ground-breaking report, The Connected Car: Who is in the Driver’s Seat? As may be expected, there have been major developments both in technology and policy since our first Connected Car report.
Technology that was once exclusively available in high end vehicles has become commonplace. According to one estimate, 98 per cent of vehicles in North America and Europe will be connected by 2021. Car companies are constantly seeking new ways to profit from the collection of data taken from their vehicles, often in partnership with large technology companies like Apple and Google.
As technology advances, there have been more studies undertaken on what these changes mean for privacy rights. There have been pushes for stronger and more comprehensive legislative activity. Perhaps the most significant legislative change to date is the General Data Protection Regulation in the European Union. Other jurisdictions have also been mooting improved legislation as well as codes or standards to govern particular sectors of the economy or society, including Canada.
The privacy policies of the various car companies have also changed since 2015, generally for the better. One major improvement over what we found in 2015 was that with two exceptions, companies selling connected cars in Canada had their privacy policies available on their Canadian websites.
This allowed us to do a comparison of the privacy policies of the various companies (Original Equipment Manufacturers or OEMs) selling large numbers of cars and trucks in Canada (more than 1000 sales per annum).
We reviewed the privacy policies of 36 different vehicle brands of manufacturers from all over the world. The scope of the research focused on the policies’ treatment of protected data, the openness and accountability of protected data, the accountability to third party processors, whether the policy recognizes the right of access for an individual to his or her own data, the accuracy and security of the data, the purpose specification and notice of changes, the limitations of the use, collection and retention of data, and the types of consent mechanisms that are being used by the manufacturers. In addition, we considered if there are any options for the individual to opt-out. We compared our findings to our 2015 findings in our original Connected Car report to see what had changed.
We found that OEMs’ terms of service and privacy policies respecting connected car services showed significant improvement over 2015. Still these policies are still inadequate when compared to all major data protection principles and requirements under Canadian data protection law.
Although some manufacturers have made an effort to be specific about their uses of personal data and to explain their policies more clearly, key elements of OEM policies are still often unclear or expressed in very broad language. The worst examples are the very broad purposes OEMs continue to provide for collecting, using and sharing personal information, sometimes alongside specifics and sometimes not. While there is now a wider disparity among OEMs in terms of the adequacy of their connected car privacy policies, certain gaps and problems remain across the board.
In light of these shortcomings, and the federal Privacy Commissioner’s repeated statements that he has not received a complaint about this issue, we have decided to remedy this situation. A complaint to Commissioner Therrien is attached to this report, and we hope it will give him the opportunity to bring clarity in an authoritative ruling on this issue.
For more than twenty years, the B.C. Freedom of Information and Privacy Association has relied on the support of our community to provide resources, educational programming, and one-on-one advice. By making a contribution to the Association in exchange for this resource, you’re helping us provide another two decades of service to Canadians and supporting more publications like this in the future. There is no minimum donation amount. Every bit helps.
Click here to make a donation. We hope you consider supporting the Associations.
Let us know what you think: If you have comments, questions, or concerns about the report, please send them to FIPA at firstname.lastname@example.org or tweet to us @BCFIPA.