New report by BC FIPA takes a hard look at how our cars are watching us
Our cars have changed. Once simply a means of traveling from point A to B, cars are increasingly capable of astonishing computerized feats. New “Connected Cars” are essentially computers on wheels whose functions include navigation, diagnosing vehicle health, monitoring driver behavior, offering shopping suggestions and providing customized on-board entertainment.
But the same technologies that allow for safer, more convenient and more entertaining cars enable the collection and processing of enormous amounts of data. Much of this data is personal information, and some of it reveals intensely private details of a person’s life.
Who has access to this data, on what terms, and whether collecting, storing and transmitting information from cars to outside computers complies with Canadian privacy laws are the subject of FIPA’s new report, The Connected Car: Who is in the Driver’s Seat. The report is the culmination of a year-long study that took a detailed look at the privacy implications of these new technologies. With Connected Cars poised to saturate Canadian markets in the coming years, the report concludes that now is the time to get serious about setting industry privacy standards and putting them in place.
We launched The Connected Car: Who is in the Driver’s Seat on March 25th at the site of the Vancouver International Auto Show, and it quickly caught the attention of national media. Written by well-known privacy lawyer Philippa Lawson and generously funded by the Office of the Privacy Commissioner, the Connected Car report is the first of its kind in Canada.
The report outlines how data culled from vehicle telematics and infotainment systems can be used for safety, monitoring, customer relationship management and the new usage-based insurance programs offered in some Canadian provinces. Yet we also found that some data harvested from cars can be used to track and profile customers for marketing and other purposes.
The breadth and depth of personal data that can be culled from Connected Cars goes significantly beyond what is already available via mobile devises. Customer data generated by Connected Cars are seen as a major new source of revenue for automakers and many of their partners. But the monitoring of a person’s vehicle use, driving routes, destinations, entertainment preferences, contacts, and schedules – for example – provides information that is not just useful for marketers and insurance companies. The data may also be of great interest to identity thieves, voyeurs, stalkers and others with malicious intent. The collection and retention of personal data for secondary purposes such as marketing and data mining not only exacerbates security risks, but creates an architecture of surveillance into which the tentacles of the state can reach, with or without required authorization.
At the heart of the issue is the limited choice consumers are being offered when it comes to the use and disclosure of their personal data. Our review of Connected Car terms of service and privacy policies shows that automakers are failing to meet their legal obligations under almost every principle of Canadian data protection law. A privacy pledge signed by a large group of major automakers in 2014 is promising but falls far short of Canadian legal standards in numerous respects. Deficiencies include lack of consent and forced agreement, inadequate openness and accountability, and a lack of consumer choice with respect to unnecessary data collection, use or disclosure.
Our review finds that the usage-based insurance programs now offered in Ontario and Quebec generally comply with Canadian privacy law mostly because insurance regulators put privacy protections in place before allowing companies to offer these programs. Usage-based insurance is currently voluntary, but over time it could become the industry standard. Even if the programs remain voluntary, there is a risk that insurers may at some point choose to penalize drivers who do not ‘voluntarily’ choose to participate. If stronger guidelines are not in place, drivers could one day be faced with the difficult choice between obtaining affordable insurance and surrendering their right to privacy.
The good news is that Connected Cars are still in development. There is still time for Canadians to demand that the privacy of their personal information be respected by the industry and that individuals be given control over the data harvested from their vehicles. Policy makers can still establish data protection regulations for the Connected Car industry and usage-based insurance. Privacy experts can be brought into the process to ensure that “Privacy by Design” principles and tools are applied. This would include establishing a privacy management program, identifying and avoiding unintended uses of data, building-in openness and transparency, respecting user privacy, and working with industry players at all levels to integrate controls and data minimization techniques.
We were encouraged by the help we received from the New Car Dealers Association of BC from the very beginning of our study, and by the attendance of the heads of both major automotive manufacturing associations at the launch of the report. Hopefully this bodes well for a cooperative effort to ensure proper protection for Canadian car buyers personal information and freedom of choice.
There is no reason our personal information in the automotive context should not be protected in the same way our safety is protected by government standards. We hope that you will join us in working to keep car drivers in the Connected Car driving seat.
What you can do: