On 6 December 2017, EDRi member Privacy International published research about data on connected cars. The report “Connected Cars: What Happens To Our Data On Rental Cars?” presents concerns about the way connected transportation facilitates the generation and collection of information about drivers in ways that most people are not able to understand, question, or access.
When you rent a car at the airport or use a car-share for a family day trip, one of the first things you are likely to do before setting off on your journey, is to connect your phone to the car. Doing so can allow information such as your name and navigation history to be stored on the car. When the car is returned, this information is usually not deleted, and can therefore be accessible to the next driver. During the course of the research, Privacy International rented multiple cars and found that on every car past drivers’ personal information was readily accessible.
Beyond this information, connected cars can generate, collect, and store information about the car’s location and about how the driver interacts with the car – for example whether the driver often brakes suddenly. Privacy International is concerned that these types of information, which are of interest to third parties such as insurers, will be sold or shared with third parties without drivers being aware of it.
This first stage of Privacy International’s research focuses on data on rental cars, specifically the “infotainment system”, the in-car communications and entertainment system. Multiple rental companies, based in Europe, the UK, and the US, helped the researchers to understand their internal policies and procedures around driver data that is stored on infotainment systems, as well as how they view their position in data protection terms. The research was also conducted by renting a number of cars and looking at what data is collected and retained by the rental cars’ infotainment systems. Off the back of this research, Privacy International has written to rental companies to ask for further internal policies around data retention and deletion, as well to car manufacturers to ask about plans to build data deletion into cars. Various civil society organisations in the US and Europe joined in writing to the companies, including ANCE – The European Consumer Voice in Standardisation, Campaign for a Commercial-Free Childhood, Consumer Action, Consumer Federation of America, Consumer Watchdog, EPIC, Hermes Center for Transparency and Digital Human Rights, and the Norwegian Consumer Council. Privacy International has also written to the UK’s Information Commissioner’s Office.
Report: Connected Cars: What Happens To Our Data On Rental Cars? (06.12.2017)
Coalition of consumer and privacy-rights groups send letters to rental companies and car-share schemes mentioned in new Privacy International report (06.12.2017)
Video: Connected Cars: What Happens To Our Data On Rental Cars? (06.12.2017)
(Contribution by Sara Nelson, EDRi member Privacy International)