This week, two thousand members of the International Association of Privacy Professionals (IAPP) will gather in Washington, D.C. to discuss the most pressing privacy and data security issues of the day. One issue that has started to appear on the privacy agenda is privacy and the “connected car.”
And that is not surprising. Connected cars by definition connect cars with data centers that provide services to enhance auto safety and convenience, and provide entertainment services. And some of that data is personal data, deserving of privacy protections.
There are estimates that connected car services are expected to grow to over $14.5 billion by 2020 as consumers demand more personalized services and smarter, safer, and more seamless in-car features. That means more data and more questions about privacy.
Despite recent calls for privacy laws and the Obama Administration’s efforts to push a privacy bill, the current atmosphere in Washington means that a new privacy law is unlikely. But that doesn’t mean no progress.
Automakers here in the United States have taken the lead on privacy, and have answers to many of the inevitable privacy questions. Late last year the major automakers voluntarily agreed to a set of privacy and data security principles that will regulate how automakers collect, use, and share information. These principles are binding public commitments enforceable through Section 5 of the Federal Trade Commission Act, requiring companies to fulfill their publicly stated policies and practices. It is an important step forward for privacy and the connected car and provides baseline protections that automakers can build upon.
First, the principles enhance transparency. Companies that adopt the principles must provide clear, meaningful notices about how they will collect, use, and share covered information. All privacy notices will be available on automakers’ websites in addition to other locations depending on the nature of vehicle technologies and the circumstances in which they are offered.
Second, the principles provide consumers choices about the collection, use, and sharing of certain information. Participating companies have taken an important step by committing to obtain affirmative consumer consent prior to 1) using precise location information, biometrics, or information about driving behavior for marketing purposes; and 2) sharing such information with unaffiliated third parties for their own use. Relatedly, the companies agreed not to share geolocation information data with the government unless pursuant to a warrant or court order, absent exigent circumstances or statutory authority.
Third, the principles enshrine commitments by automakers to respect context. This means that the companies commit to using and sharing information in ways that are consistent with the context in which the information was collected, taking account of the likely impact on owners and registered users of vehicle services.
Fourth, the companies committed to implement reasonable security measures to protect information against loss and unauthorized access or use.
Fifth, the companies committed to take reasonable steps to ensure that the personal information they hold is accurate. Owners and registered users of vehicle services are entitled to access and correct their personal subscription information.
No other industry in the “Internet of Things” ecosystem, of which connected cars are a part, has done as much or has gone as far as automakers. The automakers understand that without the trust of consumers, new technologies will not be as readily embraced. The Privacy Principles provide a strong basis for such trust.
This week, as members of the IAPP grapple with difficult privacy and data security choices related to new technology, whether it be unmanned aircraft systems, the smart home, or connected health and fitness devices, it is worth taking stock of the automakers’ experience. The standards they have put in place incorporate widely-regarded Fair Information Practice Principles in ways that fit vehicle technologies and services. By working together on baseline protections, automakers have demonstrated to consumers, regulators, and policymakers that the industry takes its privacy commitments seriously.
Timothy Tobin, Partner in Hogan Lovells Privacy and Information Management Practice, will moderate a panel on Connected Cars entitled “Driving Privacy Forward” at this year’s IAPP Global Privacy Summit. The panel is on March 6 from 11:30 a.m. – 12:30 p.m.