In the same week that the automotive industry gathers in Washington, D.C. for the 2018 Washington Auto Show, a cross-section of automotive stakeholders, government officials, and consumer and privacy advocates came together at Hogan Lovells’ Washington office to discuss privacy issues facing connected vehicles. The half-day conference, co-hosted by Hogan Lovells and the Future of Privacy Forum, convened on January 23, with the theme of “Privacy and the Connected Vehicle: Navigating the Road Ahead.”
Panels focused on the privacy landscape surrounding automobiles and connectivity generally, regulatory developments and areas of government interest, and the effect of emerging technologies on business models and privacy practices in the automotive space. With lively discussion throughout and a wide array of perspectives, several key themes emerged.
What Sets Vehicles Apart
While connected vehicles share functionality with many other connected devices, several of the day’s panelists considered whether vehicles pose different issues. One distinction highlighted by several speakers is the importance of vehicle safety, including driver distraction. Another distinction raised was the somewhat unique and personal relationship individuals have traditionally had with their vehicles, which are often viewed as an extension of the home or a pathway to freedom. And yet, in spite of the differences, some panelists believed that vehicles pose many of the same challenges as other technologies, like smartphones. There was an acknowledgment, including by some of the government panelists, that the traditional notice and choice framework presents challenges in the vehicle context. These challenges arise due to limitations of vehicle interfaces, driver distraction issues, and circumstances that may render the sharing of data impractical or unsafe, such as geolocation sharing in the context of a connected vehicle fleet.
Not All Data Are Created Equal
A point that came up repeatedly throughout the panels was that connected vehicles generate many types of data, some more sensitive than others, and that the data may be used for a range of purposes. However, some vehicle data is never transmitted outside the vehicle, and some transmitted data is not stored after services are provided. Moreover, automakers that have signed onto the industry’s Consumer Privacy Protection Principles must obtain affirmative consent to use certain sensitive data as a basis for marketing or to share such data with unaffiliated parties for their own purposes. Some contrasted Vehicle-to-Vehicle (V2V) communications use cases, which may involve the transmission of data for vital safety functions, with data related to in-vehicle infotainment offerings, which may warrant greater privacy protections.
Role of the Government
During the second panel, representatives from the FTC, Government Accountability Office (GAO), and the Department of Transportation (DoT) addressed the roles their respective agencies play regarding vehicle privacy. Of particular interest, panelists discussed a potential uncertainty highlighted in the 2017 GAO report on vehicle privacy: which agency has the authority to regulate vehicle privacy. The consensus was that the FTC regulates privacy and that DoT and the National Highway Traffic Safety Administration (NHTSA) only regulate privacy to the extent it overlaps with vehicle safety regulation, though that may not be a bright line. In terms of security, the panelists acknowledged areas of potential regulatory or enforcement overlap, but explained that the FTC generally focuses on data security, whereas DoT and NHTSA focus on cybersecurity, particularly as it relates to vehicle safety.
Many Challenges and Questions Remain
Panelists generally acknowledged that, despite the incredible potential of connected vehicle technology, many challenges and questions remain. Some notable challenges include:
- How should government and industry address the privacy of vehicle passengers who may not have a relationship with the vehicle manufacturer?
- Can industry and government continue to rely on the longstanding Fair Information Practice Principles (FIPPs) as we move towards increasingly complex connected and autonomous vehicle systems, and if not, what would be an appropriate alternative? There was discussion about the need to “blow up existing norms” to find ways to protect privacy while still allowing for the technological innovations that can transform society for the better. Some suggestions included a model wherein individuals preselect privacy options, deciding in advance how they want to engage with companies generally, as a way of eliminating the need for traditional just-in-time notice and choice requirements. Other panelists considered whether data minimization is incompatible with the types of vehicle functionality we can expect to see soon, particularly in the context of autonomous vehicles.
- How should automotive stakeholders, government, and society at large strike the appropriate balance between these multifaceted concerns, including but not limited to vehicle safety issues and growing uncertainty about the risks of data collection, use, and sharing? Each panel recognized the need to strike a balance between competing interests, but it was clear there are no easy or obvious solutions.
As technologies change and consumer expectations and desires change with them, stakeholders on all sides will have much to discuss for years to come.
The conference agenda and information about the speakers are available here.
Aaron Lariviere, in our Washington, D.C. office, contributed to this post.