Backseat Driver: Data Privacy, Your Car, and You

This week POLITICO’s Digital Future Daily published a piece called “What your car knows about you.” Very little has changed since Dr. Colin McCormick, a physicist and Adjunct Professor of Science, Technology and International Affairs at Georgetown wrote a white paper for DCI in December 2019, “On-road and Online: Data Privacy for Connected Vehicles.”

As Dr. McCormick explained then, “In the absence of federal legislation establishing rights and responsibilities around the ownership and privacy of connected car data, the legal prohibitions against this type of use are unclear.” That’s still true. POLITICO’s piece reviews the need for an update to the 2015 Driver Privacy Act and pending, broader data privacy legislation. It seems less and less likely that anything significant will happen in the current Congress, given many competing priorities and the complexity of the underlying issues.

McCormick’s paper approaches our increasingly technologically sophisticated and connected cars as surveillance platforms not fundamentally different from phones or computers, and examines both data ownership and data privacy in that context. As we approach the incoming Congress, particularly if leadership changes, legislators might consider a number of related issues: (1) user approval for cars to collect certain kinds of data; (2) the control that users (drivers) have over how car data is collected, used, and shared with other entities; (3) any special issues related to collecting data about children in cars; (4) transparency about the underlying algorithms involved in the above.

And for all the vilifying by some of large tech companies like Google, Apple, Facebook, Amazon, and Microsoft (“GAFAM”), legislators might also start considering companies such as Tesla, Ford, GM, and VW, and Toyota to be “big tech” where relevant. While the likes of GAFAM are currently in the proverbial hot seat on antitrust and other issues, major vehicle manufacturers (and even smaller but more “digitally native” companies such as Lucid Motors and Rivian) should be cognizant that the spotlight will eventually turn on them.

In December 2020, we conducted a threat analysis and risk assessment of vehicle manufacturers increasingly using high-tech/exponential tech in their vehicles. Amazingly, most of it still holds true a couple years down the road. Among real risks that brands in this space face related to data privacy are an automotive data breach of thousands or even millions of customers data, and the risk of a government investigation, whether by Congress or a regulatory body at the federal or state level. As the Alliance for Automotive Innovation and other groups and stakeholders weigh in on these issues, we’re curious to see which choices get made at the forks in the road.