Navigating data privacy: don’t be taken for a ride!

Managing IP is part of Legal Benchmarking Limited, 4 Bouverie Street, London, EC4Y 8AX

Copyright © Legal Benchmarking Limited and its affiliated companies 2024

Accessibility | Terms of Use | Privacy Policy | Modern Slavery Statement

Navigating data privacy: don’t be taken for a ride!

Sponsored by

remfry-sagar-400px.png
Red car standing on the road near mountains at daytime

In the third article from an exclusive series on the automotive industry, Cyril Abrol and Dhruv Goel of Remfry & Sagar discuss data privacy in India

Today, technology is an inextricable part of human life. The Internet of Things [IoT] allows our devices to connect and “talk” to each other by sending and receiving data via the internet. Artificial intelligence (AI) (the simulation of human intelligence in machines) enhances the capabilities of devices by studying human behavioural patterns. It is not just laptops and phones. Cars and other vehicles too are commonly IoT enabled and AI dependent. Telecommunication companies provide in-vehicle Wi-Fi, and data services and statistics indicate that an average luxury auto has the computing power of 20 personal computers, 100 million lines of code, up to 100 inbuilt processing units and the capability to process 25 GB of data every hour. In fact, several automobiles can make the claim of having more lines of code than a Boeing Dreamliner 747. Notably, in 2019, MG Motor unveiled Hector as India’s first internet car which comes with over-the-air software update capabilities, meaning that much like a smartphone, it can upgrade its software via wireless internet connectivity. 


Telematics

Telematics is the new age term for Global Positioning Systems (GPS) and on-board vehicular data. Put another way, a telematics system is the black box of vehicles. This system, much like an airplane’s black box, allows sending, receiving and storing of telemetry data, which includes the location of a vehicle, its speed, idling time, fuel consumption, tyre pressure and engine faults. Repair shops with remote access to sensors and systems on a vehicle can predict and diagnose maintenance and repair events. Insurance companies can rely on speed, acceleration and navigation data to provide accurate premium estimates for individual users as well as usage-based insurance products. Analysis of driving patterns can help develop new features and services ranging from connected infotainment to remote vehicle diagnostics and emergency breakdown automated calling. Altogether, such data helps in three value-creation models for industry players, namely, revenue generation, cost reduction, and enhancement of safety and security features. On the flip side, the generation and processing of such enormous amounts of valuable data is not without the risk of compromise.


Location tracking and data privacy


Anyone with access to a car’s navigation, bluetooth or Wi-Fi generated data is privy to enormous locational and other personal data such as, location of one’s home or workplace, frequency and timing of visiting a particular destination, the preferred route, current whereabouts and even contact lists containing personal information. This raises serious concerns relating to personal data privacy.

The European Union General Data Protection Regulation (EU GDPR), currently the strongest set of rules on personal data protection, includes location data as part of personal information. Additionally, recognising that collection and processing of location data can sometimes introduce high risks to privacy, particularly when an individual’s movement is tracked over time by monitoring bluetooth or Wi-Fi data, the EU has proposed an e-Privacy Regulation which is under consideration by the European Council. If passed as proposed, providers engaged in collecting location data would need to display prominent notices informing end-users, prior to their entering a defined area, of the technology in operation within a given perimeter for the purposes of tracking/data collection, as well as the existence of any measures available to the end-user to minimise or stop collection of his or her data.

Examining a question pertaining to breach of locational data, the US Supreme Court, in United States v Jones, discussed the expectation of privacy in GPS monitoring and observed that law enforcement agents and others should not secretly monitor and catalogue every single movement of an individual’s car for a very long period. Thus, unconsented and prolonged GPS monitoring has the potential to intrude on the sphere of privacy and personal data. In Mobley v State, the US Supreme Court, in the year 2019, again recognised the reasonableness of an individual’s expectation of privacy in digital data collected from a vehicle and held that collection of such data, without due authorisation, was unconstitutional. On a related note, the new California Consumer Privacy Act includes geolocation data within its ambit with certain exceptions – for example, sharing vehicle ownership information is deemed permissible for effecting a vehicle repair under warranty or a recall.

Location data is not covered within the ambit of personal or sensitive personal information under current data protection laws in India, particularly, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. Interestingly, location data is also not protected under the proposed personal data protection legislation framed as the Personal Data Protection Bill 2019.  

The importance of consent

With the Indian automobile industry ready to offer high-end technology driven cars, there is a need to incorporate provisions on personal data protection similar to corresponding regulations in jurisdictions with more advanced data protection laws. Until then, it is imperative to cast contractual obligations on automobile manufacturers, original equipment manufacturers (OEMs), and dealers of self-driven cars equipped to store personal information of  owners, to ensure safety of data. Another step towards ensuring privacy of vehicle owners’ information, could be seeking specific consent for collection and processing of data or providing auto owners the right to opt out of sharing personal data, and enabling an option for deletion of data, akin to the right to be forgotten promulgated in personal data protection legislations across jurisdictions, including the European Union and India. A few international car manufacturers do allow customers to opt out of data collection; nonetheless, the path to ensuring privacy of such data in India is sure to be a long one given that personal data protection laws in India are still at a nascent stage.

more from across site and ros bottom lb

More from across our site

In-house counsel and teams can now submit information for the 20th annual Managing IP Awards programme
Ahsan Shaikh at McDermott reveals how the firm is using three AI tools, including one for drafting patent applications
As K&S Partners celebrates its 30th anniversary, founder Jyoti Sagar looks back at the firm’s journey and explains why corporate and IP practices should be kept separate
Counsel reveal the lessons learned from a rejected amicus brief concerning Monster Energy that alleged ‘trademark bullying’
We provide a rundown of Managing IP’s news and analysis from the week, and review what’s been happening elsewhere in IP
New guidelines from Canada's IP office will outline how specific IP owners must be when listing goods and services in applications
Panasonic aimed to coerce Xiaomi into accepting terms the court would not determine to be FRAND, according to two judges
A case heading to the England and Wales Court of Appeal raises interesting questions about the nature of the average consumer in trademark law
Barclay Damon has announced the appointment of six lawyers to its IP team, as Burns & Levinson shuts down operations
A Federal Circuit case could lead to more clarity on damages, but practitioners differ over how far constraints should go
Gift this article