Navigating data privacy: don’t be taken for a ride!
In the third article from an exclusive series on the automotive industry, Cyril Abrol and Dhruv Goel of Remfry & Sagar discuss data privacy in India
Today, technology is an inextricable part of human life. The Internet of Things [IoT] allows our devices to connect and “talk” to each other by sending and receiving data via the internet. Artificial intelligence (AI) (the simulation of human intelligence in machines) enhances the capabilities of devices by studying human behavioural patterns. It is not just laptops and phones. Cars and other vehicles too are commonly IoT enabled and AI dependent. Telecommunication companies provide in-vehicle Wi-Fi, and data services and statistics indicate that an average luxury auto has the computing power of 20 personal computers, 100 million lines of code, up to 100 inbuilt processing units and the capability to process 25 GB of data every hour. In fact, several automobiles can make the claim of having more lines of code than a Boeing Dreamliner 747. Notably, in 2019, MG Motor unveiled Hector as India’s first internet car which comes with over-the-air software update capabilities, meaning that much like a smartphone, it can upgrade its software via wireless internet connectivity.
Telematics is the new age term for Global Positioning Systems (GPS) and on-board vehicular data. Put another way, a telematics system is the black box of vehicles. This system, much like an airplane’s black box, allows sending, receiving and storing of telemetry data, which includes the location of a vehicle, its speed, idling time, fuel consumption, tyre pressure and engine faults. Repair shops with remote access to sensors and systems on a vehicle can predict and diagnose maintenance and repair events. Insurance companies can rely on speed, acceleration and navigation data to provide accurate premium estimates for individual users as well as usage-based insurance products. Analysis of driving patterns can help develop new features and services ranging from connected infotainment to remote vehicle diagnostics and emergency breakdown automated calling. Altogether, such data helps in three value-creation models for industry players, namely, revenue generation, cost reduction, and enhancement of safety and security features. On the flip side, the generation and processing of such enormous amounts of valuable data is not without the risk of compromise.
Location tracking and data privacy
Anyone with access to a car’s navigation, bluetooth or Wi-Fi generated data is privy to enormous locational and other personal data such as, location of one’s home or workplace, frequency and timing of visiting a particular destination, the preferred route, current whereabouts and even contact lists containing personal information. This raises serious concerns relating to personal data privacy.
The European Union General Data Protection Regulation (EU GDPR), currently the strongest set of rules on personal data protection, includes location data as part of personal information. Additionally, recognising that collection and processing of location data can sometimes introduce high risks to privacy, particularly when an individual’s movement is tracked over time by monitoring bluetooth or Wi-Fi data, the EU has proposed an e-Privacy Regulation which is under consideration by the European Council. If passed as proposed, providers engaged in collecting location data would need to display prominent notices informing end-users, prior to their entering a defined area, of the technology in operation within a given perimeter for the purposes of tracking/data collection, as well as the existence of any measures available to the end-user to minimise or stop collection of his or her data.
Examining a question pertaining to breach of locational data, the US Supreme Court, in United States v Jones, discussed the expectation of privacy in GPS monitoring and observed that law enforcement agents and others should not secretly monitor and catalogue every single movement of an individual’s car for a very long period. Thus, unconsented and prolonged GPS monitoring has the potential to intrude on the sphere of privacy and personal data. In Mobley v State, the US Supreme Court, in the year 2019, again recognised the reasonableness of an individual’s expectation of privacy in digital data collected from a vehicle and held that collection of such data, without due authorisation, was unconstitutional. On a related note, the new California Consumer Privacy Act includes geolocation data within its ambit with certain exceptions – for example, sharing vehicle ownership information is deemed permissible for effecting a vehicle repair under warranty or a recall.
Location data is not covered within the ambit of personal or sensitive personal information under current data protection laws in India, particularly, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. Interestingly, location data is also not protected under the proposed personal data protection legislation framed as the Personal Data Protection Bill 2019.
The importance of consent
With the Indian automobile industry ready to offer high-end technology driven cars, there is a need to incorporate provisions on personal data protection similar to corresponding regulations in jurisdictions with more advanced data protection laws. Until then, it is imperative to cast contractual obligations on automobile manufacturers, original equipment manufacturers (OEMs), and dealers of self-driven cars equipped to store personal information of owners, to ensure safety of data. Another step towards ensuring privacy of vehicle owners’ information, could be seeking specific consent for collection and processing of data or providing auto owners the right to opt out of sharing personal data, and enabling an option for deletion of data, akin to the right to be forgotten promulgated in personal data protection legislations across jurisdictions, including the European Union and India. A few international car manufacturers do allow customers to opt out of data collection; nonetheless, the path to ensuring privacy of such data in India is sure to be a long one given that personal data protection laws in India are still at a nascent stage.