Is your connected car spying on you infinitely more than you can imagine?

Is your connected car spying on you infinitely more than you can imagine?
Is your connected car spying on you infinitely more than you can imagine?

Cars, through connectivity, have become real centers for collecting personal data.

Julien Pillot: Let’s start by remembering that cars, through connectivity, have become real centers for collecting personal data. This is the result of the multiplication of sensors and on-board cameras, which will record a whole bunch of information relating to the state of the vehicle, but also more sensitive information concerning your uses (driving style, journeys, etc.), even data relating to your conversations, the identity of your carpoolers or your practices inside the passenger compartment. The Mozilla Foundation’s “Privacy not included” report is quite enlightening on the subject.

Some manufacturers offer their customers the ability to collect their data for two purposes. The first is to regularly access vehicle data to ensure predictive maintenance. This allows the owner to be alerted when the vehicle requires intervention to change a wearing part or to rectify a possible malfunction. The second consists of transmitting data relating to driving (driving time, sudden acceleration, speeding, emergency braking, etc.) in order to establish a “driver profile”. Good drivers are thus rewarded with a reduction in their insurance policy, and vice versa. We understand that the underlying business model is based on the sale of this personal data to third-party insurance companies which, in turn, will pass on this acquisition cost, increased by the bonuses granted to good drivers and a bonus of risk, on bad drivers.

This is the meaning, since you cite it, of General Motors’ “On Star Smart Driver” program. The idea is to rely on “gamification” to encourage customer-drivers, by allowing them to have real-time access to their driving data, to improve their driving behavior in order to reduce their insurance policies. insurance. It is also necessary that the customer-driver is fully informed of the outlines of the program, the partner companies, the possible positive or negative consequences, and has explicitly given his consent to participate in the program. And on this subject, some manufacturers do not always seem impeccable.

What are the ethical and legal implications of collecting and sharing driving data without explicit consent from drivers?

On an ethical level, it is first of all a question of trust which can be definitively broken between the manufacturer and the customer, if the latter realizes that the manufacturer is reselling his data without his knowledge. Even more so if this less than transparent behavior ends up harming it if it results in an increase in the insurance policy. This question of transparency is crucial and is not limited to the classic question of T&Cs which customers, it is true, almost never read. It is also a question of process throughout the vehicle sales process. Sellers and dealers are required to clearly explain the contours of this type of program, to obtain explicit and informed consent. Do they do it? We have the right to doubt it, especially since dealership salespeople are interested in registering for the program. In other words, manufacturers don’t just want to sell cars, they want to sell connected cars and as many services as possible that take advantage of this connectivity.

Legally, the consequences may vary from one jurisdiction to another. For example, where the GDPR applies, financial penalties can amount to 4% of turnover depending on the assessment of the seriousness of the violation, its scale or the duration. This sanction may be accompanied by corrective measures, but also criminal sanctions and the payment of damages as well as publicity of the violation, which can lead to a loss of image.

In the case that interests us, these sanctions could be aggravated to the extent that, in 2014, the Alliance for Automotive Innovation (alliance of the largest automobile manufacturers in the world, including GM) committed to the Federal Trade Commission to issue customers with “clear, meaningful and visible” information regarding the collection of data, as well as the purposes for which they are collected, and the entities with which the data may be shared. Obviously, these commitments – which were renewed in 2022 – have not been systematically respected, which may constitute an aggravating circumstance.

Are there specific regulations or standards in place to govern the collection and sharing of driving data by automobile manufacturers, and how effective are these regulations?

Again, this depends on the jurisdictions and applicable law.

The GDPR, where it applies, meets this objective of completely transparently regulating the collection and sharing of driving data. Car manufacturers are subject to it and must therefore comply.

As for whether the regulation is effective, it depends on many parameters which are not always observable. What we can objectively observe is the total amount of sanctions imposed for violation of the GDPR since its entry into force in the EU: 4.5 billion euros. Unsurprisingly, it is the digital giants and data brokers who are particularly targeted. What is not observable is the extent to which the implementation of GDPR has pushed companies to be transparent where they would not have been in its absence. Generally speaking, apart from ethical considerations, companies will often behave rationally at this level: they will estimate the gain linked to a violation of the rule (which also includes the cost savings linked to compliance), and reduce it by the potential sanctions multiplied by the probability of being sanctioned. Which often leads me to say that the effectiveness of a rule depends closely on the capacity of the authorities to detect infringements and to apply a truly dissuasive sanction.

How might recent revelations regarding General Motors’ collection and sharing of driving data influence the practices of the auto industry as a whole?

It is very difficult to provide an answer to this question, especially since we do not know to what extent GM’s practices are generalized in the industry, or if it is an isolated case.

Several scenarios are possible. In the event that GM were subject to a particularly high financial penalty, and saw its image significantly damaged, then this precedent could serve as an example to discipline the entire industry. The idea is not so much to prohibit the resale of driving data to insurers, but to do so in accordance with the rules of good consumer information, in complete transparency, and by explicitly obtaining their informed consent beforehand. Which is exactly what the Alliance of Automotive Innovation committed to before the FTC in 2014.

What technical and legal challenges do automakers face when trying to collect and share driving data while respecting consumer privacy?

It is important that manufacturers only collect data related to the proper functioning of the vehicle and its use. Data relating to private life (nature and frequency of travel, private conversations, number and identity of people in the passenger compartment, etc.) do not need to be known by them.

As for driving data, as we have seen, it is first and foremost a question of ethics which requires ensuring, throughout the customer journey, that the customer is perfectly informed of the nature the data collected, the entities to which it can be resold, and the consequences – positive and negative – for him. This requires reviewing the entire sales process, starting with the way in which dealership salespeople are well (in)trained in the sale of connected products and services, and reviewing the incentive compensation mechanisms that can easily turn into a “crime pusher”.



PREV Butane gas: the price of the cylinder increases to 50 DH this Monday, May 20
NEXT “I don’t understand what I’m doing behind the wheel if I don’t have music on during a journey” – Libération