As vehicles become more connected, data privacy and security have become a more critical focus of the automotive industry. Connected vehicles can collect a wide range of data, including GPS histories and vehicle performance data; those that provide Internet connectivity and integration with smartphones can collect even more information about financial transactions, shopping preferences, and other data.
Individual states have passed data privacy legislation (California’s is the most stringent), but there has been some effort at the federal level as well. In 2017, Congress passed the Safely Ensuring Lives Future Development and Research in Vehicle Development (SELF DRIVE) Act that requires creation of cybersecurity plans for automated driving systems, and the U.S. Department of Transportation has also issued federal guidance. However, most of these efforts have been targeted at security and safety. There has not been much direction on the use of data that is willingly provided by consumers in order to use an app or a connected vehicle.
In the aftermarket, access to vehicle diagnostic and maintenance data is a continuing battle, as OEMs attempt to close off more of the information in order to gain back service business. At the heart of that conflict is ownership of the vehicle data – does it belong to the automaker or the driver? How much control should consumers have over their personal data, as they give up more and more privacy in order to utilize technology and software applications?
Those questions were top of mind at a recent Senate hearing on consumer data privacy. On May 1, the U.S. Senate Committee on Commerce, Science & Transportation held a discussion titled “Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework. Testifying at the hearing were a number of consumer and privacy advocates.
“The consumer benefits of a data-driven economy are undeniable. These benefits are what fuel the vibrancy and dynamism of today’s Internet marketplace,” said committee chair Roger Wicker (R-Mississippi) in his opening statement. “Despite these benefits, however, near-daily reports of data breaches and data misuse underscore how privacy risks within the data-driven economy can no longer be ignored.”
Committee members at the hearing noted that data privacy problems are generating consumer mis-trust, and that self-regulation has so not been up to the task of ensuring data privacy. Witnesses at the hearing talked about the effects of California’s Consumer Privacy Act (CCPA) and the European Union General Data Protection Regulation (GDPR), which recently went into effect, as well as the need for a more comprehensive approach to data security.
“The United States currently does not have a baseline set of legal protections that apply to all commercial data about individuals regardless of the particular industry, technology, or user base,” said Jules Polonetsky, CEO of the Future of Privacy Forum. “For the past decades, we have taken a sectoral approach to privacy that has led to the creation of federal laws that provide strong protections only in certain sectors such as surveillance, healthcare, video rentals, education records, and children’s privacy. As a result, U.S. federal laws currently provide strong privacy and security protection for information that is often particularly sensitive about individuals but it leaves other ‒ sometimes similar ‒ data largely unregulated aside from the FTC’s Section 5 authority to enforce against deceptive or unfair business practices. “
Consumers need better ways to control their personal information without losing access to the apps and services they want. Currently, many privacy agreements are lengthy and difficult to understand, and are primarily focused on consent using either opt-out or opt-in approaches.
This notice and consent approach has its limits, though. In many case, consumers can either consent to sharing data, or lose access to the app or service. “Notice and consent is not enough, in part because in a lot of cases people don’t have meaningful choice,” said Neema Sing Guliani, senior legislative counsel for the American Civil Liberties Union (ACLU). “If the option is between not having a service at all or turning over massive amounts of data, a lot of consumers consent but it’s not really consent… We have to go beyond notice and consent to get at terms that really take advantage of people’s privacy and exploit their lack of choice.”
“A federal privacy bill must build on the notice and consent framework by explicitly prohibiting certain types of data use,” said Senator Edward Markey (D-Mass.), who wrote the new privacy Bill of Rights currently under consideration in the Senate, which would establish rules for data use and ban the use of personal information for harmful, or discriminatory purposes.
While acknowledging that standards would be helpful, witnesses at the hearing were not enthusiastic about federal legislation that might weaken existing state privacy laws. As such, the prospect of federal preemption was the focus of much of the testimony.
“The last thing we want to do is weaken the ability of [states] to have a seat at the table to enforce and create new laws,” Guliani said.
“I would oppose any effort that preempts state laws [that would] weaken protection for consumers,” said Senator Richard Blumenthal (D-Connecticut). “Nobody believes the people of the United States deserve less privacy protection than the people of California.”