How to handle data privacy issues in the car industry

Björn Kjellén, Chief information security officer (CISO)

Introduction

The automotive industry is now delivering vehicles with connectivity for exchange of information, provision of services, emergency assistance, support of road safety and traffic planning, etc. Many of these services require the location to be sent from the cars, which is regarded as sensitive information in many cases. In addition, it's possible to calculate the speed along the trip, which is a concern as well.

What kind of data do the car companies collect and how must this information be handled?

Customer provided personal data
You as a customer provide contact, vehicle, purchase and preferences information to the car companies via dealers, customer centers, websites, etc.

Vehicle generated and recorded data
The vehicle automatically collects data from the car and the surroundings, and this data is mainly of a technical nature. This data is connected to the identification number of the car and might be traceable to you. It can include data about safety, in-car system status, driving data, location, etc.

Why vehicle data privacy principles are needed

The connectivity technology will give a lot of opportunities to provide convenience and services to the customers, which requires collection of personal related data from the cars and from the consumer directly.

Customer trust is essential to the success of vehicle connectivity technologies and services. It's about not only following legal requirements but also being an ethical company.

Vehicle data will also support common services such as traffic status and planning, road safety, parking optimization, etc.

The car industry must ensure that these vehicle technologies and services can deliver benefits to the customers while respecting their privacy.

Vehicle data might be collected and sent from the car in an emergency situation (E-call) or used in a legal process.

The car industry must, besides the vehicle legislation, also take laws about data privacy into account when developing cars.

Consumer privacy protection principles

Transparency
On request, provide the customer with clear notices about what data the car company processes and for which purposes (collection, use and sharing).

Choice
The customer, Owner or Registered Driver, is in the possession of the car and by that owns the data in the car. It's the customer's choice to share the data or not.

Consent
The request for consent to process the customer's data must be clear and explicit. The consent must always be possible to revoke when the customer wants to do so. In some cases data must be collected from the car without having the consent in order to provide car maintenance, enhance quality, manage warranty issues and for legal reasons.

Data use
The collected personal data is used for providing information about products, services, updates, support, offerings, etc. The data is also used for improving vehicle performance, quality and safety, and to comply with legal requirements. The data must only be retained as long as it's necessary to fulfill the purpose as outlined at collection.

Data security
The car company must implement reasonable measures to protect the processed customer information against unauthorized access, maintain the integrity and ensure availability when needed.

Disclosures to third parties
The car company must only disclose the personal data to a third party, after the customer's consent, when needed to provide maintenance, product information, offerings, etc. It might also be required due to a legal process.

Marketing
The car company should not sell or trade the customer's personal data without consent.

References

Volvo Cars Customer Privacy Policy
Auto Alliance Privacy Principles

bjorn.kjellen@volvocars.com