Many digital services and products intensively collect user data. However, we usually don’t think that a car can do this, even if many of them are already connected to the Internet without problems. The Mozilla Foundation has released a report warning about the enormous amount of personal data collected by manufacturers, based on an investigation into the privacy policies of 25 major automotive brands. The study uses the United States as a reference, although the Mozilla Foundation clarifies that it also reviewed the European Union’s data protection guidelines (with a particular focus on Germany). The organization’s researchers examined all major brands on the market, such as Toyota, Volkswagen, BMW, Ford, Kia, Hyundai and Tesla.
More information
The conclusions are striking. According to the study, automakers may be collecting more personal data than necessary to improve their vehicles. This includes demographic data (name, age, gender, home address), but also the username in a social network or the contacts in your calendar. Additionally, some brands could even capture the owner’s ethnicity, facial expressions, information about their health and even their sex life.
After learning of the report, EL PAÍS contacted the Spanish subsidiaries of several automotive brands to find out how their privacy policies adapt to the national territory. Only Nissan Iberia has responded and stated that the company strictly complies with European regulations (GDPR) and does not collect or process sensitive personal data. “The statements made in this report about the collection and processing of personal data are unrelated to the data protection practices at Nissan Europe, to which we report all countries in this market,” the company explains. Nissan did not specify to this newspaper what personal data its cars collect or what kind of consent it obtains from the owner.
Samuel Parra, a lawyer specializing in technology law, recalls that informed consent is required for the processing of our data to be valid. “If they want a client to agree to four different treatments [el término tratamiento incluye la recogida y posterior procesamiento o cesión de la información] which they have to offer you in four different boxes. Mass adoption of the entire Privacy Policy will invalidate consent.”
Cars therefore cannot collect personal data. This includes all information that allows the person or vehicle to be identified. “If you add that your car traveled from Murcia to Madrid, the vehicle will be geolocated there in space and time. And this information can be personal,” emphasizes Parra.
The Mozilla Foundation report is part of the “Privacy Not Included” research series. [la intimidad no está incluida], which analyzes the state of privacy in various areas. The foundation’s researchers spent 600 hours on the work, they say. It took 24 hours for each brand. And their findings apply to modern cars that can connect to the Internet or digital services via a smartphone.
“As cars become more connected and computerized, they have become more of a privacy nightmare,” says Jen Caltrider, researcher and director of the Mozilla Foundation’s Privacy Not Included program. And he adds: “Cars now have many integrated sensors, such as microphones and cameras.” Cars collect personal data when people interact with the vehicle. According to the researchers, this happens through these sensors, integrated digital services or the car application, which becomes the gateway to the contents of our phone.
There are not many concrete calculations about the volume of business data can drive from the automotive industry. But in 2016, consulting firm McKinsey & Co estimated that they could be so profitable that they could generate $750 billion by 2030. A current forecast from Statista calls for sales of more than $20 billion for the same date.
Although they dance, these numbers help understand car brands’ eagerness for personal data. Added to this is their nature as players in a traditional industry, forced to operate in a sector completely different from their own. “There are car manufacturers that are fundamentally getting into the data business and developing into technology companies,” argues Caltrider.
The GDPR as a protective shield for European users
European regulations, the GDPR (General Data Protection Regulation), provide for the protection of users from the main abuses highlighted in the Mozilla Foundation report. The collection of sensitive data, such as ethnic origin, information about health or sexual life, is generally prohibited under this legislation.
Parra also points out that eavesdropping through sensors should be banned in Spain, as it enters the area of communications surveillance and communications secrecy, two categories guaranteed by the legislation. However, the lawyer believes that there may be deficiencies in the processing of vehicle owners’ data both in Spain and in other EU countries.
The collection of data for which consent is not expressly given and accepted must be anonymous. However, this is not always the case. “Some brands know how you accelerate and how you drive the car and can predict tire wear without having a sensor that measures it. If you have severely worn tires, the car will send you an alert recommending that you change the tires. “Did you receive anonymous information in this case?” Parra asks rhetorically. “No, they had to get it specifically through your car because if not, how do they know it was you who drove like that? “They had to know it was your car to send you the appropriate notice.”
The problem, according to the technology law specialist, is that automakers may not know how to anonymize the information: “Often they believe that certain information is anonymized because it is not accompanied by a first and last name or an email address .” But it is not like that. The license plate, the VIN or even the IP to which the car is connected to process the shipment, if stored, are also personal data.”
You can follow EL PAÍS technology on Facebook and Twitter or sign up here to receive our weekly newsletter.
Subscribe to continue reading
Read without limits