Many digital services and products collect user data intensively. However, this is usually not expected to be done by cars, even though many cars can easily connect to the internet. The Mozilla Foundation has released a report based on an examination of the privacy policies of 25 major car brands, warning of the vast amounts of personal data that manufacturers collect. Although this study uses the United States as a reference point, the Mozilla Foundation also considers the European Union’s privacy policies, with a particular focus on Germany. The organization’s researchers looked at major brands on the market, including Toyota, Volkswagen, BMW, Ford, Kia, Hyundai, and Tesla.
The findings of this report are surprising. According to the study, automakers may collect more personal data than is necessary to operate and improve their vehicles. These include demographic data such as name, age, gender and home address, as well as usernames and address book contacts on social networks. Additionally, depending on the brand, information about the car owner’s ethnicity, facial expressions, health and sex life can also be collected.
After learning of this report, EL PAÍS contacted the Spanish subsidiaries of several car brands to find out how their privacy policies are applied in the country. Only Nissan Iberia responded, saying it strictly complies with the European General Data Protection Regulation (GDPR) and does not collect or process sensitive personal data. “The statements in that report regarding the collection and processing of personal data are independent of Nissan Europe’s data privacy practices, which we comply with in all countries in this market,” the company said. Nissan does not say what kind of personal data its cars collect or what consent is required from owners.
Samuel Parra, a lawyer specializing in technology law, points out that for data processing to be effective, informed consent is required. “If he wants a customer to agree to four different treatments, [the term treatment includes the collection and subsequent processing or transfer of information] They must provide 4 separate boxes [to tick]. Blocking your consent to the entire Privacy Policy will revoke your consent. ”
Therefore, the car cannot collect personal data, including information that can identify individuals or vehicles. “If they add that your car traveled from Murcia to Madrid, they are determining the spatial and temporal location of that car. And this information could be considered personal ” points out Parra.
This report forms part of the Mozilla Foundation’s ‘Privacy Not Included’ research series, which analyzes the scope of privacy in a variety of sectors, including mental health apps and entertainment. The Foundation researcher spent 600 of his hours on automotive reports, of which 24 of his hours were spent on each brand.
“As cars become more connected and computerized, they are becoming increasingly privacy nightmares,” said Jen Kaltrider, director of the Privacy Not Include program. “Cars now have many sensors built into them, such as microphones and cameras.” Personal data is collected when people interact with their vehicles. The researchers say this is done through these sensors, integrated digital services, or an app in the car that acts as a gateway to content on the phone.
There aren’t many hard numbers on how much business data in the auto industry can drive, but consulting firm McKinsey & Company estimated in 2016 that the auto industry could generate enough profits to generate $750 billion by 2030. I estimated that I could get . Recent projections from Statista predict that the company could generate more than $20 billion in revenue by that date.
While these numbers vary, they can help you understand how car brands seek your personal data. Added to this is the nature of automakers as players in traditional industries, forcing them to operate in areas very different from their own. “Some automakers are essentially getting into the data business and becoming technology companies,” he says.
GDPR as a shield for European drivers
Europe’s GDPR regulations provide protection for users against the main abuses detailed in the Mozilla Foundation report. The collection of sensitive data such as ethnic origin, health, and sex life information is generally prohibited by this law.
Parra also points out that eavesdropping through sensors should be prohibited. This is because this activity falls under the area of wiretapping and confidential communications, which are protected by law. However, lawyers believe there may be flaws in the processing of vehicle owners’ data, both in Spain and in other EU countries.
Data collection where consent is accepted rather than explicit should be anonymized. However, this is not always the case. “Some brands know how you accelerate and drive your car and predict tire wear without having sensors to measure it. sends an alert inviting exchange. Did they receive anonymous information in this case?” Parra asks rhetorically. “No, they should have received specific information about your car, because if not, how would they know you were driving like that? They needed to realize that it was your car.”
The problem, according to technology law experts, lies in the fact that automakers may not know how to anonymize the information. “In many cases, certain information is believed to be anonymized because it is not accompanied by a first name, last name, or email address.” But that’s not the case. A license plate, vehicle identification number or, if stored, the IP address that the car connects to in order to send a package is also personal data. ”
sign up Get more English news coverage from EL PAÍS USA Edition with our weekly newsletter.