Data has become currency in a digital economy that incentivises the collection of more and more personal data, and that concentrates power in the hands of those who know the most about us.
Some of you may have heard me talk about how privacy is about power.
Information about us is core to who we are, and it is closely linked to our ability to determine who we are and what we do in life. When we have control of our personal information, we are empowered.
Equally, when others can access and use our information, they are wielding power.
It is becoming more and more evident how companies can wield and exert power over individuals by collecting, using, selling or tracking their personal information.
This is particularly the case in the digital realm, but connected cars are an example of how it is extending into the physical realm too.
Are connected cars driving us into danger?
Of course, there are benefits to connected cars.
They might make driving safer, for example, by enabling the flow of information between cars, the car user, emergency services and road infrastructure.
Connected cars also offer convenience and personalised experiences, such as through providing the car user the ability to remotely view details of and control their car via an app.
But there are also significant privacy risks that carry the potential for harm.
Going back to privacy being about power, one of my key concerns is the knowledge gap between manufacturers and connected car users and the power asymmetry and potential for harm this creates.
Broad collection of personal information – sometimes excessive
Our cars are increasingly collecting data about us. This data can include:
- vehicle data, such as odometer, door status, internal temperature
- driving data, such as speed, acceleration, braking, direction of travel
- location data, including recent trips and geolocation
- voice data, such as voice recognition and voice commands
- images from internal and external cameras, including of people
- data from connected phones and apps.
This can include some very personal and even sensitive data, and it can paint an intricate picture of our lives and movements.
Location data in particular is a very important and revealing category of information that raises clear privacy concerns. In our 2023 Australian Community Attitudes to Privacy Survey, the community identified location data as one of the biggest privacy risks faced today (52% of people). Eighty-seven per cent of people felt it was not reasonable for an entity to track an individual’s location where it was not required for a location-based service. The overwhelming majority expressed particular concern about location tracking of children, with 84% expressing support or strong support for location tracking to be switched off by default.
A lack of transparency
Many Australians may not expect that this data is even being collected, and they may not expect or understand some of the ways it may be used and disclosed.
Research by the Australian Automotive Aftermarket Association found that in 2021, only 2 in 10 drivers were aware that their vehicle was transmitting data back to the car manufacturer about their car and driving behaviour.
The same research found 7 in 10 motorists were extremely or very concerned by the risks associated with data sharing, and around 8 in 10 wanted the ability to choose who has access to their vehicle data.
A key reason for this lack of awareness and high level of concern is the opaqueness of car manufacturers’ data handling practices.
Dr Kemp found in her Driving Blind report that consumers would need to read on average around 3 documents per car brand, adding to just under 14,000 words, to discover the privacy terms. For the average person, that is around 45 minutes to an hour of reading – of information that might not be all that clear or useful.
The absence of informed and meaningful consent
A broad range of information being collected (often invisibly), plus the difficulty in comprehending the consequences of this information being collected, used and disclosed due to the lack of transparency, add to a situation where it is hard for consumers to provide fully informed and meaningful consent.
A lack of individual control and choice
In many cases, car users are opted in automatically to connected car features when they buy the car or download the car’s app.
If they want to opt out, it is either difficult or there is no ability to do so.
In their review of the data collection practices of popular car brands, Choice found that in some cases, removing connected features disabled other functions of the car, such as maps and weather, or may void warranties.
Limiting people’s choice and control is a clear example of how companies can wield power over individuals.
Security risks
The overcollection of data gives rise to security risks. By collecting so many data points, connected cars provide as many opportunities for malicious or rogue actors to access and misuse that information.
Where a car has a shared use or has been sold, it is often left to the past users to delete their accounts to prevent any unauthorised access – future users might be able to access data about the past user, such as information on the dashboard obtained from pairing a smartphone, previous ‘home’ addresses or past trips.
There have also been cases where alleged perpetrators of domestic violence have used connected services to track their former partners.
With some connected cars, people are able to perform functions remotely, such as initiate a camera recording or unlock a parked car. It is possible these functions might also be exploited by malicious cyber actors.
There are also potential risks to national security, whether that is in the terms manufacturers apply to their data practices, or the risks associated with the data being collected.
Misuse of personal information
A widely reported risk has been the use of information in ways people might not expect.
Choice’s research found certain connected car manufacturers collected voice recognition data, which they sold to an AI software training company.
In January, the US Federal Trade Commission announced action against General Motors and OnStar over allegations they collected, used and sold drivers’ precise geolocation data and driving behaviour from millions of vehicles without adequately notifying consumers and obtaining their consent.
The FTC’s allegations include that the companies sold the data to consumer reporting agencies, who used the information to compile credit reports on consumers, which were in turn used by insurance companies to deny insurance and set rates.
In 2023, a Reuters investigation found Tesla employees were sharing sensitive footage cars captured in internal messaging forums.
Connected car practices of concern
There are many aspects of connected cars that I think as a society we should pause on and consider now.
As Australia’s Privacy Commissioner, there are some specific issues I am considering, and acts and practices of concern.
The Australian Privacy Act is a principles-based and technology-neutral law – this was by design to ensure the law was flexible to the circumstances of specific entities and relevant in the case of technological change.
At the centre of the framework are the Australian Privacy Principles – there are 13 of them; they set out standards, rights and obligations around the handling of personal information.
One of the issues in the case of connected cars is the definition of personal information.
Under the Privacy Act, the term ‘personal information’ includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.
The data collected by connected cars can be used in isolation or combined with additional data collected to draw conclusions or form an opinion about an individual, which may include sensitive information.
For example, location data can be used to infer a person’s place of work, religious beliefs, or visits to medical providers.
There are complexities and unresolved issues relating to the definition of personal information – for example, whether vehicle data and driving data are about the car, as opposed to the individual.
The Privacy Act says organisations may only collect information that is reasonably necessary for their functions or activities, and personal information must only be collected by lawful and fair means.
I have spoken about the extensive data collected by connected cars, sometimes for broad purposes.
This raises questions about:
- whether it is necessary for all this data to be collected
- whether it is fair for all this data to be collected – for example, where a user might have opted not to use specific features of the car and those features still collect data.
When exploring new products and services that involve handling personal information, businesses should consider whether collecting the data is necessary and whether the reason for it is proportionate to any impacts on privacy. This should involve asking: Are there less privacy-intrusive options available that achieve the goal at hand?
The proliferation of sensors in connected cars increases the risk of collecting excessive information beyond what is required.
Sensors may collect data in a continuous and automatic way, with the user having limited or no ability to effectively opt out.
There are additional requirements for organisations that collect sensitive information.
Unless an exception applies, the organisation must satisfy the earlier criteria that the collection is reasonably necessary – that is, that it is proportionate. And the individual must consent to their information being collected.
Connected cars might collect biometric information for identification, such as voice and face prints. This is sensitive information. As might be geolocation data, which indicates the user’s geographical location and paints a rich picture of their life. While geolocation data is not explicitly classified as sensitive personal information, where it reveals aspects of sensitive personal information – for example, health information by virtue of an individual’s proximity to a specialist practitioner or abortion clinic – the waters become muddied.
Issues around consent are exacerbated where data is collected not just about the driver, but other users of the vehicle too, which might include children or vulnerable people who do not have the capacity to consent.
The Privacy Act sets out how organisations may use or disclose personal information. Generally, they can only use or disclose personal information for the purpose for which it was collected, and only for a secondary purpose if an exception applies.
I have concerns where data collected is disclosed to third parties for a secondary purpose, beyond the provision of connected services to the car user.
Examples of this include where data is provided to dealers, or to insurers to assess claims.
There are complexities when it comes to cars. These include that:
- Many people may get their car through a dealer and never deal directly with the car manufacturer.
- Unlike many devices, cars are often shared. The car might have passengers or be a rental car. Perhaps it is a fleet car provided by the employer, or a company car authorised for both business and personal use.
- Cars often carry passengers. For example, children and young people are likely to be active users of car entertainment systems and voice assistants. As a side note: businesses should be aware that the OAIC is developing a Children’s Online Privacy Code that will impose a higher level of privacy requirements for online services accessed by children, which may include connected cars.
This can create added difficulty for organisations seeking to provide privacy information and comply with the law.
Ultimately, accountability is a key pillar of doing privacy well, and all businesses involved in the car market have a role to play in protecting and promoting privacy.
It is critical that everyone who uses the car understands how their personal information is being used, so they can enact their individual rights.
The road ahead
Empowering individuals against big data holders is a key focus area.
Connected cars will dominate the market in future – it is anticipated in Australia they will account for 93% of new car sales by 2031.
It is an area of increasing public interest and concern, and while the Australian connected car market is not as advanced as overseas markets, we have seen significant privacy issues in other jurisdictions, including instances where driver data is used to build risk profiles about individuals, and in some circumstances, sold to insurance brokers.
Car manufacturers and other third parties that are subject to the Australian Privacy Act have strict obligations that they must comply with, and the OAIC will be ensuring that there is compliance to the fullest extent as we look into issues concerning connected cars.
This is an area that aligns strongly with our regulatory priorities and statement of regulatory approach. We have an opportunity in Australia to set industry standards and prevent some of the concerning practices we’ve seen overseas from occurring here.
As part of our work, the OAIC will be looking to consult with key stakeholders. We commend and welcome workshops such as this today that support the exchange of ideas and collaboration.
In the meantime, we encourage businesses to recognise that not only are good privacy practices the right thing to do, they also make good business sense.
Our research shows Australians place a high value on privacy when choosing a product or service, with it ranking only after quality and price. They are even prepared to experience some inconvenience if their privacy is guaranteed.