Many digital services and products collect user data intensively. But we normally don’t think that a car does this, even though many of them already easily connect to the Internet. The Mozilla Foundation has published a report that warns of the enormous amount of personal data collected by manufacturers, based on the study of the privacy policies of 25 major automobile brands. The study takes the United States as a reference, although the Mozilla Foundation clarifies that it has also reviewed the privacy policies of the European Union (with a special focus on Germany). The organization’s researchers have examined all the major brands on the market, such as Toyota, Volkswagen, BMW, Ford, Kia, Hyundai or Tesla.
The conclusions are striking. According to the study, car manufacturers may collect more personal data than necessary to improve their vehicles. Among them are those of a demographic nature (name, age, gender, residential address), but also the username on a social network or the contacts in your calendar. In addition, some brands could collect even the owner’s ethnicity, facial expressions, information about his health and even his sex life.
After learning of the report, EL PAÍS has contacted the Spanish subsidiary of several automotive brands in order to find out how their privacy policies adapt to the national territory. Only Nissan Iberia has responded stating that it strictly complies with European regulations (GDPR) and that it does not collect or process sensitive personal data. “The statements made in that report about the collection and processing of personal data are not related to the data privacy practices at Nissan Europe, to which we report all countries in this market,” the company states. Nissan has not specified to this newspaper what kind of personal data its cars collect or what type of consent they ask for from the owner.
Samuel Parra, a lawyer specializing in technological law, remembers that for the processing of our data to be valid, consent must be informed. “If they want a client to consent to four different treatments [el término tratamiento incluye la recogida y posterior procesamiento o cesión de la información] that they have to offer you in four different boxes. Bulk acceptance of the entire privacy policy renders consent invalid.”
Cars, therefore, cannot collect any personal data. And this includes any information that could identify the person or vehicle. “If they add that your car has gone from Murcia to Madrid, there they are geolocating the vehicle in space and time. And this information can be personal,” Parra emphasizes.
The Mozilla Foundation report is part of the research series Privacy Not Included [la intimidad no está incluida], which analyzes the state of privacy in different areas. The Foundation’s researchers have dedicated 600 hours to the work, they say. Each brand has taken them 24 hours. And their results apply to modern cars, those that can connect to the internet or connect to digital services through a smartphone.
“As cars have become more connected and more computerized, they have become more and more of a privacy nightmare,” says Jen Caltrider, researcher and director of the program. Privacy Not Includedfrom the Mozilla Foundation. And he adds: “Cars now come with many integrated sensors, such as microphones and cameras.” Cars collect personal data when people interact with the vehicle. According to the researchers, they do it through these sensors, integrated digital services or the car application, which becomes a gateway to the content of our phone.
There are not many specific calculations on the volume of business that data from the automotive industry can move. But in 2016, the consulting firm McKinsey & Co estimated that by 2030 they could become so profitable as to generate 750 billion dollars. In a recent forecast, published by Statista, there is talk of revenues of more than $20 billion for the same date.
Although they dance, these figures help to understand the eagerness of car brands for personal data. Added to this is their nature, as actors in a traditional industry forced to maneuver in a sector very different from their own. “You have car manufacturers that are basically getting into the data business and becoming technology companies,” Caltrider argues.
The GDPR as a shield for European users
European regulations, the GDPR (General Data Protection Regulation), contemplate user protection against the main abuses detailed in the Mozilla Foundation report. The collection of sensitive data, such as ethnic origin, information on health or sexual life, is generally prohibited by this legislation.
Parra also points out that listening through sensors should be prohibited in Spain, since here one enters the field of interception of communications and the secrecy of communications, two categories where the legislation guarantees. However, the lawyer believes that both in Spain and in other EU countries there may be deficiencies when it comes to processing the data of vehicle owners.
The collection of data whose consent is not explicit and accepted must be anonymous. But this is not always the case. “Some brands, knowing how you accelerate and how you drive the car, predict tire wear without having a sensor to measure it. When you have worn the tires a lot, the car sends you a warning to recommend that you change the tires. In this case, have they received anonymous information?” Parra questions rhetorically. “No, they had to receive it specifically about your car, because if not, how do they know that it was you who was driving like that? “They had to know it was your car to send you the corresponding communication.”
The problem lies, according to the technological law specialist, in that car manufacturers may not know how to anonymize the information: “Many times they believe that certain information is anonymized because it is not accompanied by a first and last name or an email address. But it’s not like that. The license plate, the chassis number or even the IP to which the car is connected to make the shipment, if they store it, is also personal data.”
You can followEL PAÍS Technology in Facebook andTwitter or sign up here to receive ourweekly newsletter.
Subscribe to continue reading
Read without limits
