Keep your car data safe

Cars are constantly collecting huge amounts of data that is being used for many different purposes. These purposes include; driving and parking assistance or navigation systems. While this data is used in convenient and efficient ways, the collection of personal data in cars – such as location, speed and braking habits – could also be considered a privacy threat that you can’t escape. Data protection commissioner of Baden-Württemberg, Germany, Dr. Stefan Brink, knows how to handle this as a car owner, what issues you should be aware of and how to protect your data best.

By Leonie Rothacker
Photo by Michael Gil / CC


According to the Future of Privacy Forum, four types of data are being collected in cars. Which do you consider to be the most sensitive?
I do not think that a differentiation between these categories would be appropriate. Whenever data gives reference to a person, this data is sensitive and should be handled carefully. Even technical data can be personal data which needs to be protected. When technical data – for example the information showing whether the seat belt is fastened – is combined with the vehicle identification number (VIN), this results in personal data. The VIN allows a conclusion as to the vehicle owner, which makes the data personal data.

Do you expect even more data to be collected in the future?
This depends highly on future technical developments and customer behaviour. We see a tendency that customers increasingly want to use connected car technology. They appreciate the safety aspects, for example a predictive brake assist system or a traffic warning assistant, and are willing to ‘pay’ for some of these services with their personal data. My assumption is that data will become even more important in the context of cars and transportation generally in the future.

Who do you see responsible of keeping the data private and finding data protection solutions? Original Equipment Manufacturers (OEMs), suppliers, car dealers, the car owners themselves, others?
The GDPR (General Data Protection Regulation), which will apply as of the 25 May 2018, clearly determines the responsibility for personal data. The OEMs are under an obligation to respect data protection rules when they develop new products. Obviously, they are obligated to monitor their suppliers to adopt the data protection rules accordingly. Regarding the current reports and discussions about the ‘transparent driver’ you will recognise that customers are becoming more conscious about this issue. The customer of the future will ask which services are included in a car and which data he discloses by using these services.

He wants to be informed about the processed data before buying or using a car. For this reason, it is important to properly inform the customer about the data protection mechanisms included in the car. Furthermore, it is important to inform the customer to whom the data are transmitted. He must not find out after purchase what kind of data is used and if the data is transmitted to a third party. Therefore, the issue of ‘data protection’ must be observed even more in the future but it can also be a competitive advantage for the OEMs. I am convinced that the ‘data protection’ will play a significant role in the purchase decision of customers in the future. Against this background it is especially important for the OEMs to also properly inform their car dealers. The car dealer is the first contact for the customer. He must be prepared for questions concerning data protection. The OEMs have to transform the GDPR’s call for transparency and better knowledge into practice. Finally, the data protection authority will closely monitor their compliance with the GDPR.

The collected data is being sent to several entities such as other cars, car manufacturers, infrastructure elements, emergency services or are being uploaded to clouds to be accessible for other third parties.

As car owners, how can we keep our data private nowadays and in the future?
It is obvious that personal data is necessary in certain cases or for certain devices. For example; navigation systems. Navigation without GPS-data will not work. Yet, the customer has to consider the total effect of disclosing this data as well. He has to develop the awareness of data protection and must not automatically put a check on each suggested field. A given permission can also be cancelled in the future. A condition for the awareness is, however, the information about the use of data. This information must be transparent, extensive and comprehensible. The client must be able to choose for himself which information is transmitted where, and therefore retain personal control over the exchange of the data.

What impact does the collection of data in cars have on our (everyday) life? Which parts of our life might it affect in the future?
You have to consider both sides: On one hand, connected cars offer more safety. For example, in the case of an accident the implementation of the E-Call should improve receiving help faster. Emergency services can get to the accident site quickly and are informed about the circumstances (how many people are involved, are there serious or minor injuries, etc.).

On the other hand, it would be utopic that the personal data is just collected for ‘charity’ use; I think that all the players in the field of connected car technology (OEMs, suppliers, third-party-providers) want to benefit from the given personal data. We as a data protection authority consider it our task to have a critical view on the whole process.