Does your car collect your personal data?

Many digital services and products collect user data intensively. But we don’t normally think of this as being done by a car, despite the fact that many of them are easily connected to the internet. The Mozilla Foundation has published a report that warns of the enormous amount of personal data collected by manufacturers, based on a study of the privacy policies of 25 major automobile brands. The study takes the United States as a reference point, although the Mozilla Foundation has also reviewed the privacy policies of the European Union, with a particular focus on Germany. The organization’s researchers examined the major brands on the market, such as Toyota, Volkswagen, BMW, Ford, Kia, Hyundai and Tesla.

The report’s findings are striking. According to the study, car manufacturers can collect more personal data than is necessary to operate and improve their vehicles. Among these are demographic data — name, age, gender, home address — but also user names on social networks or the contacts in your address book. In addition, some brands can even collect a car owner’s ethnicity, facial expressions, and information about their health and sex life.

After learning of the report, EL PAÍS contacted the Spanish subsidiary of several automotive brands to find out how their privacy policies are adapted to the national territory. Only Nissan Iberia replied, stating that it strictly complies with the European General Data Protection Regulation (GDPR), and that it does not collect or process sensitive personal data. “The statements made in that report on the collection and processing of personal data are not related to data privacy practices in Nissan Europe, to which we adhere in all countries in this market,” the company said. Nissan did not specify what kind of personal data its cars collect or what kind of consent is requested from the owner.

Samuel Parra, a lawyer specializing in technology law, notes that for the processing of our data to be valid, consent must be an informed process. “If they want a customer to consent to four different treatments [the term treatment includes the collection and subsequent processing or transfer of information] they have to offer them four separate boxes [to tick]. Block acceptance of the entire privacy policy renders the consent invalid.”

Cars, therefore, cannot collect any personal data, including any information that can identify the person or the vehicle. “If they add that your car has traveled from Murcia to Madrid, they are geolocating the vehicle in space and time. And this information can be considered personal,” Parra points out.

The report forms part of the Mozilla Foundation’s “Privacy Not Included” research series, which analyzes the extent of privacy in different areas, such as mental health apps and entertainment. The Foundation’s researchers spent 600 hours on their automobile report, with 24 hours dedicated to each brand.

“As cars become more connected and more computerized, they have become more and more of a privacy nightmare,” says Jen Caltrider, director of the “Privacy Not Included” program. “Cars now come with many built-in sensors, such as microphones and cameras.” Personal data is collected when people interact with their vehicle. According to the researchers, they do this through those sensors, integrated digital services, or the car’s app, which becomes a gateway to the content on our phone.

There are not many specific numbers on the volume of business that data from the automotive industry can move but in 2016 the consulting firm McKinsey & Co estimated that by 2030 they could become profitable enough to generate $750 billion. A recent forecast, published by Statista, talks of revenues of more than $20 billion by the same date.

Although they are disparate, these figures help to understand the hunger of automobile brands for personal data. Coupled with this is the nature of carmakers as players in a traditional industry, forced to maneuver in a sector very different from their own. “You have car manufacturers that are basically getting into the data business and becoming technology companies,” says Caltrider.

GDPR as a shield for European drivers

The European GDPR regulation provides for user protection against the main abuses detailed in the Mozilla Foundation report. The collection of sensitive data, such as ethnic origin, health, or sex life information, is generally prohibited by this legislation.

Parra also points out that eavesdropping through sensors should be banned, as this practice falls into the field of interception of communications and secrecy of communications, two categories in which the legislation is protective. However, the lawyer believes that both in Spain and in other EU countries, there may be shortcomings in the processing of vehicle owners’ data.

The collection of data where consent is not explicit and accepted must be anonymized. But this is not always the case. “Some brands, knowing how you accelerate and how you drive the car, predict tire wear without having a sensor to measure it. When you have worn the tires, the car sends you a warning to recommend that you change them. In this case, have they received anonymous information?” Parra asks rhetorically. “No, they had to have received it specifically about your car, because if not, how do they know it was you driving like that? They had to know it was your car to send you the corresponding communication.”

The problem lies, according to the technology law specialist, in the fact that car manufacturers may not know how to anonymize the information: “Often they believe that certain information is anonymized because it is not accompanied by a first and last name or an email address. But this is not the case. The license plate, the Vehicle Identification Number or even the IP address to which the car connects to send the shipment, if they store it, is also personal data.”

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition