The issue of data ownership in the coming generations of connected vehicles will be thorny. Owners, drivers, OEMs, insurers, and others may have claims.
Most people do not know what data reside and are generated by vehicles. In fact about 90% of Europeans think the drivers own the data in their vehicles and some American lawyers believe there are legal arguments in favor of having the vehicles’ owners keep the data held within their cars.
In the current landscape, most of the drivers’ vehicles’ data are owned by the car manufacturers (OEMs) in the United States and Europe, not the vehicles’ owners. People are becoming aware of the data issues involved in cases such as the Cambridge Analytica scandal.
This scandal revolves around the fact that Cambridge Analytica obtained data through a Facebook survey, and these data not only pertained to the people who took the survey but to all those survey-takers’ friends as well without their consent or knowledge.
New EU regulation coming online this month
The European Union (EU) will implement the new pro-privacy General Data Protection Regulation (GDPR) on May 25, 2018, to better protect user data. We should understand how “our” information is being handled and who owns the data in the U.S. and European markets because it is important to protect the data and the data have monetary value.
Drivers should be aware of who actually owns and controls the data. The OEMs own and control the data because when most people purchase vehicles they have to sign contracts which give the new owners the right to the vehicle- but not the data within the vehicle. Because of this the car data is owned by the OEM, not the driver.
Some drivers do not care because they assume they can get the data whenever they need it (although there have been instances where the OEMs refuse to give the drivers access to raw accident data). If the drivers own the data, they will have control over who can access their data. In fact, they could require anyone who wanted access to their information to give products, services, or money in exchange.
Vehicle data have real value. The average vehicle contains a great deal of personally identifiable information (PII) such as home addresses, phone numbers, and in some cases biometric data such as fingerprints; locations and routes; the condition of the vehicles over time, and in some cases information from applications saved on to the vehicle itself. While there are no clear metrics as to how much the data are worth, they are worth enough for the OEMs to insist on owning the data.
The OEMs legally own most of that information and accrue benefits from the information while most of the costs (such as unauthorized use of one’s information and tracking) fall on the driver. If an insurance company or a marketing firm wants the data, they have to talk to the OEM and can ignore the driver. Just as the Cambridge Analytica scandal highlighted how one’s data can be sent to another company without one’s knowledge or consent, the OEMs are free to transfer much of one’s vehicle data without the driver’s involvement. They choose how the data is shared and protected; the drivers themselves have little choice in either regard in the current regulatory environment.
OEM data ownership model not immutable
While the OEMs own most of the data, this is not necessarily a permanent situation. In the United States the information in the black boxes (Event Data Recorders or EDRs which store a vehicle’s data right in the seconds before, during, and after a crash) is owned by the driver or “leasee,” although most other non-medical data stored in the vehicle, such as phonebooks synced with the vehicle added to the vehicle and location data and other vehicle-generated data is still unregulated.
In the European Union, the situation is complicated. Under the new GDPR, if one wants to process data then the data processor requires the subject’s consent. The law requires companies to make it easier to transfer information between services (known as the “right to portability”) and delete personally identifiable information (PII) in the right circumstances (“right to erasure”). This means the OEMs will have to make sure the drivers’ data can be transferred across other OEMs, which makes it easier to change brands (similar to how Apple and Google try to make it easy for one to switch away from a competitor’s smartphone) and keep PII out of the hands of certain advertisers without the drivers’ consent.
Under the EU’s new Privacy and Electronic Communications (e-Privacy) Regulation, the OEMs will be forbidden from selling “connected cars” if the cars do not comply with the EU’s data sharing standards. This regulation could restrict how much data an OEM can share with other organizations by requiring any third party from using the data generated by connected vehicles without the user’s consent. If either the GDPR or the e-Privacy Regulation is breached, the OEM can be fined up to €10 million, or 2% of a car manufacturers’ total worldwide annual turnover, whichever punishment is higher.
This regulation will also apply to machine-to-machine communications, or between vehicles (V2V) or between vehicles and infrastructure (V2I). Under this law, the OEMs will be liable for any interference with the communications data done through accessing the data or tampering with it. These legal regulations are further complicated by whether the EU regulations differentiate between data that is inputted into the vehicle (such as home addresses) or data generated by the vehicle (such as speed data). Pinsent Masons has a good write-up on the legal questions involved, which are worth reading.
Overall, we should care about who owns the data. Whoever owns it is responsible for protecting it, controlling it, and earning profit from it in the form of currency, goods, or services. Most drivers should worry about data ownership since vehicles now contain a great deal of PII and geolocation data, and those data are of great interest to a variety of parties, both corporate and criminal.
Insurers may also have an ownership case
Just as we have difficulty securing our vehicles’ data and determining the monetary value of that data, the question of who owns or who should own the data is a complicated issue. It is not only a conflict between drivers and OEMs; other corporations have their own views on the matter. For example, some insurance companies would like to use car data to set premiums and would prefer to sell insurance on a driver-by-driver basis instead of negotiating with the OEMs.
Cybersecurity companies may prefer that drivers own the data so they can sell their services on a more individual basis instead of negotiating with each OEM or car part supplier such as Waymo or Mobileye. The OEMs may try to insist that data generated by the vehicle remain with the OEM, even though the vehicles themselves are no longer owned by the OEMs. The shift towards driver-owned data will also transform the market as advertisers will have to negotiate with the drivers directly instead of negotiating with the OEMs.
As vehicles gain more sensors and new companies create new business models, the market will only grow in value and the drivers, OEMs, and other companies will compete for the right to own these data.