Written by Paul Mountford, CEO, Protegrity

Connected technology is everywhere and influences every part of our lives. On average, there are nine connected devices in every UK household, and according to the UK Department of Culture, Media, and Sport.  This is estimated to grow to twenty-four billion connected devices by 2050.

While connected devices provide a range of benefits, there are now growing concerns around the data they are collecting, and the subsequent loss of consumer privacy. One very real example is the recent announcement from the California Privacy Protection Agency (CPPA), which advised that its enforcement division will review the data privacy practices of connected vehicle manufacturers, stating that they are “connected computers on wheels” and should be treated as such.


Data collected from cars is leading to a lack of trust

Today, cars are effectively mobile IoT devices that collect, use, and send staggering amounts of valuable data. Unfortunately, they are failing their users when it comes to data protection and data privacy, as consumers have little to no control over the sensitive data their vehicles collect, share, or sell.  In fact, US car companies have reported sharing data to third party organisations without driver consent and, as a result, only 12% of Americans trust the automotive industry. A recent report by the Mozilla Foundation reviewed different car brands for data privacy and security, and all 25 car brands researched earned the Mozilla ‘Privacy Not Included’ warning label – making cars the worst official category of products for privacy that Mozilla has ever reviewed.

Now, by probing the privacy practices of car manufacturers and vehicle technology companies, the CPPA is setting a new precedent for data security for the entire automotive industry, from manufacturers to OEM parts suppliers, technology partners to dealerships, and rental businesses to governments and consumers.


Valuable data helps to create improvements

The value of this data is important to the entire value chain including R&D, supply chain, safety, sales and marketing, city planning, and more.  The data collected offers an array of potential benefits for nearly all business partners in the automotive industry. For example, vehicle connectivity can help OEMs reduce warranty expenses and shorten reaction time to product flaws. Access to better data can also provide better insight into the reliability of suppliers, helping OEMs to select the best partners for their needs. Suppliers, in turn, can potentially optimise lead time and gain value from better-planned supply chains. For fleet owners, connectivity enables fleet health to be tracked to better predict potential imminent failures. It can also decrease breakdown time and improve control over vehicle maintenance.

Locking down data in an industry that is built to be mobile doesn’t necessarily work, but clearly the current access controls are not sufficient to protect sensitive data. If car manufacturers were to give drivers control over their personally identifiable information (PII) and make data privacy policies, including third party apps, a selling feature of the car – not an afterthought – this could go a long way to rebuilding trust.


Sharing data is no different than being tailed by a private detective

Ultimately data protection must evolve to protect automotive data wherever it is, including within the vehicle itself. Having information on where a car goes, where it has been, and what other cars were in the vicinity, may expose all kinds of PII and be a safety issue, as well as a human rights issue.

The details of where an individual drives their car could be some of the most sensitive personal information they might hold and could be used in all manner of ways. In effect, without more robust data privacy controls, it’s no different than being tailed by a private detective.

Add to this equation not only the apps within the vehicle, but EV charging data.  With 2.46 million EVs expected on the road by 2028, their data will be shared across the grid from charging point operators to utility companies and governments. Again, this is where there is a requirement to tighten data security controls across the EV charging infrastructure, which is crucial to ensure data is safeguarded from unauthorised parties or bad actors.

The EU has committed to regulate data shared between connected cars and is currently in the process of devising the remit of its Data Act, which will “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all”.   However, the European Automobile Manufacturers’ Association (ACEA) has warned: “Europe’s auto industry is committed to giving access to the data generated by the vehicles it produces. However, uncontrolled access to in-vehicle data poses major safety, (cyber) security, data protection and privacy threats.” Indeed, if vehicle data was more freely shared, these issues would certainly be at the front of our minds.

There will be 470 million connected cars on the road worldwide by 2025. To add to the challenges already highlighted, data moving between the car and the cloud is not always encrypted or regulated.  This is where encrypting, anonymising and/or tokenising driver data helps to ensure it is both protected and secure, ensuring the data is safeguarded wherever it goes.


Balancing the ability to tap into data with data privacy

At the end of the day, those in the automotive industry looking to embrace the potential of data analytics and AI systems across multiple cloud environments – which requires an exponential increase in the amount of sensitive data captured, stored, and analysed – shouldn’t be penalised. This is where technologies that enable enterprises to tap into the power of data to innovate and stimulate revenue growth, while also meeting consumer privacy and cross-border data flow compliance obligations, will become pivotal.