Unified Connected Cars Privacy Framework Is Possible

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

May 10 — Multinationals moving to produce connected cars face a global legal and regulatory labyrinth, but self-regulatory standards may help create a harmonized international framework, industry professionals told Bloomberg BNA.

The “legal framework on data protection has to be harmonized to make connected cars and automated driving work while at the same time protecting personal data effectively,” Danielle Herrmann, intellectual property and information technology counsel at Freshfields Bruckhaus Deringer in Frankfurt, said.

Some sort of framework is essential if connected cars are ever to evolve into self-driving cars, a market worth potentially billions of dollars for the car industry.

Electronic Control Units

Internet of Things

Connected cars are a part of the Internet of things—a network of physical objects equipped with technology that enables them to connect to other products or services to collect and transfer data. The predicted number of connected cars by 2020 ranges from 31.8 million—estimated by Statista—to 1.5 billion—estimated by Ericsson.

Industry professionals and government officials have said that connected cars present prime opportunities to “revolutionize mobility,” but they stand out as prominent targets for hackers (15 PVLR 293, 2/8/16), as evidenced by the 2015 hack of a Jeep (14 PVLR 1368, 7/27/15). Modern cars have multiple electronic control units that are vulnerable to hacker attacks, including the transmission control unit, engine control unit, telematics and even the radio.

Craig Spiezle, executive director, founder and president of the Online Trust Alliance (OTA), said his organization's recent IoT Trust Framework provides useful guidance for connected cars.

“Ninety-nine percent of the IoT Trust Framework requirements are applicable to connected cars,” Spiezle told Bloomberg BNA. “I don't see a reason why there couldn't be a harmonized legal and regulatory framework governing data protection issues related to connected cars,” he said.

Types of Connected Devices

What “connected” means in the context of cars is constantly evolving and there needs to be a flexible framework regulating connected devices (15 PVLR 764, 4/11/16).

There are different categories of technologies that “connect” to the car—embedded; tethered; and integrated—that may implicate different companies, industries and applicable regulations. Embedded systems have processing power and connectivity embedded in the vehicle and provide “always on” services such as the European emergency alert system, eCall. Meanwhile, tethered and integrated systems typically power infotainment and navigation.

Different aspects of connected cars should be governed by different laws and regulated by different agencies, but different standards should only apply where justified, according to Herrmann. “Regarding data protection, the general approach should be similar for all systems, with differences made only where required to reflect the technical solution,” she said.

Raffaele Giarda, co-chairman of Telecommunications and Corporate & Commercial practices at Baker & McKenzie in Rome, and Andrea Mezzetti, a senior associate at the firm, agreed, saying that what laws apply and what agencies have jurisdiction depend on “a number of different technical factors and technical features of the specific services.”

In a car geolocation data system, for example, it doesn't matter if the data are collected from an embedded as opposed to a tethered system so long as information is “sent to a central system where a movement profile of the driver could be created,” Herrmann said. What is important is “if the driver is informed of this data being collected and has the possibility to stop this, and that the operator of the system knows for which purpose the data may be legally used and for which purposes it may not be legally used,” she said.

Different Legal Areas

In addition to the constantly evolving definition of “connected,” establishing a harmonized framework for connected cars may be especially difficult due to the fact that a wide range of laws and regulations are implicated. Some of the existing laws and regulations applicable to connected cars include telecommunications regulations, road and automotive regulations, data protection laws and consumer protection laws, according to a Baker & McKenzie report.

Developing a regional data protection framework, such as the European Union's new General Data Protection Regulation, may ease efforts to harmonize connected car regulations.

“It should be possible to have an overarching, harmonized legal and regulatory framework only governing data protection and privacy considerations related to connected cars,” Giarda and Mezzetti said in comments to Bloomberg BNA

“Regional harmonization practically also leads to more international harmonization,” Herrmann said.

It isn't necessarily desirable to have an overarching, harmonized framework governing multiple legal areas relevant to connected cars, Herrmann said. “Since connected cars affect numerous completely different legal areas, the idea of a single legal framework would rather complicate than promote the international harmonization,” she said.

According to Giarda and Mezzetti, it is theoretically possible to have an overarching, harmonized legal and regulatory framework governing multiple legal areas related to connected cars. A framework would “likely act as a boost for the market rather than a roadblock, and could also concern the removal of pre-existing regulatory restrictions,” they said.

At the end of the day, whether to pursue an overarching framework is “a legislative choice,” they said.

Voluntary Standards

The Alliance of Automobile Manufacturers, the Association of Global Automakers and their members—including BMW Group, Ford Motor Co., General Motors, Toyota, Mercedes-Benz USA, Mitsubishi, Honda, Hyundai and Nissan—November 2014 established Privacy Principles for Vehicle Technologies and Services voluntary industry standards, which went into effect in January 2016.

Those standards included general data use transparency, data collection minimization, accountability and data security principles.

Even though voluntary standards can't replace binding legal standards, they “serve to effectively harmonize data protection internationally even if no harmonized legal framework is in place” and can be used to “show that there is no need to wait for harmonization by national legislators to improve data protection in a critical area,” Herrmann said.

According to Giarda and Mezzetti, “regulators and sector specific authorities will likely look for input from all stakeholders when carrying out market analyses with a view at issuing rules and principles that take into account as much as possible the various industry angles and market needs.”

A broad international framework “should not only cover connected car services, but rather all machine-to-machine type of services with underlying similar issues,” they said.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com