Our right to data privacy should not be run over in the pursuit of profits.
As someone who has spent over a decade advising companies on data protection and privacy compliance, I was extremely disturbed to read the recent reports about cars spying on drivers and sending detailed driving behaviour data to insurance companies. This appears to be a flagrant violation of reasonable data privacy expectations.
According to the reports, manufacturers like General Motors, Subaru, Mitsubishi, Hyundai, and Kia are offering drivers apps to connect their vehicles and get fuel economy guidance and "safe driving" feedback. However, the manufacturers have failed to properly disclose that this connectivity allows the vehicles to comprehensively track and record driver behaviours like speeding, hard braking, and aggressive cornering. Even more alarmingly, they are then sharing this personal driving data with insurance companies, which are using it to penalise drivers deemed "high risk" with higher premiums.
This entire data collection and sharing scheme reeks of deceptive practices and violates the core privacy principle of giving users full transparency and choice over how their personal information is used. Most drivers surely have no idea they are being monitored this intrusively nor would they expect details about their driving habits to be covertly packaged and sold to third parties.
From a compliance perspective, there are huge issues here around notice, consent, data minimisation, and purpose limitation principles. Modern data protection laws require companies to provide clear notice about what personal data they collect and how it will be used or shared. The connected car data sharing appears to be happening without true user knowledge or consent. There are also questions around whether tracking someone's second-by-second driving behaviour is even necessary for the stated purposes of the telematics programs.
While insurance providers claim this personal driving data allows them to assess risk more accurately, the negative consequences for consumer privacy and trust are severe. People will rightfully feel betrayed and misled by their automakers and insurers abusing connectivity this way. I fear we are rapidly headed towards a world of ubiquitous surveillance scoring if companies continue to exploit our digital trails without transparency or consent.
Now in the spirit of balance it should be said that insurers claim that your regular motor insurance does not have access to your black box and its data. The only way an insurance company can track the data from your car’s black box is if you have specifically signed up for a telematics (black box) insurance plan, although some commercial vehicle insurance policies include clauses that permit them to obtain black box data in the event of a crash.Â
When the policyholder accepts the insurance coverage, that technically serves as consent. But generally speaking, insurance companies cannot use black box data without a court order or the owner/lessee’s consent.Â
It is clear from the information in the public domain that car manufacturers and insurers must be held to strict compliance standards around collecting and using personal data responsibly. If they fail to course correct, we may need regulatory action to rein in these unethical car monitoring programs and data sharing practices.
Our right to data privacy should not be run over in the pursuit of profits.