Written by Giulio Coraggio
October 3, 2014
Connected cars are expected to generate $131.9 billion by 2019, with a compound annual growth rate (CAGR) of 34.7% from 2013 to 2019. But such growth will face legal issues that not only affect data protection matters, but also have an impact on product liability issues, telecom law obligations, security and data loss risks.
Connected cars are the subcategory of the Internet of Things covering technologies that can, for instance, prevent accidents by detecting other vehicles around the car, or monitor the driver's physical condition to prevent accidents if the driver feels sick or falls asleep. The term also covers vehicles with self-parking technologies that allow them to park autonomously, and everyone has been amazed by Google's driverless car. Connected cars can also interact not only with the traffic systems of our municipalities to find the best route home and an available parking space, but also with smart home technologies, for instance turning on the heating system when the car is 20 minutes away from home.
This is a massive business not only for car manufacturers and original equipment manufacturers (OEMs), but also, for instance, for insurance companies, which can monitor cars, determine liability in case of accidents and reduce their risk exposure. But what are the legal issues to be overcome by connected cars?
Data protection law obligations
Given the close interaction between connected cars and their drivers, the data protection issues relevant for connected cars are similar to those previously covered with reference to the Internet of Things and wearable technologies.
Data generated through the usage of connected cars are deemed to be “personal data” if linkable to an individual. But the matter is even more complicated with connected cars. Indeed, cars, more than other devices, can be used by different users. Because of this peculiarity, must informed privacy consent to the processing of personal data be given each time the car is turned on? And if consent is necessary to use some functionalities of the car, will this fall under the exemption from the need for prior consent, or must free consent be ensured in any case, so that consent cannot be a condition for using some basic functionalities of the car?
Additionally, how can data generated by connected cars be used? Who is the owner of such data? There are several parties involved in the picture, such as car owners, users, dealers, OEMs and car manufacturers. Who shall have control of the data generated through connected cars? Who is the data controller?
Finally, in the case of non-European car manufacturers, there might be an additional data transfer issue. If manufacturers want the data collected through connected cars to be transferred outside of the European Union, will they need an additional consent from users, or can they rely on legal tools such as the so-called standard contractual clauses? Will the data transfer be deemed necessary for the provision of the service when a car is purchased from a non-European entity?
The answer to the above has to be given based on the peculiarities of each case, also in the absence of positions from local data protection authorities on the matter, save for the recent opinion of the Article 29 Working Party on the Internet of Things.
Telecom law obligations
I previously covered the telecom law issues affecting the Internet of Things. In relation to connected cars, the issue is whether car manufacturers/OEMs fall under the scope of telecom law regulations.
Indeed, if they are deemed to be providers of electronic communication services for the purposes of telecom regulations, the issue is whether they need a license/general authorization from telecom authorities. This would trigger the applicability of telecom law obligations that are quite burdensome for an entity that is not a telecom operator. Furthermore, such obligations might be deemed disproportionate to the types of data that are transferred.
Also, since most car manufacturers sell their cars globally, will they have to comply with the telecom laws of each country where their cars are sold? The fragmentation of regulations in this sector might become a major barrier to the growth of such technologies.
These are the issues that the Italian telecom authority, AGCOM, and the UK telecom regulator, OFCOM, are facing as part of the consultations on the Internet of Things and, based on our discussions with them, they will try to adopt measures to overcome these hurdles.
Given the amount of data collected through connected cars, the issue is how such data should be protected against cyber attacks. Also, will this data be stored in the car or just transferred to a cloud database? Which security measures should be implemented to protect connected cars from hackers?
As discussed with reference to the IoT, the answers to these questions cannot always be found in the regulations. The Italian data protection authority in particular has often been quite detailed in prescribing the security measures to be implemented to protect data from unauthorised access. However, the level of security measures to be adopted will also increase with the level of sensitive data collected through connected cars.
Also, the new EU Privacy Regulations will extend the obligation to notify data breaches to any type of data processing, which will add a further obligation on car manufacturers.
Liability for accidents
Current regulations prescribe that car owners are generally liable for accidents caused by their vehicles and are obliged to put in place insurance coverage. However, in the case of self-driving cars, will there be a liability regime for OEMs? Shall this matter be contractually regulated between manufacturers and buyers? Will these accidents fall under product liability regulations preventing any limitation?
Additionally, it will be interesting to see what kind of checks and approvals will be required by local authorities before allowing the sale of these kinds of cars. This might be one of the main issues delaying the launch of devices like Google's driverless car.
The above are just some of the legal issues that can impact connected cars, and many more might arise depending on the technology developed. It will be interesting to see how car manufacturers will face such hurdles. And as usual, feel free to contact me, Giulio Coraggio (firstname.lastname@example.org), to discuss or participate in the consultation.