The automotive industry is facing major changes, many of them regarding the mega trends collectively referred to as CASE (connected, autonomous, shared, and electric).1 Of these four trends, connectivity is the biggest enabler of change.2 It is forecasted that by 2022, 75% of manufactured vehicles will be connected cars.3 With this increasing trend, a controversial policy discussion has emerged in the EU about data privacy and the access to in-vehicle data for independent service provider. A recently published guideline by the European Data Protection Board (EDPB) that focuses on this issue could have enormous consequences for the connected vehicle ecosystem as it addresses the processing of personal data in the context of connected vehicles and mobility. Granular consent for both personal and non-personal data would be required from customer of the connected vehicle.
Sharing vehicle data
The term connected vehicles describes vehicles that use of technologies like sensor data, 5G, Artificial Intelligence (AI), and/or Blockchain, to communicate with the driver, its environment, other vehicles, or systems like the (edge) cloud. In addition, it allows vehicles to share data with other devices, both inside and outside the vehicle, and to process it. Therefore, the car generates data of diverse categories (i.e. vehicle data, context data, driver data), with different levels of privacy sensitivity to the customer.4 This data is interesting to many stakeholders in the mobility ecosystem, like the original equipment manufacturers (OEMs) (e.g. BMW, Mercedes), the consumer (driver), automotive suppliers (e.g. Bosch, Siemens), Internet of Things (IoT) platforms (e.g. Apple CarPlay), connectivity providers (e.g. Telekom, Vodafone), tech companies (e.g. Amazon, Microsoft), and mobility solution provider (e.g. Uber, Lyft).
Furthermore, the generated data can be used for various connected services. A study by the data platform provider Otonomo found that most European customers are interested in being alert of hazardous road conditions, real-time navigation, predictive maintenance, live-parking information, and personalised insurance offers.5
Types of data sharing
In order to be able to implement the services just mentioned, two types of data sharing take place between the stakeholders: the first is between the vehicle and the OEM and second is between the OEM and third-party players in the ecosystem.
In the first place, the generated vehicle (and personal) data are directly transmitted to proprietary servers of the OEM and they have de facto exclusive control of this data. Neither the owner of the vehicle or other stakeholders can use the collected data without the consent of the OEM.6 In return for sharing the vehicle data with the OEM the customer receives over-the-air software-updates and on-board diagnostics.
The second way of data sharing is between the OEM and other stakeholders in the ecosystem. The OEM can monetise the collected data and sell it to a data marketplace or give third party providers like insurance companies access to the data. The insurer can use the data to offer personalised insurance to the customer. Personal data are secured by the General Data Protection Regulation (GDPR) which gives the driver (owner) a strong set of rights to protect privacy.7
Challenges in the context of data sharing
Adding connectivity to vehicles has advantages, but it also has several challenges. Namely:
- Customer concerns about sharing data with the OEM: The strength of the consumers’ concerns depends on the type of data being shared. 60% of consumer are concerned about sharing their biometric data collected by sensors in the cockpit, whereas only 27% concern about sensor data related to vehicle status.8 In Germany, the gap in trust from consumers is wide. 28% of consumers have the most trust in manufactures managing the data being generated and shared by a connected car, but also 29% of consumers trust no one.9 The question is how the OEM can address the concerns of the customer to become more trustful.
- Information and privacy problems of car users: When all car and personal data are directly transferred to the server of the OEM the question arises of how the privacy rights of the customer can apply here. Also, who is the owner of the generated data, and who controls it? There’s a problem of information transparency regarding the extent of data collection and weather consumers are aware of the value of their data been collected. A further question is if the customers have a real choice giving their consent because without giving consent, they cannot use all connected vehicle functions. These points must be fully transparent to the consumer/driver so that they know to what exactly they have given consent on and how the driver and vehicle data are being used. Moreover, technical and policy solutions are needed to ensure data privacy. This will also help to address customer concerns.
- Competition problems: The OEM can capture all vehicle and personal data from the connected car which gives them exclusive control of the access to the data. By using this concept, the OEM can foreclose independent service providers and control in a monopolistic way the full aftermarket. This can lead to high prices and not enough customer choice.10 Access to data is crucial for aftersales and other services. To ensure fair competition, other parties must also have access to the data. This requires common rules that regulate access to data for third parties.
The new EDPB guidelines as a possible solution
One possible solution for some of the problems could be the new draft guideline on Connected Vehicles and Mobility Applications published on 7 February 2020 by the EDPB. If the guidelines are adopted in their current form, they will have consequences on the processing of personal data in the context of connected vehicle. They refer to the GDPR and apply the EU cookie rules, requiring detailed consent to collect personal and non-personal vehicle data from the connected vehicles. The guideline also lists recommendation for OEMs how to configure their vehicles, including recommendations to use local processing where possible. Also, users should be able to have access and the right to delete their personal data from the vehicle when they want to sell it.11 The draft guidelines are open for public consolidation until 20 March 2020.
To put it in a nutshell the main challenges the industry is facing are customer concerns, data privacy, security and safety problems and how third-party provider can access the collected data. The guidelines could help to answer many of the concern’s customers have about their data rights. On the contrary a recent study conducted by Otonomo and SBD Automotive found that only a few consumers recognised any changes in the communication of OEMs since the GDPR went into effect.12
So, I pose the question: will the new guidelines bring about noticeable changes for OEMs and consumers?
A bonus question and going beyond that is: to what extent would it solve the challenges in the industry?
- 1. https://www.digitalistmag.com/digital-economy/2019/01/02/4-ways-of-case-in-automotive-industry-06195360
- 2. https://www.capgemini.com/resources/connected-vehicle-trend-radar/
- 3. https://www.smartcitiesdive.com/news/the-decades-long-evolution-of-the-connected-vehicle/448903/
- 4. McKinsey, “Car data: paving the way to value-creating mobility. Perspectives on a new automotive business model”, 2016
- 5. https://www.globenewswire.com/news-release/2020/03/03/1993936/0/en/Otonomo-SBD-Automotive-European-Consumer-Survey-Reveals-Solid-Interest-in-Connected-Car-Services-and-Limited-GDPR-Understanding.html
- 6. https://biplatform.nl/2173294/blockchain-technology-and-data-access-to-connected-cars.html
- 7. https://www.jipitec.eu/issues/jipitec-9-3-2018/4807
- 8. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/manufacturing/us-global-automotive-consumer-study-2019.pdf
- 9. https://www2.deloitte.com/us/en/pages/manufacturing/articles/automotive-trends-millennials-consumer-study.html
- 10. https://www.jipitec.eu/issues/jipitec-9-3-2018/4807
- 11. https://www.jdsupra.com/legalnews/eu-privacy-regulators-issue-draft-45185/
- 12. https://www.globenewswire.com/news-release/2020/03/03/1993936/0/en/Otonomo-SBD-Automotive-European-Consumer-Survey-Reveals-Solid-Interest-in-Connected-Car-Services-and-Limited-GDPR-Understanding.html