Jusletter IT

During the 20th century, the number of cars increased, and people started to see the automobile as ‘the machine that changed the world’ [Womack et al., 1990] A cheaper way of (mass)production led to an increase in sale. Over the years cars have become safer, more powerful and above all; way more intelligent.

The amount of technology in cars has increased every year since the first car launched. Tons of innovations, like the auto-radio, airbags, air conditioning, ABS, ESP, Lane Departure Warning Systems, parking assistance, adaptive cruise control and navigation-systems contributed to the growth of electrical architecture in automobiles. In the late 90’s, GM launched their revolutionary OnStar system. OnStar made it possible to make emergency phone calls from the car when an accident occurred. Nowadays this service is developed also to monitor a car’s maintenance, track its location and can even stop and lock the car remotely in case of theft.

At the same time, other car manufacturers launched comparable services like Audi Connect, Ford Sync, Mercedes Me Connect, My Tesla, Volvo OnCall, BMW ConnectedDrive and Volkswagen Car-Net.

From the 31st of March 2018, all new cars in the EU should be able to make an emergency call (eCall) to the European emergency number 112, when a severe accident occurs. This technology is meant to be an automatic triggered call when the car detects with the help of sensors that an accident occurred, this could be a for example when one of the airbags explodes. Relevant data about the vehicle, like location, type of vehicle, direction, is also sent with the eCall.

By implementing this EU regulation since March 2018, car manufacturers are equipping their new automobiles with sim-cards to guarantee and establish a connection between the car and the Public Safety Answering Point (PSAP). Another main reason for manufacturers to integrate sim-cards in modern vehicles is to provide convenience for the user. By driving a ‘connected car’, users can have better navigation, entertainment and safety. It sounds very convenient to have real-time traffic information, Spotify streaming, remotely maintenance monitoring and a find my car application for mobile phones. Car manufacturers are collecting and analyzing more and more data from their vehicles and users. Motives of car manufacturers to collect this are concepts such as product improvement, marketing and previously named adding comfort for the automobile user. While collecting data may serve purposes that are beneficial to the car users, some may not be in their interest and privacy can be threatened in both cases. This paper focuses on the attitude of consumers towards data collection and processing by car manufacturers. In this study, we limited ourselves to the data collection practice by three OEMs BMW, Volvo and Tesla. The research was conducted in June 2018, a month after the GDPR became applicable.

Over the years, software development has been of increasingly importance for car manufacturers. A nowadays on-board system in a car, consist of more than 100 million lines of code [Newcomb, 2012], to put that in perspective; that is more than a Windows Operating System and the on-board software of a Boeing 787 Dreamliner, combined [Mann, 2002; MacDuffie et al., 2010].

With the increased importance of car software, possibilities to collect and analyze car data increased as well. There are several motives why original equipment manufacturers (OEMs) collect data about their customers. There are several reasons for OEMs to collect data.

Car manufacturers are legally forced to collect and store data about their customers and vehicles. This data could include for instance address details and phone numbers in case of a product recall.

Also, it is necessary that car manufacturers store specific data about their customers for financial purposes, such as billing. Car Manufacturers must notify customers when they make changes in their Terms of Conditions and Privacy Statements, for this reason, they have to hold some personal details about their user to contact them in case of possible adjustments in those conditions and statements.

Some manufacturers equip their cars with black boxes. Black boxes save data, such as speed and airbag registration to have more insight into road accidents. When authorities want to reconstruct a crash, those event data recorders can be useful. By increasing the quality of accident data, authorities and manufacturers can better evaluate accidents and improve safety technologies.

Another reason for manufacturers to collect data about the user of the usage of the vehicle is to collect data that is useful to improve the product. Car manufacturers tend to be very broad in the range of data that could be useful to improve their products and services. First of all, in all privacy and legal statements is mentioned that manufacturers can collect the necessary data in person or via remote access. According to Tesla [Tesla, 2018] does this collection include data such as speed information, VIN and software version information. At the same time, those statements include less specific descriptions on data collection such as ‘electrical system functions’, ‘infotainment system data’, ‘safety-related data’ and ‘camera images’ are named as well. Another part of product improvement is to provide better service to their clients. Manufacturers notify customers when they must refill their fuel, and they also know a person's profile when there is contact via customer service.

Besides legal obligations and data collection for product improvement, data is also collected for marketing purposes. All companies include in their statements that they use customers’ data for this goal as well. Companies use customer details such as mail addresses to inform their customers on new products and services. Statements also show that customers are informed about promotional events and asked to participate in market research.

On-board systems collect data from various sources like cameras, microphones, GPS and vehicle-generated data like engine status, temperature and tire pressure, etc. Modern cars are able to collect data on the following categories:

• Personal details (a.o. name, gender, address, email address, payment details and also data based on website visits such as device type and operating system)
• Operational vehicle data (a.o. location, speed, battery/fuel level, seat belt use, number of heavy braking and horn uses, number of passengers)
• Maintenance of the vehicle (a.o. outside and inside temperature, oil levels, tire pressure, technical failures, rounds per minute, software version)
• Vehicles surroundings (a.o. road markings, traffic signs, weather conditions)
• Comfort for the user (a.o. settings on chair, light, steering wheel)
• Infotainment (a.o. media settings, phone connectivity relating to messages, calls, contacts, call history, browser history)
• In case of an emergency (for a successful eCall: a.o. VIN, vehicle type, fuel type, location, direction, number of passengers)

[Tesla, 2018; Volvo, 2018; BMW Group, 2018; European Commission, 2018]

Manufacturers that collect such privacy-sensitive data often share this data with several parties. First of all, manufacturers can share user's data with certified dealers and installers to propose tailored offers and maintenance services to the users. With the data about the vehicles that auto-garages receive, they are better able to detect and repair certain defects. Garages can gain better insight into the maintenance of a vehicle in general. Furthermore, all companies indicate in their statements that they might share the collected data with affiliates, companies that are controlled or (partly) owned by the manufacturer's holding or group. The privacy policies also indicate that the manufacturers might share data with governmental authorities when this legally obligatory. In this case, manufacturers might share data with authorities for conducting an investigation or other purposes defined by law.

Moreover, manufacturers might share data with employers, fleet operators or other owners if the user does not own the car. This principle also means that manufacturers might share user data with affiliated parties. The statements also provide information about data sharing with insurance companies. Several car manufacturers and insurance companies already started to offer certain 'pay-as-you-drive' insurances, which calculates the number of kilometers the user drives.

The companies also state that they will share data with certified business partners, to provide services such as web hosting, payment processing, product diagnostics, data analytics, marketing and customer services. When a user connected their onboard computer to social media, manufacturers will share data with the social media account provider. Manufacturers will also share data with a Public Safety Answering Point in case of an emergency. The car will autonomously send out a Minimum Set of Data (MSD) during an eCall. This MSD includes data such as vehicle type, fuel type, location, direction and number of passengers. Manufacturers might also share data with roadside assistance if they provide particular services.

Lastly, it is possible that manufacturers share data with companies that provide applications for the car's onboard systems. Third-party applications, such as navigation apps and music streaming services, can also collect user data.

Since most car manufacturers operate globally, it is high likely that personal data is transferred between facilities and service providers in different countries around the world. This also means that the data is processed in countries out of the European Economic Area and the United States, where there are different data protection laws. All car manufactures state that they ensure to process personal data globally with an adequate level of data protection.

[Tesla, 2018; Volvo, 2018; BMW Group, 2018]

The terms of conditions and privacy statements of companies can play an important role in addressing the details on data collection by car manufacturers. In light of recent events in data and privacy regulations, it is becoming extremely difficult to ignore the current personal data gathering by car manufacturers. There is an urgent need to address privacy issues and public awareness of this specific topic. Little is known about public awareness about this topic and it is not clear if people are informed correctly about the collection and processing of their data.

The experimental work presented here provides one of the first investigations into the attitude of people towards data collection and processing by car manufacturers. A Dutch questionnaire was set up to measure the attitude towards this specific topic among participants. The design of the questionnaires involved questions with Likert-scale and asked participants to enter demographic details.

The survey was distributed at garages, service points, supercharge stations in Amsterdam, The Netherlands. In a second stage, the survey was distributed online as well. The research focused on only three high-end car manufacturers. Only participants driving a modern BMW, Volvo or Tesla were recruited for participation in this research. Of the initial cohort of 47 respondents, seven were female and 40 male. This initial sample consisted of 20 Volvo drivers, 15 BMW drivers and 12 Tesla drivers. Participants were asked to respond using a 5-point Likert scale. The questions asked participants to rate how strongly they agreed with each statement. A Shapiro-Wilk test was used to test the normality of the sample. Comparisons between the three manufacturers were made using a Kruskal-Wallis test. Data management and analysis were performed using SPSS. We also tested two hypotheses:

1. The user is not informed properly about what data is being collected by the OEM.
2. The different brands do not differ in their efforts to inform their users.

The latter question was analyzed by considering six statements that were used to measure the users’ attitudes.

A critical aspect of this research is to measure the actual user's behaviour. Six items on the questionnaire measured the extent to what attitude people have towards data collection and processing by their car manufacturer.

The first statement of the questionnaire focuses on the idea of informed consent. The user of the vehicle must give consent to collect and process personal data. It is favourable, and obligatory, that the OEMs informs the users about what data they collect when he or she starts using the connected car. The survey asked participants how they were informed about data collection by the OEMs when they started to use the vehicle.

Figure 1: The attitude of connected car users towards data collection and processing by OEMs

There were 47 responses to the statement: ‘I am clearly informed about what data are collected by the OEM.’ The majority of participants (79%) disagreed or strongly disagreed with the statement. Only a small number of respondents were neutral, agreed or strongly agreed with the statement.

Furthermore, the majority also thought that it would be hard to have access and insight to the data that the OEM collects about them. When asked whether the respondents know for what purposes the OEMs process their personal data, 66% of the respondents reported that they do not know that. The majority of participants (78%) disagreed or strongly disagreed with the statement that it would be easy to ask for erasure of personal data.

A variety of perspectives were expressed in the question of whether OEMs process data safely and adequately. Over half of those surveyed (51%) reported that they expected that OEMs would share their personal data with third parties as well.

Together these results provide valuable insights into the field of user's attitude towards data collection and processing by OEMs. In summary, these results show that users are not sufficiently informed about data collection by OEMs.

Two of the six questions significantly correlated to the brand. The idea that personal data were shared with third parties F= .746, p=.024, and the awareness of the aims for sharing the data F=.675, p=.034. Tesla users were more aware than Volvo and BMW users about the fact that data was shared with third parties. Tesla users were more aware than BMW users about the purpose of the data collected.

An initial objective of the research was to identify the level of awareness about data collection and processing among connected car users. The present study was designed to determine the attitude of connected car users towards this topic. With respect to the first research question, it was found that users are not informed sufficiently about what kind of data about them is collected and processed by their car and the OEM. However, with a small sample size, 47 respondents out of approximately 200.000 car users having cars with SIM cards (derived from car sales data of www.autoweek.nl), caution must be applied, as the findings might be biased. This study should consequently be seen as an indication of the current awareness situation rather than an accurate picture.

In order to give connected car user better insight into data collection and processing, it might be useful to provide transparent and short information to the user. The reseller or lesser offer the car-user an extract indicating what data the OEM collects, for what purposes, with which parties they share the data, how this data is processed (internationally), and what rights the user has to access, adapt or erase these data. OEMs should also offer a simple opt-out that ensures that the user can immediately switch off data collection by the manufacturer.

The study was focused on current car communication practices. It can be expected with new developments such as ITS and extended autonomous driving, mobility management etc. that more data will be collected. Balancing the interests of the parties involve should include weighing different values, such as road safety, privacy, product liability etc. Different regulations may promote different and sometimes conflicting values. In order to have a good debate about balancing these values consumers should be better informed. This study shows there is still a long way to go.

Future research has to be conducted to see what the practices are in other countries and with other brands. The current study was limited to only part of the obligations following from the GDPR. The study was too limited to grasp a better insight in the lawfulness of the processing of the data by third parties.

If we look at the current potential of gathering data from the sensors and the on board systems in vehicles serious threads to privacy are at stake. Although vehicle users are like any data subject somewhat protected by the GDPR, their position is still quite weak. Particularly when we take into account that a majority of cars are not privately owned and informed consent is typically arranged for in the sale agreement, the situation with sensitive vehicle data is maybe worse than in other domains where the data subject is the primary client of the organization that controls the data.

Next to more research on the actual practices, threads to privacy or even GDPR violations it is therefore needed that the national law enforcement organizations take a stronger position to protect the public interests. Let’s not forget that in Europe the right on privacy is a fundamental human right that is not to be sacrificed for commercial reasons, disinterest of the public or governments that fail to protect these public interests.

BMW, Legal & Privacy https://www.bmw.com/en/footer/legal-disclaimer.html (accessed on 18 November 2018), 2018.

European Commission, The interoperable EU-wide eCall. https://ec.europa.eu/transport/themes/its/road/action_plan/ecall_en (accessed on 18 November 2018), 2018.

MacDuffie, John Paul / Fujimoto, Takahiro, Why Dinosaurs Will Keep Ruling the Auto Industry, Harvard Business Review, 2010, p. 23–25.

Mann, Charles C., Why Software Is So Bad. MIT Technology Review. https://www.technologyreview.com/s/401594/why-software-is-so-bad/ (accessed on 18 November 2018), 2002.

Newcomb, Doug, The Next Big OS War is in your Dashboard. Wired. https://www.wired.com/2012/12/automotive-os-war/ (accessed on 18 November 2018), 2012.

Tesla, Customer Privacy Policy. https://www.tesla.com/en_EU/about/legal (accessed on 18 November 2018), 2018.

Volvo, Customer Privacy Policy. https://www.volvocars.com/intl/footer/privacy (accessed on 18 November 2018), 2018.

Womack, James P. / Jones, Daniel T. / Roos, Daniel, The Machine That Changed the World, Simon and Schuster, New York, 1990.