Cars can collect data via cameras, microphones, sensors, and connected phones and apps. Our privacy laws need urgent reform if these data are to be kept safe.
Cars with internet-connected features are fast becoming all-seeing data-harvesting machines 鈥 a so-called 鈥減rivacy nightmare on wheels鈥, US-based research conducted by the .
The researchers looked at the privacy terms of 25 car brands, which were found to collect a range of customer data, from facial expressions, to sexual activity, to when, where and how people drive.
They also found terms that allowed this information to be passed on to third parties. Cars were 鈥渢he official worst category of products for privacy鈥 they had ever reviewed, .
Australia鈥檚 privacy laws aren鈥檛 up to the task of protecting the vast amount of personal information collected and shared by car companies. And since our privacy laws don鈥檛 demand the specific disclosures required by some US states, we have much less information about what car companies are doing with our data.
Australia鈥檚 privacy laws need urgent reform. We also need international cooperation on enforcing privacy regulation for car manufacturers.
Apart from data entered directly into a car鈥檚 鈥渋nfotainment鈥 system, many cars can collect data in the background via cameras, microphones, sensors and connected phones and apps.
These data include:
A lot of these data are used, at least in part, for legitimate purposes such as making driving more enjoyable and safer for the driver, passengers and pedestrians.
But they can also be supplemented with data collected from other sources and used for other purposes. For instance, data may be collected from your website visit, your test drive at a dealership, or from third parties including 鈥溾 and 鈥減roviders of data-collecting devices, products or systems that you use鈥.
The latter is very broad since our TVs, fridges and even our baby monitors can collect data about us.
Mozilla points out these combined data can be used 鈥渢o develop inferences about a driver鈥檚 intelligence, abilities, characteristics, preferences and more鈥.
While cars have been collecting large amounts of information since they became 鈥溾, this information has generally been stored in modules in the vehicle and accessed only when the car is physically connected to diagnostic equipment.
Now, however, vehicles are being sold with 鈥渋n the sense that they can exchange information wirelessly with the vehicle manufacturer, third party service providers, users, infrastructure operators and other vehicles鈥.
This means your connected car can transmit data about you and your activities, generally via the internet, to various other companies as you go about your life.
In Australia, we have little information about how our information can be used and by whom.
In its US-based study, Mozilla found data from consumers鈥 cars was being disclosed to other companies for marketing and targeted advertising purposes. It was also sold to data brokers.
Mozilla was able to uncover highly detailed information, largely because the laws of and require specific disclosures about who personal data is disclosed to and for what purposes (among other higher privacy standards).
Australian privacy law doesn鈥檛 require such specific disclosures. This is one reason car brands often have separate privacy policies for Australia.
A look at the privacy policies of various companies supplying connected cars in Australia reveals several vague, broad statements. Aside from using your data to provide you with connected services, these companies will:
Some may disclose your information to law enforcement or the government even when not required by law, such as when they believe 鈥渢he use or disclosure is a law enforcement agency鈥.
It鈥檚 safe to say car manufacturers generally don鈥檛 want privacy laws tightened. The (FCAI) represents companies distributing 68 brands of various types of vehicles in Australia.
During the recent review of our privacy legislation, the FCAI made a submission to the Attorney General鈥檚 department arguing against many of the privacy .
Instead, it promoted its own . This weak document seems designed to comfort consumers without adding any privacy protections beyond existing legal obligations.
For example, signatories don鈥檛 say they鈥檙e bound by the code. Nor do they promise to follow its terms. They only say its principles will 鈥渄rive their approach to treatment of vehicle-generated data and associated personal information鈥. There are no penalties for ignoring the code.
It even states signatories will 鈥渧oluntarily notify鈥 consumers of certain matters when the Privacy Act already requires this as a matter of law.
The code also notes third parties are increasingly interested in accessing and using consumers鈥 data to provide services, including insurance companies, parking garage operators, entertainment providers, social networks and search engine operators.
It says companies making data available to such third parties 鈥渨ill strive to inform you鈥 about this.
The government recently proposed important and , following the Privacy Act Review which began in 2020. These changes are long overdue.
Proposals such as an updated definition of 鈥減ersonal information鈥 and higher standards for 鈥渃onsent鈥 could help protect consumers from intrusive and manipulative data practices.
The proposed 鈥渇air and reasonable test鈥 would also assess whether a practice is substantively fair. This would help avoid claims data practices are lawful just because consumers had to provide consent.
The FCAI points out many cars aren鈥檛 specifically designed for Australia鈥檚 relatively small market, so increased privacy standards might result in some vehicles not being released here. But this isn鈥檛 a reason to carve out vehicles from privacy law reform.
Privacy laws are also being upgraded in numerous jurisdictions overseas. Australia鈥檚 government agencies should coordinate with their international counterparts to protect drivers鈥 privacy.
, Associate Professor, Faculty of Law & Justice, and Deputy Director, Allens Hub for Technology, Law & Innovation,
This article is republished from under a Creative Commons license. Read the .