A global group of data privacy regulators has, for the first time, set forth data privacy and security guidance on the development of automated and connected-car technologies. The Resolution on Data Protection in Automated and Connected Vehicles was announced at the recently convened International Conference of Data Protection and Privacy Commissioners (ICDPPC). The resolution sets forth 16 data privacy and security principles to guide automotive manufacturers, transportation-service providers, car rental companies, and providers of data-driven services (e.g., speech recognition, navigation remote maintenance, or motor insurance telematics services) in the development of connected-car technologies.

Of note, the Commissioners recommend that automotive manufacturers and other relevant parties:

  • utilize anonymization measures to "minimize the amount of personal data or use pseudonymization when the former is not feasible;"

  • minimize collection and retention of personal data;

  • implement easy-to-use privacy controls for vehicle users, enabling them to grant or withhold access to different data categories, where appropriate;

  • implement secure data storage technologies;

  • develop and implement technologies to prevent unauthorized access to and interception of collected personal data;

  • provide safeguards against unlawful tracking/tracing of drivers, and limit the possibility of illegitimate vehicle tracking and driver identification;

  • commission an assessment by an independent third party of potential discriminatory automated decisions arising from self-learning algorithms, and;

  • conduct data impact assessments for new, innovative, or risky development or implementation of these data technologies.

The ICDPPC is composed of dozens of member entities from around the world, and includes representative organizations from the European Union as well as the Federal Trade Commission (FTC).

The non-binding resolution was adopted in a closed session at the conference and represents the first—and by far the most granular—data privacy and security guidance for connected-car manufacturers. Notably, the FTC abstained from the resolution, leaving open the question of applicability to connected-car manufacturers, application developers, and car rental companies in the United States.

Implementation of the resolution will require a substantial investment of technological resources by connected-car manufacturers (and other original equipment manufacturers) as well as careful legal consideration of the potential impact on privacy of these technologies.

Ballard Spahr's Privacy and Data Security Group regularly counsels automotive manufacturers, data service providers, and others on navigating a wide array of privacy and data security issues.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.