As modern cars increasingly become autonomous and connected, they generate large amounts of data. Some of this data can be utilized for reasons beyond ensuring that the car reaches its destination safely. A good example is the deployment of user-generated car data for car insurance.

This type of insurance is often referred to as usage-based motor insurance (UBI). Data generated from the in-car sensors and systems such as speed, braking, cornering, and mileage has proved to be highly predictive of risk and can help improve the accuracy of insurers’ premium setting at the time of applying for car insurance. Insurers can better assess risks and provide consumers with a more accurate premium based on how well they drive by combining car data with traditional rating variables such as the driver’s age, gender, credit, and driving records. Insurers who use consumer-generated car data effectively can, thus, obtain a competitive advantage, and consumers who are more likely to drive safely benefit from being able to obtain a lower premium.

My Car, Not ‘My’ Car Data?

The increased awareness about the value of car data has also led to debates about its ownership, control, and use. While it may seem as though the person who owns the car should control the data it generates, this is often not the case. When consumers buy a connected car they enter into a contractual agreement which often gives the car manufacturer control over their car data. This is the case, not only with connected cars but with any digital devices that are part of the Internet of Things (IoT), including fitness trackers, televisions, and kitchen appliances, all of which have the potential to share data without most people being (made) aware of it.

Some people argue that ‘privacy is dead’ and you just have to accept it if you want to take part in daily life, but this does not have to be the case. The problems with data monopolies being created by companies are something governments and organizations worldwide are facing and taking steps to combat.

The European Commission, for example, has recently published new regulations in response to the data monopolies of Big Tech companies such as Google and Facebook. The regulations challenge these so-called data gatekeepers to share access not only to the data but also to the ecosystems they dominate. The European strategy for data aims to support the European Commission’s (EU) global digital ambitions to build a competitive European data economy while ensuring European values through a high level of data security, data protection, and privacy. The EU Data Strategy also underlines an open but assertive approach towards international data flows.

“We want every citizen, every employee, every business to stand a fair chance to reap the benefits of digitalization. Whether that means driving more safely or polluting less thanks to connected cars; [..].”
—Margrethe Vestager, Executive Vice-President for ‘A Europe Fit for the Digital Age.’

Although the EU proposes to take a human-centric approach, there are serious concerns about what these proposals will mean in practice and whether they will give citizens more control over the collection and use of the data they generate while using digital devices.

The Keys to User Empowerment: A Role for the EU GDPR

The development of connected and increasingly automated cars presents an interesting case to challenge whether the European Union’s General Data Protection Regulation (GDPR), which is put forth as a leading example of how to regulate consumer privacy, is a capable regulatory framework for empowering consumers to regain control over their devices and data. There are two ways in which the regulations can be improved towards this end.
First, companies should ask consumers for consent (under Article 6(1)a) of the GDPR) before processing their data. This will give consumers control over whether or not they want their data to be used. The focus of the reform should be defining and clarifying what information consumers should be given and ensuring that they have an actual say in whether they agree to any of the purposes for which their data is to be used.

Second, the reform should ensure that consumers are able to effectively use their right to data portability (under Article 20 of the GDPR), to get and/or share a copy of the data they have generated with another company to provide them with a product or service they want.

When consumers buy a connected car they enter into a contractual agreement which often gives the car manufacturer control over their car data.

The Connected Car Ecosystem

Given the value of car data and car manufacturers’ liability for car safety, security, and privacy, there is an obvious incentive to not make car data available without being able to decide who can access it and for what purpose.

Currently, car manufacturers make data available either on their cloud platform or together with multiple car manufacturers through a ‘neutral’ but still access-controlled cloud platform. Access to (a subset of) pre-processed data is only made available to third parties who need to sign up to one of these platforms, subject to a fee and license terms. They also seek to protect their investments in development and manufacturing as well as their competitive advantage. Because of their investments in research and development, car manufacturers look to maintain exclusive rights to commercialize car-generated data. Thus, they become gatekeepers of the connected car ecosystem and data value chain, limiting the innovative potential of free data flows.

As the EU has highlighted, the market for personal data is acquiring increasingly greater importance. Business models based on data monetization have become widespread and a large share of consumers access digital services in return for their data. However, to ensure that this contributes to consumer welfare, the EU must put in place an adequate regulatory framework for data governance that balances the interests of all the relevant stakeholders.

Notwithstanding the benefits of data sharing for stakeholders across the data value chain, the large-scale deployment of connected cars and telematics specifically, also poses serious risks. For example, some of this data can be used to reveal highly sensitive information about the user/driver. This is most relevant in the case of location data as the constant monitoring of drivers’ movements would reveal their daily routine which may include data directly or indirectly related to reveal health, political, or sexual preferences. It is not just insurance companies who are interested in this data but also organizations involved in developing smart cities as well as law enforcement.

Furthermore, this constant collection and communication of car data is something drivers may not be aware of. Lack of transparency about the collection and multi-purpose use of car data as well as its potential misuse have raised serious concerns about what data should become available and who is to decide.

Would You Like to Take the Data Home with Your Device?

In an ideal scenario, consumers should be the ones deciding what happens to the data beyond its use within the car. However, in practice, the rights accrue to the car manufacturer to whom consumers hand over control of their data by signing contracts at the time of purchase. In the absence of a data ownership framework for consumers, they can only regain some control over their data when this is classified as ‘personal data’ under the scope of the GDPR. On the one hand, the GDPR aims to enable the free flow of data, which is important for the development of new products and services from which we can all benefit. However, on the other hand, it protects consumers against harm by empowering them with two specific rights that can solve the problem of data gatekeepers.

The requirements for informed consent and the right to data portability embedded in the GDPR provide two key opportunities for consumers to challenge the current stronghold of the car manufacturers over the data they generate.

Besides consent, the GDPR allows companies to lawfully use personal data based on contractual necessity and legitimate interest. However, what is argued for here is that despite its limitations, informed consent is the most appropriate ground to give consumers the best protection in terms of being able to control what happens to their car data.

With the right to data portability, consumers can obtain a copy of the data they have given the car manufacturer. This not only allows them to see what data is being collected and whether it is, for example, accurate, but also makes it easier for them to switch between companies because they can take the data with them.

It is, however, unclear whether these rights are adequate for consumers to regain more control since there is still much uncertainty about how to interpret them in practice.

Yes, I understand and consent to how my device data will be used.

For consent to be valid (the requirements for valid consent are defined in Article 7 of the GDPR and specified further in recitals), people should understand and be given an actual choice to agree with or refuse how the data they have generated will be used.

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
— Recital 32 of the GDPR

This means that people need to be provided relevant information to allow them to make well-informed decisions. In the context of connected cars, consumers must be given specific information on what data is being generated and how it is used. If these uses extend beyond what is necessary for the car to function, consumers should be able to select the purposes they agree with and refuse others. For example, they may consent to data being used for insurance purposes or a smart-parking app but not for monitoring of traffic flows. Although most of these examples are already based on consent this does not mean that they comply with the GDPR requirements.

One of the problems is the power asymmetry between consumers and companies. Consumers often do not have the option to decline the terms and conditions offered by the company if they want to sign up for a service. Connected car manufacturers, for example, will state in their policy that the provision of data is not necessary for the conclusion of the agreement. However, without the data and the processing thereof, the manufacturers are not able to provide specific services, such as information services, real-time traffic information etc., that would otherwise benefit consumers. More problematically, car safety and security often depend on the data shared by consumers, leaving them with little choice on whether or not to consent to the processing of such data.

Although car manufacturers have to comply, the EU has acknowledged that it can be difficult for them to specify all (potential) purposes for which the data will be used in advance. This, however, cannot be a reason to not specify the purposes that are already known. The concern put forth by companies that such disclosure would stifle future innovations is not a strong enough argument considering that consent can be requested at any time in the future when more specific purposes are known.

Another challenge is that the consumers have the right to withdraw their consent at any time which would make it difficult for any user to guarantee and/or rely on the availability of data. A car manufacturer must be capable of withdrawing personal data when requested and make subsequent users of the personal data aware of the withdrawal. This requires companies to invest in a system that can respond to such requests.

The GDPR does allow companies to process personal data based on grounds other than consent, for example, to fulfill contractual obligations or when a company has a legitimate interest in doing so. Again, there are some strong arguments against allowing the use of personal data without consumers’ consent, which is not recommended. If data is collected and used on these grounds, it can also be used for other purposes compatible with the original one, and no separate legal basis would be required (Recital 50 of the GDPR). From the consumers’ point of view, this may reduce the control they have over the purposes for which their data is used.

When car manufacturers can use data based on legitimate interest, consumers do not have the right to data portability. Given the growing attention to ensuring data portability as a means to challenge the stronghold of companies, this is another reason why consumers’ consent should be made imperative for the use of car data and this legal provision should be adequately enforced.

Yes, I’d Like a Doggy Bag for my Car Data, Please.

When consumers consent to the collection and use of their data by car manufacturers, they have the right to request a copy of their data and have it sent directly to their insurer. This provision was introduced in the GDPR Article 20 to mitigate the power asymmetry by helping consumers avoid being locked-in. Essentially, data portability allows consumers to switch more easily between products and service providers because it gives them the right to take their data with them.

This is expected to improve the free flow of data for innovations and to ensure fair competition because a company can no longer refuse to share the data they have when a consumer wants to switch to a competitor.

However, the right to data portability enshrined in the GDPR may not go far enough to empower consumers. One of its limitations is that the right only allows consumers to obtain the data they have provided themselves. In the context of telematics insurance, this would include a copy of sensor data but not driving score, which is arguably more important because it forms the basis on which decisions are made by the insurer about acceptance of consumers’ applications or insurance claims.

there is an urgent need for the EU to confirm what data must be made available and how to make it as useful as possible in terms of quality and interoperability to unlock the full potential of data sharing.

Besides, the GDPR does not make it mandatory for companies to facilitate data portability. Companies can decide not to invest in making the data and their processing systems easily accessible since the onus is on the receiving entity to have a system that is compatible with data portability.

Another issue is that while companies are not allowed to hinder data portability, it is up to the receiver of the data to make sure its system is interoperable. This has raised concerns about the incentives for data holders to contribute to improving data sharing as it would be of greater interest to them not to invest, develop and/or adopt industry-wide standards. This could result in a system where each car manufacturer determines what system the insurer should use to become or stay interoperable with its systems. This is already the case for independent car maintenance and repair shops who have to use different sets of brand-specific tools to read data from different brands. Not only does this lead to unfair competition and additional costs for independent repair shops, it also reduces consumer choice and makes it more difficult for consumers to switch their data between competitors. Some entrepreneurs, however, have taken this challenge as an opportunity to develop (car) data-sharing platforms cleaning up the data from multiple brands and making it available in a useful format for insurers and other users.

A fourth limitation of the GDPR is that the right to data portability does not extend to all data and the discussion on what data falls under its scope is still underway. For data portability to be truly effective, it is necessary to have a broad interpretation of the categories of data that can be brought under its scope. For now, since a consensus is lacking, the EU should provide more clarity so that companies know what they need to comply with, and consumers understand what their rights are and take action when these are not respected.

While reforms are underway, there are already plenty of opportunities for the automotive and insurance industries to take action and develop industry-wide practices and standards to increase interoperability, security, privacy, and innovation. Article 40 of the GDPR encourages this approach.

Driving Beneficial Innovations for Consumers

The EU acknowledges that legal uncertainty hampers innovation and reduces consumer protection. With its data strategy, it has the opportunity to clarify the role of the GDPR to ensure that it will lead by example and develop a data governance model that respects human values and benefits people locally as well as globally.

The proposed recommendations are to clarify the scope of consent as the most appropriate basis for companies to access data from the devices we use. The recommendations also ensure that people are given the information they need to decide if they agree to the use of their data, without being forced or nudged into agreeing to share too much for purposes they may not agree with or are not in their best interest. Given these challenges, facilitating data intermediaries such as the MYDATA operators, as proposed by the EU in its new regulations, is a good step forward. When it comes to the right to data portability, there is an urgent need for the EU to confirm what data must be made available and how to make it as useful as possible in terms of quality and interoperability to unlock the full potential of data sharing.

Clarifying what organizations must do and what citizens can ask for will help improve both the protection and flow of data for innovations that benefit us as citizens of a global society faced with difficult challenges. As is apparent from the impacts of the Covid-19 pandemic and climate change, it couldn’t be timelier for governments and organizations to take action.