Sunday 22nd September 2019

Who owns connected cars’ data?

Published on March 1st, 2019

Igor Ilunin, head of IoT at DataArt looks at what data is collected such as about the car itself, or its usage, or the driver, and to whom it belongs.Today’s cars can hardly do without extensive IT systems and numerous sensors and the permanent connection between vehicles and the backend systems of manufacturers and service partners is being expanded.

Most car manufacturers are building connected car solutions, integrating them with other third-party services to develop ecosystems for the benefit of all participants. The data could be used for a variety of data-driven businesses like car services, gas and electric vehicle charging stations, and insurance carriers.

Cars generate a lot of real-time data, and it can be inefficient to transfer or collect it all. The data most commonly collected is about location, the car’s use (mileage and fuel consumption) and anything that helps analyse a driver’s behaviour (acceleration, braking, speed, engine status and temperature).

Being online can enhance some of a car’s functions and applications, but lack of connectivity isn’t essential at this stage – most map services work offline, although they’re more precise and can provide advanced traffic information only when online. If temporarily disconnected, data is stored locally and sent to the cloud when connectivity is restored.

EU data privacy

Since the EU’s General Data Privacy Regulation was introduced May 2018, all data generated by a vehicle that could be used to identify someone became the property of the driver. Hence car makers and other connected car service providers should not collect data unless the driver authorises its collection and processing, and the data cannot be sold or transferred without the owner’s consent.

However, if the data is anonymised or the owner gives explicit consent, data can be used as it is, or analysed, or combined with other data for analysis or predictions. The EU’s new Privacy and Electronic Communications (e-Privacy) Regulation also limits how much data a car manufacturer can share with other organisations.

According to the GDPR, there are two major types of data operators – data controllers and data processors. Vehicle manufacturers fall into the first category, as they control other parties’ access. Consequently they are responsible for providing security measures. If data privacy is compromised, the controller faces of up to €20 million or 4% of the company’s worldwide annual revenue for the prior fiscal year, whichever is higher.

US data privacy

The approach data ownership is different in the US. There most of the vehicles’ data is owned by car manufacturers, not drivers. When someone buys a vehicle, they own it, but the contracts say nothing about data within the vehicle.

There are exceptions; the information in the event data recorders belongs to the driver, but most other vehicle-generated data is stored in the vehicle, and its use is not regulated.

The Alliance of Automobile Manufacturers and the Association of Global Automakers issued guidelines in 2014 that have been voluntarily accepted by most companies that sell cars in the US.

Firms that collect data from vehicles say they anonymise it, but the process is not controlled, the methodology is unknown, and there’s no regulation about how and when a car owner can find out and control how the data is being used.

Igor Ilunin

There have been notorious examples of unauthorised data use: GM cars equipped with the OnStar system collected information about car owners, their driving style, accident details, and so on, whether or not car owners had signed up for this service.

GM shared this information with third parties (including law enforcement and insurance companies), explaining this practice as a necessary safety measure. This monitoring occurred automatically unless the car owner explicitly opted out.

Ford’s representative also said: “We have GPS in your car, so we know what you’re doing. By the way, we don’t supply that data to anyone.”

Data security

The risk of hacks and leaks is high. If data is not stored securely (that is encrypted, anonymised, or pseudonymised), and there is no permission-based access in place, the risk is higher.

If data can be retrieved by direct access to the car, the risk of a car being hacked or someone gaining control of a subsystem, or malware being installed is small so long as only one company provides the connectivity. Multiple parties communicating with the car simultaneously increases the number of communication channels and the risk of being hacked through a third-party system.

The risk can be reduced by using encrypted data storage on the provider’s site, data audit trails, permission or role-based access to the data, and data logs to detect anomalous behaviour or data use without unauthorised access.


Future innovations will be shaped by how companies and platforms collect data. Though GDPR and other regulations limit the way companies gather information in the EU, other aspects of data collection remain a grey area in many countries.

The general trend is that drivers’ sensitive data should be protected. We expect data collection and access to be strictly regulated in more regions in the next five to ten years.

The author of this blog is Igor Ilunin, head of IoT at DataArt.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow