Connected transport

Contents

Introduction

From facial recognition of fatigue to smart watch monitoring of stress, the next generation of vehicles will know their users more intimately than ever before.

After years of growth and investment, connected vehicle technology is revolutionising the automotive industry by changing how vehicles operate and interact with people and their surroundings. Cars of the future will come equipped with advanced sensors, fast and reliable internet connectivity and sophisticated data processing abilities.

These features aim to reduce congestion, make our journeys safer and improve users’ experience through seamless connection with the outside world.¹ But as our transport trends towards autonomy, the increasing use of data by vehicles raises concerns about the implications for data protection and the privacy of drivers, passengers and the wider public.²

State of development

The market for connected cars, cars with increased communications capabilities, has grown rapidly, with vehicle makers investing heavily to meet consumer demand for seamless, digitally enhanced in-car experiences. Advances in areas such as integrated sensors and 5G, along with new market entrants, have spurred this investment. Meanwhile, government and civil society are interested in the potential safety benefits, net-zero gains and regulatory challenges of automation.

At the heart of connected car technologies lies vehicle-to-everything (V2X) communication. V2X is a system that enables cars to communicate with:

other vehicles via vehicle-to-vehicle (V2V) technology – such as allowing your vehicle to receive an instant alert warning you that a car several vehicles ahead has suddenly braked. This feature could allow you more time to reduce your speed and avoid a collision;
infrastructure via vehicle-to-infrastructure (V2I) technology – allowing your car to automatically communicate with local toll booths and pass through without stopping. This feature could reduce congestion and travel times; and
pedestrians via vehicle-to-pedestrians (V2P) technology – which could enable your car to detect pedestrians carrying smart devices late at night in low visibility. The car could then take safety precautions accordingly, through enhancing headlights or reducing speed when close to the pedestrian.

V2X technology uses a combination of sensors, cameras, global positioning systems (GPS) and wireless connectivity to enable cars to collect and share this information. The technology and its data protection implications are similar to internet of things (IoT) technology and devices.³ As with IoT, sensors collect a large volume of information in a complex ecosystem of data controllers and processors and respond in real time.

Connected car technology is regarded as nascent today. Although many new cars include advanced technology, the broader ecosystem for full connectivity is still developing. As connected technology becomes standard in vehicles and infrastructure evolves, new features and ways of making use of this capability are likely to emerge on UK roads.

Beyond V2X technology, the infotainment systems in modern vehicles are also increasingly connected. These systems are typically multimedia interfaces accessed through screens in the vehicle or an app on a user’s smartphone. They include features such as:

real-time navigation;
voice recognition and voice assistants;
smartphone integration;
camera systems; and
in-car functions.

Infotainment systems enhance driving by enabling smartphone connectivity, hands-free operation, and voice control for greater convenience and safety. Modern vehicles already feature virtual assistants for tasks like calling or texting. Emerging natural-language processing capabilities may enable vehicles to learn users’ speech patterns and enhance interactions over time.⁴ In-car cameras and microphones could identify occupants and customise infotainment content accordingly. In future this could include profiling and advertisements tailored to drivers or passengers based on their past verbal reactions to similar advertisements.⁵

Other features include predictive maintenance – relying on continuous data collection and analysis to provide real-time insights into vehicle health. This feature may improve vehicle performance but may also indicate a driver’s routines and driving style to make efficiency recommendations.

These technologies and use cases may first bring to mind passenger cars, but businesses in sectors such as freight and logistics have been using connected vehicle systems for many years. These include:

telemetrics for fleet management;
route optimisation;
predictive maintenance on the vehicles; and
monitoring driver hours in compliance with regulatory requirements.

These features are also used in much public transport. In future, public transport could use connected technology to enable traffic lights to automatically detect and change, creating quicker bus routes.

Smart city initiatives often look towards V2I technology to manage traffic flows in real time to reduce travel time and therefore emissions, contributing to improved health for pedestrians and residents. Similarly, these initiatives may use real-time information from connected vehicles to report on road conditions and implement safety initiatives such as reduced speed limits in icy weather.

Fictional future scenario

Sam, a marketing executive, commutes daily in her connected car. As she starts the engine, the car scans her facial features to confirm she’s alert to drive. Detecting minor fatigue, the car selects an energising playlist and adjusts the internal lighting for improved focus.

The car maps the optimal route, factoring in traffic and Sam’s preference for main roads. Using city-connected infrastructure, it reserves a nearby parking spot in advance for the duration of her morning meetings.

Throughout the morning, Sam’s car monitors traffic patterns to suggest the optimal time to leave the office for a client meeting across town, integrating with her digital calendar and reminders app to notify her when she needs to leave. En route to a client meeting, the car’s AI assistant reads her a memo from her team so she’s prepared for her presentation.

On the way home from the meeting, Sam uses the infotainment system to participate in a team conference call. Using the car’s external noise-cancelling features and high-speed 5G, she’s able to participate in the call seamlessly. When she’s 10 minutes away from home, her car alerts her home-smart devices that she’ll return soon. The alert autonomously turns on her lights and speakers, and pre-heats her smart oven for dinner.

At the end of the month, a connected health and wellness app on her personal device notifies Sam that her car has noticed a pattern of increased fatigue signs on her early-morning drives. The app suggests she consider an earlier bedtime or morning workout before driving to improve her driver safety and personal wellbeing.

Data protection and privacy implications

As connected car technologies evolve, they are likely to collect and process increasing volumes of information to enable new services and features. While not all information processed will be personal, much of it may be linked to the personal information of the owner, driver or passengers. This could include real-time location data, information on driving patterns via a telemetric device or mobile app, or biometric data.

Where information does relate to an identified or identifiable person, organisations processing the information must comply with data protection legislation (UK GDPR, DPA 18).^{6, 7} In addition, where data is stored and accessed on the user’s terminal equipment, this will likely engage e-privacy legislation.⁸

Transparency

As connected vehicles collect a wide range of information for various purposes within a complex ecosystem of data controllers and processors, compliance with transparency requirements will remain important. The UK GDPR recognises that not all organisations involved in the processing will have the same degree of control or responsibility. Organisations must identify who is acting as a controller, a joint controller or a processor so they can clearly assign UK GDPR obligations and evidence accountability.

Organisations must provide clear, concise, and accessible privacy information. They should ensure people are clear about what information is being processed, by whom, and for what purpose. The in-vehicle environment may provide a challenge to disseminating this information, as smaller monitors and displays present less opportunity for meaningful user engagement. Organisations should also consider passengers as well as the driver.

Organisations should consider, too, when privacy notices or prompts are given because drivers must remain focused on operating the vehicle to avoid accidents. Vehicle makers should consider innovative solutions across the in-car environment – and, if applicable, mobile apps – to provide clear information when an individual is setting up the vehicle’s inbuilt technologies. This should continue through ongoing real-time transparency and, where applicable, consent mechanisms throughout the vehicle’s use.

Lawful basis

Once the purpose of processing has been established, organisations should take care to identify the correct lawful basis for the use of personal data within connected vehicles. They must record this in line with accountability and governance requirements. Our guide to lawful basis gives more information.

Organisations should remember that if they are storing information on – or gaining access to information stored on – terminal equipment, they must consider PECR compliance before looking at UK GDPR. In the context of connected vehicles, organisations should particularly remember Regulation 6 of PECR. This prohibits the storage and access of information on a device unless an exemption applies or consent is obtained.

If no exemption applies, prior consent must be obtained to the high standard set by UK GDPR. This requires that individuals have a meaningful way to consent without detriment, so organisations should not make consent a precondition of service. Our guidance on PECR should be consulted for more information.

Excessive data collection and online tracking

The proliferation of sensors in connected vehicles increases the risk of collecting excessive information beyond what is required for the stated purpose. In particular, sensors may collect data in a continuous and automatic way with limited or no ability for the user to effectively opt out of collection.

Under UK GDPR, organisations must collect only adequate, relevant and necessary personal information for their purposes. To adequately evidence this and meet requirements under the accountability principle of UK GPDR, organisations must clearly tell individuals what information they are collecting and for what purpose. They also must be able to show they are collecting and retaining no more than they need. As new features are installed via remote software upgrades, organisations should ensure their data collection practices are regularly reviewed to comply with these requirements.

In particular, organisations should consider if they want to collect personal information through a connected vehicle for advertising or profiling. This could include processing information from a linked smartphone or consumer-wearable device, video or audio recordings within the vehicle or use of location data from the vehicle – or a combination of these. If information is accessed or collected from these sources, PECR will probably apply.⁹ In particular, organisations should remember Regulation 14 of PECR, which details strict rules on the processing of location data. Our guidance on processing location data gives more information.

If an organisation decides to process this information for advertising or profiling, they must tell individuals they want to do so and get their valid consent before starting the processing. This may be difficult in an in-vehicle environment where there are multiple passengers or where the vehicle is shared-use. Organisations must also provide people with options to withdraw their consent at any point.

Biometric data

Connected cars of the future may rely on biometric technology to improve the vehicle’s safety, security and user experience. This could range from fingerprint scanners to unlock a vehicle to internal facial recognition that authorise in-car payments at drive-thru restaurants. It may also include eye-movement tracking and facial-movement monitoring to assess the driver’s health and competence at a particular point in time, enabling the vehicle to determine whether the person is safe to drive.

While these use cases have demonstrable benefits, the information collected may often be biometric special category data under the UK GDPR and therefore subject to additional protections. Even if the threshold for biometric special category data is not met, the information may still be considered sensitive and organisations should consider data minimisation and security. Our biometric data guidance should be consulted for more information.

Shared-use vehicles

Unlike many devices, vehicles are often shared, which can cause difficulty to organisations seeking to give privacy information and show compliance. A key test will be ensuring that everyone in the vehicle has access to appropriate transparency information and, where consent is being relied upon, that this is captured appropriately. This is critical so individuals understand how to enact their individual rights. Examples of shared-use circumstances could include:

passengers in vehicles;
rental vehicles;
employer-provided fleet vehicles;
company vehicles authorised for business and personal use.

Privacy concerns about shared-use vehicles centre on what information from past users can still be accessed or collected by organisations or the vehicle’s future users. This could include information on the in-vehicle dashboard obtained from pairing a smartphone, or previous address locations including a marked ‘home’ address in a maps application.

Organisations must clearly explain what information is processed within vehicle systems and its purpose. They should also consider how to convey appropriate guidance to people about deleting information when they return the vehicle. Organisations should maintain, too, compliance with data minimisation requirements to ensure they only retain required personal information.

The nature of the sharing arrangement will determine what actions data controllers and processors need to take to comply with data protection requirements. A data protection impact assessment (DPIA) may be useful for organisations seeking to identify and minimise the data protection risks of their approach to shared-use vehicles. Our guidance on DPIAs gives more information about this.

In circumstances where information from vehicles is used to monitor employees, organisations must ensure their workers are aware of the nature, extent and reasons for monitoring. Organisations must have a clearly defined purpose for collecting and retaining the information as well as a lawful basis to rely on for this processing. Our employment practices guidance should be consulted to help employers fully comply with data protection law in this regard.

Children’s information

Children are likely to be active users of vehicle infotainment systems and voice assistants. These systems include entertainment and educational materials across streaming and gaming applications delivered via an in-vehicle screen. The applications may collect personal information including account information such as a name and email address, usage data, payment information for in-game purchases or geographical information.

Organisations must therefore be aware of the UK GDPR’s higher protection level for children’s information. They should focus on providing default settings that ensure children have the best possible access to online services while minimising data collection and use, by default. In particular, they must be able to demonstrate a lawful basis for their processing of children’s personal information, and obtain parental consent for processing under 13s’ data if relying on the lawful basis of consent.

Organisations need to be aware of the specific risks and requirements relating to collecting real-time location data connected to children and restrictions regarding profiling children. Both should be switched off by default when related to children’s information. If parental controls are in use in an in-vehicle environment, children should be given suitable information about this. Our Age appropriate design code provides guidance for online services likely to be accessed by children.

Recommendations and next steps

As adoption of connected car technologies grows, and as we trend towards automation, the information gathered, processed and retained by vehicles is likely to increase. These advances aim to improve safety and user experience, but this should not come at the cost of privacy. It will be critical that regulators and the broad spectrum of data controllers and processors in the vehicle industry engage to establish policies and standards about personal information that uphold consumer trust. Privacy policies should be written in a way that’s easy for people to understand and include information on how to exercise their individual rights.

Embedding privacy by design into hardware and services related to connected vehicles will be critical in supporting the various industry stakeholders such as vehicle makers, rental-car providers and public-transport operators to evidence their compliance with data protection legislation. We are committed to supporting innovators to embed privacy-enhancing mechanisms into their solutions through our array of innovation services.