Car as a hole for your data and personal information? 

The Mozilla Foundation, the organization behind the privacy-focused Firefox web browser, published an article last week[1] that assessed the data collection and privacy of car drivers. Cars from 28 different car manufacturers were examined. The results were disastrous.

The article was subsequently also published on the Czech Television website, albeit with partial inaccuracies.[2] The article discussed what data modern cars collect, what options they give drivers with regard to handling and protecting their data, and what this means for drivers.

[It is worth remembering that the research was conducted in the USA, where, unlike in Europe, the General Data Protection Regulation (GDPR) and the e-Privacy Directive do not apply. However, even strict regulation may not force car companies to behave responsibly in this regard. The risks associated with privacy and data protection were already outlined by the European Personal Data Protection Board (EDPB)[3] in 2020. They include: the absence of consent for subsequent processing; masking processing purposes as necessary for providing services in order to avoid consent, or incorporating consent into contracts for the purchase or rental of a car; processing of sensitive data (biometric data, religious belief or sexual orientation) and of data revealing crimes or misdemeanors, which require stricter processing conditions; non-transparent information; the issue of informing fellow passengers in the car; and forwarding data to third countries, perhaps even to the USA.]

Car companies have been boasting for years that their cars are more sophisticated computers on wheels than classic means of transportation.[4] The authors of the article mention several problem areas associated with cars. Cars collect far more data than they need for their operation (in fact, all available data: the better the equipment and sensors you buy, the more the car company finds out about you and sells), most car companies (84% of those surveyed) can sell your data, and most car companies (92% of those surveyed) give drivers little or no control over how their data is handled. Since drivers are buying the car, the automakers' approach to data collection is another way to squeeze money out of them. Due to the uniform approach of practically all car companies, there is no possibility of defense.

And what data do car companies collect? [(Perhaps it would be easier to say which ones they don't collect...)] According to their own documentation, car companies collect information about the sexual activity of drivers (Nissan), genetic information, stress level, how much money you earn... These are extreme "fads" that go beyond your name, contacts, address, the journeys you take and other data you might expect.

What options do car manufacturers give drivers with regard to the protection of their data and personal data? Of the 28 examined, only 2 allow the driver's personal data to be deleted. For the others, this option simply does not exist. In addition, car manufacturers do not indicate in their documentation whether the "data at rest" stored in the car is encrypted. The answer was not obvious to the researchers even from the few answers that the car companies delivered to them on this question. This is a problem given the poor history of data security to date – for example, Volkswagen said that between August 2019 and May 2021, data on 3.3 million of its customers were available online.

And what do car companies do with all the information and personal data? According to the documentation, they can use the data to improve their services and sell it on. One of the companies that buys this data is, for example, High Mobility[5]. Whether and to whom it resells the data is still not public information.

The article concludes with the fact that none of the automakers passed the Mozilla Foundation's tests and all were awarded the mark "Privacy not guaranteed". Some were worse than others, but all were bad. [We remind you that practice in Europe may be different from the procedures described in the article, although experience does not correspond to this. Has the car informed you what data it processes about you? We do not find many reasons for different procedures. The only differences are the more robust legal regulation of personal data and data protection in the EU. However, it is not always fully enforced. Especially in the case of automotive, this may not be entirely desirable from the point of view of its position within the European economy. The "On-board monitoring" function, which will be mandatory when the EURO7 standard is adopted, can also complicate matters.[6] This imposes an obligation on car companies to collect real-life data on the operation of the car. The collected data will thus increase.]
