The 39th International Conference of Data Protection and Privacy Commissioners held in September in Hong Kong produced a non-binding resolution (PDF) on connected car privacy.

The resolution is addressed to standards bodies, public authorities, vehicle and equipment manufacturers, personal transportation or rental companies, and providers of services like speech recognition, navigation, remote maintenance, or vehicle insurance telematics. It calls for full respect of users’ rights to the protection of personal data, urging the above parties to adhere to a set of 16 principles (below). They are all excellent recommendations that embrace and extend the GDPR’s principles and other privacy and data ethics frameworks. Particularly thoughtful are:

  • #12: reducing the discrimination risk of connected car algorithms – This is a very forward-looking principle that emerges more from the world of data ethics than existing regulation. It’s of course generally applicable to all algorithmic decision systems, but its appearance here is a welcome application within a specific sector that might not have such concerns top of mind.
  • #2: encouraging anonymization and pseudonymization – Encouraging pseudonymization is critical as it creates technical barriers to uncontrolled data collection. Anonymization is effectively impossible for systems that gather personal data, but that’s a quibble.
  • #9b: inhibit sharing while still allowing traffic information – The principle here is encouraging the creation of systems that still give useful or important information without demanding an exchange of personal data.
  • #9c & e: inhibit driver tracking and identification – It’s vital to spell this out; this encourages privacy norms to be applied in public contexts (since driving occurs almost exclusively in public). It also leads to the creation of technical measures that can separate the work context and personal, off-duty context for people who drive for a living.
  • #9d: ensure privacy in authentication – This is a very specific recommendation that indicates the high level of technical awareness of the Commissioners who wrote the Resolution. The sensitivity of authentication and other identity management (IDM) functions is often too low down in the weeds to draw much discussion outside of the IDM community, so it’s heartening to see it here. In the future, I’d like to see the term ‘unlinkability’ used as it combines pseudonymity, data leakage from authentication, and the goals of context separation and reducing cross-correlation of personal data.
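As an added illustration of the pseudonymization and unlinkability points in #2 and #9c/e above (this is example code, not from the post or the Resolution): a vehicle tags each position beacon with a keyed pseudonym derived from its identifier. The constructed sample assumes HMAC-SHA256 over a hypothetical VIN with a demo key; an observer without the key can link a static pseudonym across the whole trip, whereas a pseudonym rotated per time epoch bounds what it can correlate to one epoch, while the key holder can still resolve its own records.

```python
import hmac
import hashlib
from collections import defaultdict

EPOCH_SECONDS = 300  # assumed pseudonym rotation interval (constructed value)


def static_pseudonym(vin: str, key: bytes) -> str:
    """One keyed pseudonym per vehicle: stable, hence linkable across a whole trip."""
    return hmac.new(key, vin.encode(), hashlib.sha256).hexdigest()[:16]


def rotating_pseudonym(vin: str, key: bytes, epoch: int) -> str:
    """Keyed pseudonym bound to a time epoch: changes every EPOCH_SECONDS."""
    return hmac.new(key, f"{vin}|{epoch}".encode(), hashlib.sha256).hexdigest()[:16]


def beacon(vin: str, t: int, lat: float, lon: float, key: bytes, rotate: bool) -> dict:
    """Build a position beacon as broadcast (v2v/v2x). Only the pseudonym leaves the car."""
    pid = rotating_pseudonym(vin, key, t // EPOCH_SECONDS) if rotate else static_pseudonym(vin, key)
    return {"id": pid, "t": t, "lat": lat, "lon": lon}


def link_tracks(beacons: list) -> dict:
    """What a roadside observer without the key can do: group beacons by pseudonym."""
    tracks = defaultdict(list)
    for b in beacons:
        tracks[b["id"]].append((b["t"], b["lat"], b["lon"]))
    return dict(tracks)


def longest_linkable_track(beacons: list) -> int:
    """Largest number of beacons the observer can attribute to one pseudonym."""
    return max(len(v) for v in link_tracks(beacons).values())


def owner_can_resolve(vin: str, key: bytes, b: dict) -> bool:
    """The key holder (the vehicle/its user) recognises its own beacon even after rotation."""
    return b["id"] in (static_pseudonym(vin, key),
                       rotating_pseudonym(vin, key, b["t"] // EPOCH_SECONDS))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key lives in the vehicle's secure storage
    trip = [(t, 51.0, 0.001 * t) for t in range(0, 1200, 100)]  # constructed 20-minute trip
    static = [beacon("VIN-DEMO-1", t, la, lo, key, rotate=False) for t, la, lo in trip]
    rotated = [beacon("VIN-DEMO-1", t, la, lo, key, rotate=True) for t, la, lo in trip]
    print("static pseudonym, longest linkable track:", longest_linkable_track(static))
    print("rotating pseudonym, longest linkable track:", longest_linkable_track(rotated))
```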

The full list of principles is:

  1. “give data subjects comprehensive information as to what data is collected and processed … for what purposes and by whom,
  2. utilize anonymization measures to minimize the amount of personal data, or to use pseudonymization when not feasible,
  3. keep personal data no longer than necessary in relation to the legitimate purpose for which they are processed, for further compatible purposes, or in accordance with law or with consent, and to delete them after this period,
  4. provide technical means to erase personal data when a vehicle is sold or returned to its owner,
  5. provide granular and easy to use privacy controls for vehicle users enabling them to, where appropriate, grant or withhold access to different data categories in vehicles,
  6. provide technical means for vehicle users to restrict the collection of data,
  7. provide secure data storage devices that put vehicle users in full control regarding the access to the data collected by their vehicles,
  8. provide technical measures for secure online-communication components that protect against cyber-attacks and prevent unauthorized access to and interception of personal data,
  9. develop and implement technologies for cooperative intelligent transportation systems in ways that
    1. prevent unauthorized access to and interception of personal data collected by vehicles (v2v), transportation infrastructure (v2i) or other third party’s entities (v2x),
    2. enable vehicle users to inhibit the sharing of positional and kinematic data while still receiving road hazard warnings,
    3. provide safeguards against unlawful tracking and tracing of drivers,
    4. ensure the security mechanisms of v2v, v2i and v2x communication during authentication processes do not pose additional risks to privacy and personal data and
    5. limit the possibility of illegitimate vehicle tracking and driver identification.
  10. respect the principles of privacy by default and privacy by design, by providing technical and organizational measures and procedures to ensure that the data subject’s privacy is respected, both when determining the means of the processing and when processing the data,
  11. develop privacy preserving technologies and architectures that favorably process personal data onboard,
  12. guarantee the self-learning algorithms needed for automated and connected cars are made transparent in their functionality and have been subject to prior assessment by an independent body in order to reduce the risk of discriminatory automated decisions,
  13. provide vehicle users with privacy-friendly driving modes with default settings,
  14. undertake data protection impact assessments for new, innovative or risky development or implementation of these technologies,
  15. promote the respect of the personal data privacy of vehicle users by responsible processing of their personal data, and giving due consideration to the potential harm that may be caused to the vehicle users as a result of the processing and use and
  16. enter into a dialogue with the data protection and privacy commissioners to develop compliance tools to accompany and provide legal certainty to connected vehicles’ related processing.”