Seizing opportunities and managing risk in a connected world.
The automotive industry is experiencing a transformation with the rapid development and evolution of “connected cars,” which are altering not only the relationship between individuals and their cars, but also the relationship between, and among, auto industry stakeholders (original equipment manufacturers, telecom providers, hardware and software suppliers, and others) and their customers.
Legal privacy considerations
From a legal and business perspective, many of the core opportunities and risks in relation to the connected car are rooted in the fact that data collection and use will often involve “personal information” about individuals’ activities, characteristics and preferences. While this information can be extremely useful for marketing, research and development, and other purposes to generate revenue, it must be collected, used and disclosed with a view to privacy and related legal requirements and risks.
Unlike the United States, Canada has enacted a privacy statute of general application in the private sector, the Personal Information and Protection of Electronic Documents Act (PIPEDA), as well as substantially similar statutes that are applicable within British Columbia, Alberta and Quebec. All privacy laws in Canada regulate the collection, use and disclosure of personal information (i.e. information about identifiable individuals), including in the automotive sector.
Subject to limited exceptions, these laws generally require express or implied consent from individuals in respect of such activities. An organization must identify to a customer the purposes for which it is collecting the customer's personal information at or before the time of collection. Consent may be express or implied, depending on the sensitivity of the data and the obviousness of the necessity of its collection.
While the requirements of privacy laws typically can be met in a manner which permits business objectives to be achieved and even enhanced, presently, there are three main considerations in play regarding the application of privacy law in the context of the connected car: determining what information is “personal information,” determining appropriate purposes, and implementing adequate technical and other safeguards to protect information against unauthorized access, use and disclosure.
Under privacy laws, the term “personal information” is defined broadly, and includes any information about an identifiable individual. Identifiability is a key concept. Information will typically be considered “personal information” where there is a serious possibility that the information, either alone or in combination with other available information, could be linked to an identifiable individual.
This feature of privacy law is important because it permits organizations to engage in a wide variety of activities involving anonymized or de-identified data, usually without having to address the requirements of privacy laws. However, the question of identifiability is highly fact-specific, particularly in the context of the connected car, which may collect information about not only drivers, but also passengers and others, and can sometimes raise key questions.
For example, if an organization parses out a data set of personal information and de-identifies it solely for a particular marketing or other purpose, but technically could re-identify the individuals using other information, there will be a question about the extent to which privacy laws may still apply.
One of the overarching requirements of Canadian privacy laws is that organizations may collect, use and disclose personal information only for purposes that a reasonable person would consider appropriate. In other words, even if an individual consents to the activity, it may nonetheless be impermissible under privacy laws.
A number of regulatory and court findings have helped to shape an assessment of the appropriate purposes requirement. Although it is to be expected that practices in relation to connected cars will be compliant with this requirement when implemented in the appropriate manner, careful consideration must be given to the information being collected (particularly sensitive information), as well as the effectiveness, need and benefits for collecting the information, among other factors.
Safeguards and cybersecurity
Canadian privacy laws require organizations to implement reasonable physical, technical, administrative and other measures to protect personal information. These requirements have become a particular focus, including in the automotive sector, as a result of the increased prevalence of data breaches and cyberattacks in recent years.
Given the potential proliferation of the collection, use and disclosure of personal information in relation to the connected car, it is imperative that the industry and related partners take appropriate steps to prevent, detect, and respond to potential data security incidents.
In the area of safeguarding information, the legal and reputational risks are very real. In recent years, Canada has witnessed a tremendous increase in privacy-related litigation and class actions, not only in respect of data breaches and cyberattacks, but also for ordinary business practices involving personal information. With the potential for significant financial and other consequences, the case for strong safeguards and care regarding personal information has never been stronger.
In addition to implementing appropriate measures, organizations can also take steps to mitigate legal risks by, for example, carefully reviewing privacy policies and related disclosures to ensure that they do not contain any unnecessary “promises” regarding safeguarding. Such promises are not only not required to be made under privacy law, but may also create legal risk (for breach of contract) that may otherwise not be present in a given case.
The auto industry is at the cusp of transformative change through the evolution of the connected car. While core business and functionality will remain largely as they have been, the new and innovative features of connected cars can raise important privacy considerations. With privacy-related matters and risks taking on ever-increasing importance in commerce, including in the auto industry, the industry must address such issues with care and foresight.