The Office of the Privacy Commissioner of Canada will soon be funding an arms-length project to develop a code of practice for connected cars, weighing a balance between information flow and privacy protection.
“The benefits available to Canadians through the arrival of connected and autonomous cars may be significant,” Privacy Commissioner of Canada Daniel Therrien said in remarks on Tuesday before the Senate Committee on Transportation and Communications. “However, consumers’ trust in these technologies will only take hold when the appropriate balance is reached between information flow and privacy protection is struck.”
Therrien’s appearance before the committee was related to a study on the regulatory and technical issues that affect the deployment of connected and automated vehicles. With regard to privacy challenges, the “potentially highly revealing data” generated by a connected car raises important questions, Therrien said, including:
In the face of the complex data flows involving many different players in the connected car ecosystem, we must ask ourselves who is ultimately accountable for what? More concretely, which company or public sector institution would the average driver contact when they have a privacy concern?;
When a person sells their car, or returns their rental, is there an easy mechanism to ensure that infotainment systems are thoroughly wiped such that no one has inappropriate access to information about them?; and
More fundamentally, how are collections, uses and disclosures of information being communicated to individuals, so that they have a real choice in providing consent or not to services that are not essential to the functioning of the car?
“On this last point, my office is currently examining potential enhancements to the consent process, to address many of the challenges raised by the flow of large amounts of data through complex ecosystems, as can be seen in the connected car industry and more broadly in the Internet of Things,” Therrien said in the remarks.
He added that he agrees with prior witnesses who spoke of the importance of “privacy by design, whereby companies should consider privacy from the outset, and from a whole organization perspective, when they design new technologies such as the connected car.”
Car makers do not have to go about this process alone, as there is benefit to stakeholders coming together to set appropriate standards to bring certainty to both industry and consumers, he said, adding that absent comprehensive legislation, automakers in the United States came together to develop and commit to a series of privacy principles similar to those found in the Personal Information Protection and Electronic Documents Act (PIPEDA). “To the extent that they can ensure compliance with – or even surpassing of – manufacturers’ obligations under PIPEDA, efforts such as these should be encouraged,” he said.
There are two primary streams of data in a connected car, the privacy commissioner pointed out: telematics and infotainment systems. The first involves sensors that capture a broad expanse of information about vehicle systems from which further information can be extrapolated about the vehicle’s driver, including how and where they drive. Infotainment systems, Therrien explained, are “conduits for information related to navigation, traffic, weather or entertainment, such as streaming audio.” These systems can be paired with a driver’s phone to enable hands-free communication, giving the system access to the user’s contact list, as well as incoming calls, text messages and emails.
“Modern cars are more than simply vehicles,” Therrien said. “They have become smartphones on wheels – mobile sensor networks, capable of gathering information about, and communicating with, their internal systems, other vehicles on the road and local infrastructure. This information is not strictly about the car; it can be associated with the car’s driver and occupants, and used to expose patterns or make inferences about those people for a number of purposes not all related to safe transportation.”
In conclusion, although there are challenges, the connected car and privacy protection are not inherently opposed, Therrien said in his remarks. “Done appropriately, Canadians will be more comfortable in adopting the benefits of connected and autonomous cars knowing that their privacy will be protected.”