Data and Data Protection – Why the automotive industry needs to take notice
Cars – and the processes used to create them – now generate more data than ever before. This brings huge possibilities for the automotive sector, allowing manufacturers to utilise data for a vast array of purposes, not least to improve manufacturing processes and vehicle performance, reduce costs and enhance customer experiences.
However, utilising the power of data, regardless of how beneficial that may be for an organisation, raises a number of additional considerations that may not have traditionally been on the radar for the automotive sector. A brief overview of some of these issues is set out below.
The more data you hold – and the more valuable that data is – the more attractive your organisation is to threat actors. Cyber threats are an unavoidable consequence of participating in a digital ecosystem and organisations should take a “when”, not “if”, approach to their cyber risk planning.
This means employing not only up-to-date and appropriate technical measures to protect your organisation from attack (such as firewalls, multi-factor authentication, use of encryption, etc.) but also creating a culture of security awareness and governance. The most effective regimes are those which operate across all levels of an organisation, including tailored security training and cyber risk awareness programs for a broad range of roles, as well as company-wide policies and procedures.
If you haven’t already done so, it may be worthwhile considering whether a dedicated cyber insurance policy is required, providing coverage for cyber incidents and breaches of applicable privacy laws. However, as with all insurance policies, the exclusions should be checked carefully and it is unlikely that all losses will be recoverable.
Do privacy laws apply?
If any of the data your organisation collects or holds is capable of identifying an individual, privacy laws will apply. Some types of personal information (such as names, email addresses, etc.) are easy to identify as personal information and shouldn’t lead to any surprises. However, organisations shouldn’t be fooled into thinking that their privacy obligations end here.
A vast range of data collected from on-board computers, apps and websites is now capable of being considered personal information for the purpose of applicable privacy and data protection laws, including IP addresses, device identifiers and location data. In each case, whether or not an individual is identifiable from a particular data set depends on a range of factors, including the other data sets held and the resources of the organisation holding them.
The key takeaway is that the more data points you hold about an individual, the more likely it is that the data will be considered personal information. This is the case even where key identifiers such as name, address, etc. have been removed.
More information about the privacy and data protection laws applicable throughout the world can be found in DLA Piper’s Data Protection Laws of the World Handbook, available here.
Notifiable data breaches
If your organisation holds personal information, it should be aware of its obligations regarding notifiable data breaches. Some jurisdictions, including Australia, require the mandatory reporting of eligible data breaches to regulators and, in some cases, to the affected individuals themselves.
In some locations, the time scales within which breaches must be notified are short (for example, where the General Data Protection Regulation applies, relevant notifications should be made within 72 hours of becoming aware of the breach), so you should be aware of your obligations before a breach happens.
Complying with all applicable notification obligations is one aspect of a successful data breach response. More information about how DLA Piper can assist with data breach responses can be found here.
Supply chain issues
Like all commodities, data has a supply chain and where your organisation sits within that supply chain will determine how it can use and disclose data and what restrictions may need to be imposed.
It is increasingly common for contracts of all kinds to include terms relating to data, privacy and security. Whilst it can sometimes be difficult to negotiate changes to these clauses, especially with counterparties in highly regulated jurisdictions such as the UK, the EU and California, there are risks in accepting these obligations without further consideration.
For example, if you are sharing data with another entity, are there any legal or contractual restrictions which may prevent you from doing so (such as those imposed under applicable privacy laws or, if the data was disclosed to you by another party, any contractual terms imposed by that party)? Can the receiving entity use and share the data freely, or only for specific purposes? If you are receiving data from another organisation, are they entitled to share it with you for the purposes for which you want to use that data, and how is the risk allocated if this is not the case?
Law makers and regulators are struggling to keep up with the exponential rate of change to technology and, as such, this is one area of law where regulatory changes are always on the horizon.
As well as being aware of their current legal obligations regarding the use of data, all organisations within the automotive sector must constantly check for and adapt to relevant legal changes as and when they occur. For example:
- in Australia, a comprehensive review of the Privacy Act 1988 (Cth) is currently being undertaken by the Commonwealth Government and wholesale changes to the privacy regime are expected later this year;
- also in Australia, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 places new data security obligations on entities in a broad range of sectors which are considered to operate critical infrastructure, such as higher education and those involved in the manufacturing, distribution and supply of food. These requirements are not currently slated to apply to the automotive sector, but it is not a stretch to imagine that they will at some stage;
- the Cyberspace Administration of China (CAC) has published draft rules, called Several Provisions on the Safety Management of Automobile Data, which clarify new principles and rules that must be complied with when handling both personal information and important data generated by and in connection with the automobile industry (read more here);
- regulations regarding the use of connected devices (or “the internet of things”) are constantly evolving. The UK introduced the voluntary “Code of Practice for consumer IoT security” in 2018 and the Australian Government introduced a similar code in 2020; and
- the development of the European Strategy on Cooperative Intelligent Transport Systems (or C-ITS), first tabled in the EU in 2016, is ongoing, with a sub-group established in 2020 to support implementation of a pilot.
If you have any questions on this, or if you’d like to talk further about your approach to data protection with an automotive sector expert, please reach out to Sarah Birkett or Tim Lyons.