In-car communications systems can collect a broad range of information about your driving habits. What kind of information is being collected, and how is it being used? From the perspective of privacy, is there cause for concern?
Imagine you are doing some online research on car insurance, comparing quotes to see if you can save some money. You know that many companies offer discounts to customers with good driving records, and you search, “safe driver discounts.” You soon find a page on a major insurance company’s website which announces, “You’re a good driver. And with our Drive Safe & Save program, that actually gives you more control over how much you can save on your auto insurance.” As you read on, you realize that State Farm Insurance is offering a discount of up to 50% on auto insurance in exchange for the right to monitor your driving using your vehicle’s OnStar® or In-Drive communication system. In State Farm’s friendly words, “The safer you drive, the more you save. It’s that easy.”
In-car communications systems and privacy
Uncharted legal territory
You may wonder who regulates the collection and use of information from in-car communications systems. The simple answer is that no one is entirely sure. North American privacy laws are written to regulate specific domains such as health care, education, commercial transactions, or telecommunications. When a technology or service does not clearly fit in one of these categories, courts usually apply the most relevant legislation available. In Canada, privacy requirements in all domains are guided by the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information, a set of general principles which underlies Canadian privacy legislation.
There are only a few North American laws relevant to vehicle tracking. Some US laws require the tracking of vehicles carrying hazardous materials. Perhaps the only law that directly addresses privacy is a California law regulating the use of information gathered through “event data recorders” (also known as “black boxes”), which are required to be installed in vehicles in California. This law strictly limits the retrieval and use of this data, permitting access only by the vehicle owner or others permitted by the owner, by authorities in response to a court order, for the purpose of improving vehicle safety, or for servicing or repairing the vehicle. In practice, the data is often used by police to track stolen cars or suspects in criminal investigations. However, there are no Canadian laws concerning vehicle tracking.
Another possible source of relevant legislation is the field of mobile communications. Canadian Radio-television and Telecommunications Commission (CRTC) regulations are applicable, but provide little guidance with regard to privacy.
Core privacy principles
The most promising approach to determining privacy requirements in this scenario is to apply general privacy principles to the specific context of in-car communications systems. The ten privacy principles of the CSA Model Code underlie Canadian privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA). These principles apply to all commercial and institutional collection, use, and disclosure of personal information. There are two principles of the code that are especially relevant:
- Consent: “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.” (Principle 3)
- Limiting Use, Disclosure, and Retention: “Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.” (Principle 5)
In accordance with these principles, commercial service providers are obligated to inform customers of how they collect and use personal information and to whom they disclose it. Without consent, they cannot collect, use, or disclose such information, except as required by law. Further, customer information should not be retained beyond the end of the customer’s relationship with the service provider.
In the case of State Farm’s Drive Safe & Save program, drivers are consenting to be monitored. This is legal, though it is uncertain whether it would hold up in the event of a high-profile complaint. If Canada’s Information and Privacy Commissioner has not addressed this issue, it is probably because no one has complained or asked about the practice of tracking driving habits. Because privacy legislation tends to be complaint-driven, the risks of in-car communication systems capable of tracking people’s locations and driving behaviours may only receive government attention after a high-profile incident, such as an OnStar employee using location data from an in-car system to track his ex-spouse. One final thought: since existing privacy laws fall under civil rather than criminal law, companies may opt to break them if they think the advantage of doing so will exceed the damages they may have to pay.
Secondary uses of in-car system information
PIPEDA makes it clear that in-car communications providers must seek customer consent before sharing personal information with other companies or agencies. But what is and is not personal information? Most jurisdictions name specific identifiers that are always considered personal information, including names, dates of birth, health card numbers, and credit card numbers. Computer IP addresses are considered personal information in Canada and the EU. There is currently a lot of interest in establishing whether MAC (medium access control) wireless network addresses, which are used by wireless devices including smartphones and in-car communications systems, constitute personal information. More broadly, personal information is legally defined simply as information that can identify an individual, either alone or in combination with other available information. Alberta’s Health Information Act specifically defines identifiability: if information can reasonably be used to ascertain the identity of an individual, it is personal information. In the case of in-car tracking data, the definition of personal information would therefore extend beyond names, driver’s license numbers, and so on to include any data that could identify individuals. For example, someone with access to customer data could probably recognize a family member or close friend by the pattern of their most frequent locations and travel times.
It is not legal for companies to share customers’ personal information with third parties without consent. However, information from in-car communications systems could legally be used for secondary purposes if it is thoroughly de-identified – that is, if the information shared cannot be used to identify individuals. If in-car communications providers ever opt to sell information to retail companies or government agencies, they will need to ensure that the privacy risk of this data is very low. Where sensitive data such as demographics and location are involved, service providers should develop strong privacy risk measurement capabilities before sharing data with third parties.