Connected vehicles and privacy
Connected vehicles, such as a connected car, may collect and share data about you. On this page you can read which data this concerns, and which privacy risks are involved.
On this page
Connected vehicles collect personal data
Even if you have not entered your name in your connected vehicle, it is usually possible to find out that data are about you. This makes these data personal data.
Examples
The registration number or serial number can be used to find out who the owner of a car or a motor scooter is. Or who rented the vehicle.
Even if you borrow a car, location details, for example, may reveal who you are. For example, because the car is parked in front of your house every night and therefore your home address is known.
Data collected by connected vehicles
Connected vehicles may collect the following data about you:
- Location details: these are data about where you have been with your vehicle, the route to the location, and possible destinations.
- Data about driving behaviour: these are data such as how fast your car moves, accelerates, brakes, and makes turns. These data may be used for an investigation into your driving behaviour and for your insurance.
- Data about infotainment: these are data about your favourite radio stations, playlists and navigation settings, for example.
- Communication data: communication data may be collected, such as who has called you, messages, and what you did on the Internet. This particularly happens in vehicles with fixed infotainment systems.
- Vehicle data: data may be collected about the performance and operation of your vehicle. Such as motor performance, fuel consumption, tyre pressure, and the required maintenance.
The data collected may vary for each manufacturer, model and the functions of your vehicle.
Privacy risks of connected vehicles
Connected vehicles often also collect sensitive data about you. It is important that you can make your own choices with regard to the data that are collected. And that the data are protected properly, because it is easier for hackers to obtain access to data that lack proper protection.
If this happens, you may be tracked, your identity may be stolen, or you may be faced with other forms of crime. In addition, insurers may use the data when you do not expect this.
Privacy protection in the case of connected vehicles
Manufacturers of connected vehicles have an important responsibility when it comes to the protection of the personal data in connected vehicles. In short, manufacturers have to make vehicles that collect as few data as possible. Manufacturers also have to let users know which data are being collected. Read more about the requirements for manufacturers.
There are also things that you can do yourself to protect your privacy. Read what you can do if you:
Requirements for manufacturers
Manufacturers of connected vehicles are obliged to comply with laws such as the privacy law GDPR. This means that manufacturers:
- Have to design vehicles in such a way that they collect as few personal data as possible.
- Are allowed to use collected data only for purposes determined by them in advance. This means that manufacturers may not suddenly start using the data for something else.
- Are allowed to collect only data that are really necessary for those purposes. Manufacturers therefore have to set vehicles by default to collect necessary personal data only. This means that all systems have to be disabled, unless the manufacturer is obliged by law to enable a certain system. You, as the user of the vehicle, must be able to choose whether or not you want to enable a system.
- Have to secure the collected data thoroughly.
- Have to say clearly which data are collected, how those data are used, and with whom they are shared. You must have given consent for this.
For more information, see the EDPB guidelines on connected vehicles.
Choosing which systems you use
Systems that are not statutorily required must be disabled by default. In that case, you can choose for yourself if you want or do not want to use such a system. For example:
- Bluetooth. You may think it convenient if the system in the vehicle takes over the lists of contacts from your phone, but you will have to make an active choice for this.
- Navigation settings. It may come in handy to remember frequently visited locations or frequently driven routes. You will have make an active choice for this as well, because places that you visit frequently may also say a lot about your personal life.
- Manufacturer's app. Some vehicles offer you the option to log in to the vehicle with an account, through an app provided by the manufacturer. You can use your existing email address for this purpose. Be aware then that in doing so, you will enable your email provider to get to know even more about you. You can also use a separate email address for this purpose. For example, an address at a provider who guarantees that your data cannot be accessed from outside the EU.
When using these systems, it is advisable to find out with whom the vehicle may share these data. This may be just the manufacturer, but the manufacturer may also forward the data. Also bear in mind that the personal data of other persons, such as passengers, may be shared as well.
Be critical of manufacturers who share data with others. Do you, for example, agree to a manufacturer who shares driving data with an insurance company?
Giving and withdrawing consent
Some systems require your consent for collecting and exchanging your personal data. Did you give consent, but do you change your mind? Then you must be able to withdraw that consent at any time.
The manufacturer may indicate that certain functions of your vehicle no longer work properly if you withdraw your consent. In that case, the manufacturer must be able to explain clearly why those functions no longer work. Often, processing of personal data is not necessary for the normal operation of a vehicle. Unless the manufacturer has a statutory obligation to enable a system.
The withdrawal of consent does not affect statutorily required systems.
Your privacy rights in the case of connected vehicles
If an organisation uses your personal data, you have a number of privacy rights. For example: the right to information, the right of access, and the right to erasure of your personal data.
Do you want to know which personal data of you are collected and shared by the manufacturer of your connected vehicle? Then you can ask for access to your personal data. The manufacturer is obliged to respond properly to such a request. After this, you can also ask the manufacturer to erase your personal data, if you wish.