Non-transparent handling of private data: Car manufacturers risk their customers’ trust

The study “Data protection in the automotive industry: high expectations, low trust” by Veritas investigated what consumers in Germany expect from car manufacturers when it comes to the protection and disclosure of their private data.

The results show that 86 percent of consumers expect car manufacturers to take appropriate measures to protect their personal data. Almost three quarters said they would consider switching car brands in the event of a leak or data breach involving their personal information.

A study published by the Mozilla Foundation in September revealed the extent to which 25 of the world’s leading car brands collect and share private and sometimes highly sensitive data. The report also showed that 17 of the 25 manufacturers examined had been affected by a data protection incident in the recent past. None of the brands were rated as satisfactory in the study when it comes to the protection and careful handling of private data.

Little trust in car manufacturers

However, 84% of consumers want clarity about where and how the data collected from their vehicle is stored. However, less than half (43%) believe that car manufacturers offer an easy way to delete their data directly in the vehicle or online. This contradicts the requirements of the General Data Protection Regulation (GDPR).

Ultimately, almost half of respondents do not trust car manufacturers when it comes to their private data. One in three even believe that car manufacturers do not comply with the GDPR – even though it applies to all companies and authorities on European soil.

When it comes to secure data storage, respondents are hardly any more confident. Only just over half believe that their private data is stored securely in their vehicles. If the data is stored in the cloud or on the manufacturer’s servers, consumers have just as little confidence. According to the Mozilla Foundation’s findings, there is every reason for this: the encryption of on-board data, a fundamental practice in the area of cyber security, could not be confirmed for any of the manufacturers surveyed. This raises doubts about their reliability.

Consumers only partially informed

The consumers surveyed appear to have limited awareness of the situation: Three out of four respondents state that they are aware of legitimate data collection, i.e. the storage of data required for the benefit of driver assistance systems. This includes information that can be used to improve vehicle development and on-board entertainment. By contrast, less than half are aware of the collection and storage of more sensitive data that is not of direct use to users. This includes, for example, geolocation, health data or private images.

When it comes to passing on and selling data, consumers are even shockingly ill-informed: Only 43 percent know that car manufacturers are allowed to share their private data with public institutions or law enforcement agencies. Just as many are aware of the fact that car manufacturers can also pass on or sell this data to other private companies.

Personal data is passed on

However, according to research by the Mozilla Foundation, “a surprisingly high 56 percent of car manufacturers say they can share data with the government or law enforcement agencies ‘on request’. This does not require a court order – a simple ‘informal request’ is sufficient.” Furthermore, “84 percent of car brands in the Mozilla Foundation test said they could share personal data – with service providers, data brokers and other companies about which we know little to nothing. Even worse, three quarters of brands say they can sell personal data.”