Second-hand connected car data drama could be a GDPR minefield

Legal eagles drill into the issue with El Reg

What are the implications under GDPR of a previous owner retaining access to data and control of a connected car after it is sold on?

Although El Reg's initial story on the topic focused on the experience of two Jaguar Land Rover owners and the car maker's response, it has become clear this is an industry-wide issue and cars from BMW, Mercedes-Benz and Nissan are also affected. Previous owners still have access to data and controls even after the car has been sold on.

Connected cars have remote-control climate systems and doors, can call breakdown services, record destination details, and much more. This information is typically available through an online account and associated mobile apps.

Sellers are supposed to unbind themselves from this account and surrender access. The process should work like resetting an iPhone and clearing the data before a sale but in practice it's more like selling on a house but not turning over the keys, according to feedback from several Reg readers.

Car makers need a foolproof method to disconnect the original owner when the vehicle changes hands, but this is not happening. As revealed by numerous studies over recent years, data erasure is patchy when it comes to the sale of second-hand PCs and a comparable problem exists when we consider connected cars.

Multiple manufacturers and their respective telematic technology providers appear to be at fault one way or another. Focusing on the specifics of the Jaguar Land Rover case and its legal ramifications nonetheless allows us to draw out some general themes.

Airbag triggered

Shock Land Rover Discovery: Sellers could meddle with connected cars if not unbound


Risk management expert AJ Witt commented: "JLR are storing the new driver's data on their servers, and releasing it to the previous owner without the new driver's permission. [The] new driver hasn't provided consent. [It's] a pretty cut and dried GDPR breach."

Dai Davis, a solicitor at Percy Crow Davis & Co and an expert in data protection law, agreed that JLR was likely at fault under the EU's General Data Protection Regulation.

"Assuming that, as seems to be the case, (i) Jaguar Land Rover has access to the vehicle data after it has been sold by owner A to owner B and (ii) the vehicle data includes location data, Jaguar Land Rover will be in breach of the GDPR, at least in respect of all vehicles sold on or after 25th May. And technically each time it sells such a vehicle, that is a separate (civil) 'offence' under GDPR."

El Reg previously asked JLR about the GDPR implications of previous owners retaining access to the data and controls of sold cars and received the old "we take customer privacy very seriously" routine:

Customer confidentiality and the security and privacy of customer data is paramount to Jaguar Land Rover. We continually review our processes to identify further improvements to meet the security and privacy needs of our customers.

The recent Wirkschaftakademie case ruling in the Court of Justice of the EU may be relevant to thinking about the data collected by connected cars. This ruling expanded the "data controller" concept so that more organisations – even those only peripherally concerned with the processing of data – will be covered by data protection law.

"The ruling concerned a German educational services provider which operates a fan page on Facebook, but it will impact all organisations that have an influence over how personal data is processed, even if they do not primarily determine the purposes and means of the processing or have access to the data," as explained by

Car makers may have a case to answer even outside the rules of GDPR. Lilian Edwards, an IT law academic and self-confessed GDPR nerd, approached the issue from the perspective of contract law.

"To me this is mainly about contract," she told El Reg. "It's quite common in B2B to stipulate sub-contractors will do things; rather less so with consumers.

"Data protection protects the data of the previous owner – I'm not sure it adds much to the rights of the new owner. It could be argued that Jag as data controller have failed in security principle over personal data of the old owner. But they will point to [the] contract [an] old owner signed."

Edwards reasoned that the rights of a new owner might be infringed but this would fall under the scope of other regulations, rather than GDPR.

"Security of a new owner is clearly prejudiced but that's going to be a different law than GDPR – possibly tort, or sale of goods or laws specifically relating to cars/safety," she continued.

"In practical terms the problem Jag has is not having a fallback of remote deletion of data at the end of service contract where a private sale is not managed by their dealer and the old owner doesn't bother. Is it really so difficult to do that?" ®

Similar topics

Other stories you might like

  • What if ransomware evolved to hit IoT in the enterprise?
    Proof-of-concept lab work demos potential future threat

    Forescout researchers have demonstrated how ransomware could spread through an enterprise from vulnerable Internet-of-Things gear.

    The security firm's Vedere Labs team said it developed a proof-of-concept strain of this type of next-generation malware, which they called R4IoT. After gaining initial access via IoT devices, the malware moves laterally through the IT network, deploying ransomware and cryptocurrency miners while also exfiltrating data, before taking advantage of operational technology (OT) systems to potentially physically disrupt critical business operations, such as pipelines or manufacturing equipment.

    In other words: a complete albeit theoretical corporate nightmare.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading
  • Ubuntu releases Core 22: Its IoT and edge distro
    A tougher nut to crack than the regular flavor, some will find it very tasty

    Canonical's Linux distro for edge devices and the Internet of Things, Ubuntu Core 22, is out.

    This is the fourth release of Ubuntu Core, and as you might guess from the version number, it's based on the current Long Term Support release of Ubuntu, version 22.04.

    Ubuntu Core is quite a different product from normal Ubuntu, even the text-only Ubuntu Server. Core has no conventional package manager, just Snap, and the OS itself is built from Snap packages. Snap installations and updates are transactional: this means that either they succeed completely, or the OS automatically rolls them back, leaving no trace except an entry in a log file.

    Continue reading

Biting the hand that feeds IT © 1998–2022