What are the implications under GDPR of a previous owner retaining access to data and control of a connected car after it is sold on?
Although El Reg's initial story on the topic focused on the experience of two Jaguar Land Rover owners and the car maker's response, it has become clear this is an industry-wide issue and cars from BMW, Mercedes-Benz and Nissan are also affected. Previous owners still have access to data and controls even after the car has been sold on.
Connected cars have remote-control climate systems and doors, can call breakdown services, record destination details, and much more. This information is typically available through an online account and associated mobile apps.
In this week's threat report: Used connected cars need disconnecting https://t.co/5qegGac4rr— NCSC UK (@NCSC) August 3, 2018
Sellers are supposed to unbind themselves from this account and surrender access. The process should work like resetting an iPhone and clearing the data before a sale but in practice it's more like selling on a house but not turning over the keys, according to feedback from several Reg readers.
Car makers need a foolproof method to disconnect the original owner when the vehicle changes hands, but this is not happening. As revealed by numerous studies over recent years, data erasure is patchy when it comes to the sale of second-hand PCs and a comparable problem exists when we consider connected cars.
Multiple manufacturers and their respective telematic technology providers appear to be at fault one way or another. Focusing on the specifics of the Jaguar Land Rover case and its legal ramifications nonetheless allows us to draw out some general themes.
Shock Land Rover Discovery: Sellers could meddle with connected cars if not unboundREAD MORE
Risk management expert AJ Witt commented: "JLR are storing the new driver's data on their servers, and releasing it to the previous owner without the new driver's permission. [The] new driver hasn't provided consent. [It's] a pretty cut and dried GDPR breach."
Dai Davis, a solicitor at Percy Crow Davis & Co and an expert in data protection law, agreed that JLR was likely at fault under the EU's General Data Protection Regulation.
"Assuming that, as seems to be the case, (i) Jaguar Land Rover has access to the vehicle data after it has been sold by owner A to owner B and (ii) the vehicle data includes location data, Jaguar Land Rover will be in breach of the GDPR, at least in respect of all vehicles sold on or after 25th May. And technically each time it sells such a vehicle, that is a separate (civil) 'offence' under GDPR."
El Reg previously asked JLR about the GDPR implications of previous owners retaining access to the data and controls of sold cars and received the old "we take customer privacy very seriously" routine:
Customer confidentiality and the security and privacy of customer data is paramount to Jaguar Land Rover. We continually review our processes to identify further improvements to meet the security and privacy needs of our customers.
The recent Wirkschaftakademie case ruling in the Court of Justice of the EU may be relevant to thinking about the data collected by connected cars. This ruling expanded the "data controller" concept so that more organisations – even those only peripherally concerned with the processing of data – will be covered by data protection law.
"The ruling concerned a German educational services provider which operates a fan page on Facebook, but it will impact all organisations that have an influence over how personal data is processed, even if they do not primarily determine the purposes and means of the processing or have access to the data," as explained by Out-Law.com.
Car makers may have a case to answer even outside the rules of GDPR. Lilian Edwards, an IT law academic and self-confessed GDPR nerd, approached the issue from the perspective of contract law.
"To me this is mainly about contract," she told El Reg. "It's quite common in B2B to stipulate sub-contractors will do things; rather less so with consumers.
"Data protection protects the data of the previous owner – I'm not sure it adds much to the rights of the new owner. It could be argued that Jag as data controller have failed in security principle over personal data of the old owner. But they will point to [the] contract [an] old owner signed."
Edwards reasoned that the rights of a new owner might be infringed but this would fall under the scope of other regulations, rather than GDPR.
"Security of a new owner is clearly prejudiced but that's going to be a different law than GDPR – possibly tort, or sale of goods or laws specifically relating to cars/safety," she continued.
"In practical terms the problem Jag has is not having a fallback of remote deletion of data at the end of service contract where a private sale is not managed by their dealer and the old owner doesn't bother. Is it really so difficult to do that?" ®