12 Jan 23

"Make privacy a selling point"

GDPR, the EU's privacy regulation, has served as a catalyst for the global fleet industry to get their act together on privacy, says Andrea Amico. However, the founder and CEO of Privacy4Cars believes that fleets have a lot more work to do if they want to meet the regulatory mandates for data collected by the vehicles themselves. And auto companies should emulate the 'Apple model', making privacy a value proposition for their clients.

Why is privacy becoming more important for fleets? 

Andrea Amico: "Privacy is increasingly important, especially in Europe. GDPR (the General Data Protection Regulation - Ed.), which was issued around three and a half years ago, has driven significant changes in how businesses treat consumer data. What is different, is that cars tend to be forgotten - but that's changing. This is the result of two things:" 

"On the one hand, the industry has been reluctant to address how much data cars actually collect. So, the privacy aspect of cars has remained in the shadows, by purpose. The other thing is historical: many people still believe cars simply take you from A to B. A more accurate view is that cars take you from A to B and record everything in the process. A car is a giant network of computers, which is increasingly connected."

"This mindset is changing. People are starting to realise that where yesterday's cars were typewriters, today's vehicles are laptops. Hence the need to solve a host of privacy and security issues. This realisation has started to dawn on everyone, including fleets. So, this is a growing area of concern, from privacy and security to regulatory compliance, and being a good steward for your customers' interests. Yes, we see it as an increasingly important topic." 

Once you said GDPR is the best European export. Why is that? 

"What I meant is that GDPR spurred global changes in privacy. Now, around 130 countries around the world have strong regulations over privacy. Not only have other countries taken from the example of GDPR that it is possible to pass strong privacy laws, but the EU also requires all trading partners to offer information and have a process on how they collect private and personal information. It's not surprising that the first regulations in the Americas were in countries like Mexico and Panama, because these have huge trade relations with the EU. Similarly, Canada already had good privacy protections but is now further raising the bar."

"What is interesting to me is that even though privacy protections in Europe are much more strict in theory, European companies so far have been trailing their U.S. and Canadian peers when it comes to privacy protections, especially in automotive. But this is going to change quickly. It was easier to fly under the radar three years ago than it is today, and it's going to be much harder each year, given the growing number of cases that are appearing in front of the European courts." 

What are the cyber risks that fleets face? 

"First off, let me say that cyberattacks are a common reality for automotive companies. Connected vehicles operated by OEMs and telematics companies are regularly targeted for their data. In fact, according to auto cybersecurity company Upstream, data theft became a more common crime than car theft three years ago! There are always attacks and leaks, and people need to realise this!"

"We also have seen increasing cases of stalking, harassment, and in general consumers harmed by people who abuse, or misuse connected vehicle data and technologies. Beyond the accidents there is a broader theme of respect for the law. It is a sad reality that in Europe, most companies mistakenly believe that by just putting a disclaimer in the lease contract that they are not responsible for protecting the privacy of consumers, or that consumers are at fault if they sync their phones and leave their data behind. If you don’t know what we mean, just read the Terms of Service next time you rent a car."

"Let's be clear: that is not what the law says. GDPR and e-privacy require that the business – not the consumer – is responsible for having the previous users’ data removed before re-renting or re-selling the vehicle. Not doing so is a legal violation and a data breach. Readers should refer to the guidance specifically given on connected vehicles 1.5 years ago by the European Data Protection Board (EPDB) who said all the data must be removed. Even CARA stated, in its whitepaper on vehicle data, that as part of the remarketing process, vehicle owners shall 'depersonalise' cars before defleeting."

"Unfortunately, we have no evidence that this is currently being done, definitively not to scale, and definitively not with decent levels of compliance. Next time you rent a car or test-drive a vehicle for sale or go to an auction and see all the previous users' data, reflect on this: 4% of the global revenue of these companies is at risk of fines, not to mention their reputation and, in the case of public companies, potential misrepresentations of risks to investors. It is essential to point out the fact that closing these gaps is easy, and there's no reason to wait."

How do fleet managers approach the issue of privacy? 

"If I have to simplify, there are two problems fleets need to solve. Problem number one is that there is a lot of personal information of individuals stored in cars. In other words: fleet managers should think of cars like a giant hard drive. Secondly, especially for many fleet cars, data is not only stored on the local hard drive but is also sent to hundreds of databases through onboard telematics, which OEMs or after-market services could provide. What we recommend fleets is to first solve the first problem, because that is where regulators have directed their focus so far." 

"There are very strong precedents from many other consumer electronics (laptops, portable hard drives, phones etc.) on how to deal with consumer personal information left behind when a device exchanges hands. Because of laws and regulations (including GDPR and e-privacy), the de facto industry-accepted standard practice is that the business is responsible for and must delete all consumer data stored in the electronic device prior to reselling/refurbishing it. Privacy4Cars has helped hundreds of companies in North America solve this problem easily, to scale, and leaving behind detailed compliance records (also a regulatory requirement). We are starting now to do it in Europe and the rest of the world." 

"The second problem of “connected cars” and data privacy and security is much more complex; but we have already started to roll out solutions to address that second area of concern. Companies can reduce risk sometimes with simple actions such as modifying their policies on how they shall be dealing with the data and telematics. However, “disconnecting the connected car” is often far more complex than hiring lawyers and changing documents and policies. The change of ownership problem, and the consequent need to build reasonable protections for consumers, spans both privacy and security aspects that we have not seen either telematics companies or manufacturers appropriately address, let alone solve, for fleets, who are currently taking on significant risk and need protection."

How do you help companies set up a privacy programme? 

"We realise that GDPR and e-privacy involve huge pieces of regulation, and many companies have an anxiety about not knowing where to start. What we teach is to crawl first, then walk, then run. There are some low-hanging fruits and easier-to-solve problems. The first one is to make sure the data from the previous driver is removed prior to reselling the vehicle - not doing so is a data breach. For this, we have developed a software platform in the U.S. and Canada, and created a workflow to help businesses manage the deletion process efficiently, reliably, and measurably."

"We spent many years designing and engineering our solution, and we obtained multiple patents for our methodology. Fleets can try to delete consumer data just relying on the expertise of inspectors – but every time we benchmark one of these businesses, we see their results are poor: typically, more than half of the vehicles have data left behind. And their records are worse, providing little to no legal protection."

"In North America, we have built partnerships with auction, repossession, and inspection companies to help them solve their clients’ data protection problems. Once companies have a good handle on deleting data stored in vehicles, we enter an advisory phase, where we help fleets and other automotive businesses formulate policies that align with the law. And the last phase Is to help companies put their telematics under control."

"This is a very long to do list, but we help fleets manage one thing at a time, from the basic - for example, how to send notifications to employees driving those vehicles - to the complex - including how to manage consent and data sharing agreements throughout the life of an asset. Our philosophy is to always start small, think about the essential things to do that provide the most legal coverage and the best protection for consumers and drivers, and only then move on to a more complex phase." 

"We realize that tackling privacy and security of data collected by cars is a new challenge, but it's an unavoidable byproduct of the evolution in connectivity. Cars are capturing and storing more data, and fleet managers can no longer ignore the regulatory and reputational risk. They have to deal with this issue. Technology is bringing more safety, optimisation, and efficiency; and like all good things in life, there is a cost to it. That includes the responsibility and accountability that all connections and data are safe and secure."

Is privacy the new safety? 

"Companies - and their corporate lawyers - are likely to focus first on the hundreds of millions of euros at risk due to GDPR fines for not meeting the obligation to delete consumer data. The way I look at it is much broader: privacy indeed is the new safety. If you asked a dealer or a fleet manager that 30 years ago which is the safest car on their lot, no one could tell you. In fact, decades ago many companies made the mistake of underinvesting in safety. Because consumers were unable to assess it, they weren't shopping for it. The cost of poor safety was carried by consumers, who were getting harmed; and by insurance companies, who were settling a lot of claims."

"Then in the 1990s, insurers created safety ratings. Once safety became 'visible', consumers and fleets started preferring safer vehicles - to no one's surprise. Predictably, companies started competing on safety, investing heavily both in building safer cars and informing consumers about safety. Today, we see the benefits: consumers have benefited from safer cars, but so have the companies who have built brand and equity value by developing advanced safety features."

"Our prediction and mission at Privacy4Cars is that once the privacy of vehicles becomes more visible, consumers will shop for it. The winners will be the companies who are better at protecting consumer data and at communicating their actions – just like Apple does with their phones, which they sell at a premium. In other words, of course companies will care about compliance, but they should focus on how to make privacy and data security in vehicles a competitive advantage. If you're competing for fleet business and you focus on privacy and safety while your competitors do not, this is a significant advantage. We are already seeing this happen in the U.S., where fleet management companies are distinguishing themselves with the privacy and security-based services we help them enable." 

"Considering the automotive industry often refers to cars as 'smartphones on wheels', it never ceases to surprise me that so far no company has decided to follow the strategic positioning of Apple, which has made privacy a selling point. All auto companies, and not just OEMs, are hung up on trying to extract more and more data from unaware consumers – meanwhile Apple is the only smartphone company that has been able to gain enormous share, built a walled garden of services, and established premium prices essentially by positioning itself as the 'privacy protector' in a Wild West of data hoarders – and spending $2 billion every year to tell end users why they should choose Apple over its competitors because of privacy. We predict we will see, just like Volvo did for safety, a company shift to this positioning in the near future." 

What are your predictions for 2023? 

"I would make three predictions for 2023. Firstly, as we have already seen in North America, fleets and fleet management companies will start to debate toxic data left behind – and take action. Secondly, you will see regulatory action in Europe, specifically regarding geolocation. After smartphones, cars are the best geolocation trackers in the world. There's a big market for geolocation via cars, and you will see companies in this space sued, investigated, or fined this calendar year."

"The third prediction is that some companies will market privacy and security solutions as a selling point to consumers and/or fleets. Privacy and data protection are part of the “S” and the “G” in Environmental, Social, and Governance goals companies commit to. We expect that wise companies will understand how to take current regulatory obligations and turn them into value propositions for their customers, investors, and stakeholders." 

The main image is courtesy of Shutterstock. The in-article image shows Andrea Amico, founder and CEO of Privacy4Cars.

Authored by: Mufit Yilmaz Gokmen