
Earlier this month, the Federal Chamber of Automotive Industries released figures showing 10,464 full battery electric vehicles (EVs) were sold in March this year, representing 9.5 percent of the total new vehicles delivered. In that time the Tesla Model Y was the third-biggest selling vehicle of any type in Australia and global consulting firm McKinsey has predicted that by 2030, 95 percent of cars will be connected, or “smart cars”.

The Electric Vehicle Council is advocating for a target of one million EVs on Australian roads by 2027. According to industry sales analysts VFACTS, there were 80,446 EV sales in Australia between January and November 2023, around 7300 per month.

This increasing popularity of electric vehicles, and connected vehicles more broadly, raises concerns over the computer systems used in the vehicles in terms of what data these systems are recording, storing and potentially sharing and, of course, who has access to that data. For example, between 2020 and 2022, Tesla was revealed to have been sharing footage from people’s private cars via internal staff emails for the purposes of their own entertainment.

The collection of all this data about our driving, including where and how often, and our in-car phone use builds a profile that could be gravely misused if passed on to third parties such as foreign governments, advertisers, and insurance companies.

Given the type of information that may be collected, there are valid questions about how this data is stored, used and protected. Data privacy concerns are not exclusive to EVs, but extend to all vehicles with internet-connected capabilities. In Australia, carmakers are required to adhere to the Australian Privacy Principles (APP) and the Privacy Act to ensure appropriate practices with respect to data handling, consent, access, and security.

The case for urgent reform 

Dr Katharine Kemp, Associate Professor in the Faculty of Law & Justice, and Deputy Director, Allens Hub for Technology, Law & Innovation, at UNSW Sydney, has made a case for urgent reforms to Australian privacy laws that address loopholes in privacy regulation for car manufacturers. This is based on US research that indicated 25 popular car brands had collected customer data (facial expressions, sexual activity, seat belt use, infotainment settings, destinations and routes used, voice data and phone contacts, speed, location and footage of car users outside their cars).

Dr Kemp warns that aside from data drivers and passengers enter directly into the car’s infotainment system, many cars can collect data in the background via cameras, microphones, sensors, and connected phones and apps.

She is leading an ongoing project on privacy in connected motor vehicles, with major findings expected to be announced late this year.

Dr Kemp says, “Our research so far indicates that Australia’s privacy laws aren’t up to the job of protecting the vast array of personal information collected and shared by car companies – especially with the transmission of data in real time from connected cars. Our laws don’t even ensure that Australian consumers have enough information to make the decisions they want to make about privacy in their cars.”

She believes the protections provided by Australia’s privacy law are well behind those provided by the EU’s General Data Protection Regulation and the likes of the California Consumer Privacy Act.

“One of the hurdles in this research – and for consumers trying to protect their data – is that Australian privacy law doesn’t require such specific disclosures about what data is collected and who it’s being shared with as you’ll find in California, say. It means we’re really lacking transparency on how we’re being tracked and profiled, and it appears there are car companies taking advantage of that,” she says.

Dr Kemp is not going to name brands when it comes to comparative levels of intrusiveness but says “we’re presently judging the intrusiveness of motor vehicle manufacturers’ data practices based on their privacy policies and collection notices, and assuming the data traffic matches those. But based on privacy terms for connected services in cars, most major car companies’ data practices are concerning.”

She adds, “Australian privacy law [Privacy Act 1988 (Privacy Act)] says a company is allowed to share personal information if they reasonably believe that the disclosure is reasonably necessary for one or more enforcement related activities conducted by an enforcement body. But, certainly there are privacy policies that stray from that formula and seem to claim a broader discretion for the car company to hand your data over to law enforcement.”



Data can be shared with few protections

The US research revealed that data collected from people’s cars was being sold to data brokers and provided to third parties for marketing and targeted advertising. In Australia, privacy laws don’t require that the provision of this data to third parties be disclosed. Car brands typically have separate privacy policies for Australia from those for the US or elsewhere because of our lack of definitive requirements around disclosure. The UNSW expert found car brands can use data to profile their customers, and provide the data to third parties for marketing. Some have the ability to disclose data to law enforcement or government when laws do not require it, such as when car manufacturers deem it “reasonably necessary” to disclose information to “assist a law enforcement agency”.

The European Union introduced the General Data Protection Regulation (GDPR) in 2014, the UAE introduced Federal Law No. 15 of 2020 on Consumer Protection, and California introduced the California Consumer Privacy Act (CCPA) in 2018. A single breach of the GDPR may attract a fine of up to the greater of €20m or 4 per cent of the company’s annual global turnover.

Australia is sorely lacking in legislation that is as comprehensive. Following the Federal Government’s review of the Privacy Act 1988 (Cth), involving an inquiry by the Australian Consumer and Competition Commission into the effects of digital platforms, the Privacy Act Review Report raised multiple areas of risk. The increasing freedom of business, media and public service collection and storage of people’s information enhances the risk of serious privacy breaches, as we’ve seen with recent Optus and Medibank system hacks.

Internationally, a number of non-binding guidelines can direct the cybersecurity and data protection approach of EV companies. One comprehensive guide is the EU Agency for Cybersecurity’s ‘Good Practices for IoT and Smart Infrastructures Tool’, which details security measures on various smart infrastructures, including smart cars. The interactive guide addresses how computerised systems in connected vehicles can optimise data security, its communication via networks, interactions with other devices, and the security aspects of software used by drivers.

Majority of EV brands fail the privacy test

The non-profit US organisation Mozilla Foundation operates an online buyer’s guide called *Privacy Not Included, which thoroughly researches products to ascertain how user data is collected, stored and accessed.

In September last year, three of its researchers published an article titled “Cars Are the Worst Product Category We Have Ever Reviewed for Privacy”. Of the 25 brands of electric vehicles they investigated, they all collected more personal data than necessary to function and used that information for no purpose related to the function of the vehicle.

From the phone-based app, which can access third party apps such as Google Maps and radio apps, the car brands can build a consumer picture of every user, knowing their regular driving routes, favourite music, when they order food or which destinations they visit. The Foundation also found the majority share users’ personal data with other businesses, and 19 out of 25 brands have the choice to sell users’ personal data. More than half (56 per cent) admitted they can share users’ information with government and law enforcement if requested – not by a court order either, but purely an informal request, making it difficult to track how frequently this may be occurring. Only two brands enabled users to request that their data be deleted (Renault and Dacia, owned by the same parent company).

Beyond the structural freedoms these companies have to collect personal information, and share it somewhat indiscriminately, there have been significant breaches of user security in recent years. These include Volkswagen (and associated company Audi) suffering a data breach affecting 3.3 million users. Toyota leaked data of 2.2 million users over 10 years between 2013 and 2023, and in June 2022 Mercedes-Benz disclosed a data leak on the part of a third-party vendor that exposed the personal information of up to 1.6 million prospective and actual customers, including names, street addresses, email addresses, and phone numbers.

Mozilla Foundation researchers told LSJ, “California’s Consumer Privacy Act likely offers the best privacy protections. We’d like to see the principles behind this law be adopted at the federal level.”

In February, the White House announced the US Commerce Department was opening an investigation into the potential national security risks posed by Chinese EV imports, and specifically the connected car technology. Owing to the “large amounts of sensitive data” EV vehicles collect, including through cameras and sensors that “record detailed information on U.S. infrastructure,” the White House said it may impose restrictions on imports, including autonomous vehicles. In a statement, Joe Biden said, “China’s policies could flood our market with its vehicles, posing risks to our national security. I’m not going to let that happen on my watch.” The swift rebuke from China via ministry spokesperson Mao Ning urged the US to “respect the laws of the market economy and principles of fair competition, stop overstretching the concept of national security, [and] stop its discriminatory suppression of Chinese companies”.

Buyers (and passengers) beware

In 2016, the Fédération Internationale de l’Automobile (FIA) ran a campaign across Europe, called My Car My Data, which invited response from citizens on the increasing privacy intrusion posed by connected vehicles. Despite overwhelming embrace of data to enhance the driving experience, there was an equal importance placed by the public on the need for auto companies to comply with personal data protection legislation.

The protection of personal data has to be fundamental to the product design phase, to continue to merit the confidence of drivers, passengers and policymakers, especially as the development of these in-car technologies speeds up.

As the federal, state and territory governments of Australia collectively champion greater uptake of electric vehicles, and connected vehicles are the standard modern model, a review of privacy and security shortfalls in legislation is inevitable.

So for now, buyer be warned. The Committee inquiry into the transition to electric vehicles began on 18 January 2024 following a referral from the Minister for Climate Change and Energy, Chris Bowen. Submissions closed on March 22, with findings expected later in the year.