Emerging Data Privacy Regulation Brings OEMs and Consumers Closer Together Than Ever Before


May 23, 2018

Recent data breaches, hacks and misuse of personal data following the emergence of the connected car have increased public awareness of data privacy, and regulation is now beginning to form globally to protect consumers’ data privacy in the automotive industry. This article discusses automotive OEMs’ significant role in protecting consumers’ data privacy, and why the emerging robust regulation is actually good news for car makers around the world.

Connected cars are massive data generators by default: from engine performance to telematics, infotainment data, location, road conditions, and more, the connected car gathers data on the car, the driver, the ride itself, and its surroundings by design. After all, this is what enables the car to communicate with the Internet and IoT devices to improve our cars, our safety, and our experience. However, this reality has raised some major concerns in the automotive industry over the past few years:

  1. Who owns the data collected from the car?
  2. Is the data collected from the car considered personal data?
  3. Who is responsible for securing the data collected?
  4. Who has access to the data collected?

Regulation and public opinion calling the shots on who owns the data

The answers to those burning questions carry great significance, since they determine who is ultimately responsible for the proper gathering, sending, analyzing, storing, and securing of the data collected from the car, and who should be held responsible for any breaches, hacks or misuse of that data. Judging by the regulatory trends of recent years, especially in light of the upcoming GDPR, and by increasing public awareness of data privacy due to recent high-profile incidents (such as Uber’s major data breach, recurring incidents of remote car hacking, access to car owners’ data by previous owners, and so much more), it seems these questions have already been answered clearly by both legislators and consumers.

Legislation on data privacy in the automotive industry, such as the European Parliament’s Transport Committee’s call for EU regulation on access to car data, the US Senators’ SPY Car Act, the UK’s Department for Transport’s principles of vehicle cybersecurity for connected cars and automated vehicles, and Canada’s digital privacy law (PIPEDA), along with consumer campaigns such as My Car My Data, all indicate that lawmakers and consumers are coming together to generate a new, consumer-centric culture of data privacy in the connected-car era. From a legal perspective, studies suggest that all vehicle-generated data can be considered personal data. And as for the users, surveys show that 95% of them feel they need legislation to protect their data.

In light of this reality, where consumers are perceived as the owners of their car-generated data and want to be given control over who gets it, who is responsible for protecting that data? Based on recent regulation and public pressure, it seems OEMs are the “right guys” for the job, and although it carries heavy duties, this job might benefit carmakers more than they think.

OEMs are the new data gatekeepers, and it might be the best thing that ever happened to them

Carmakers have a significant incentive to make data privacy a top concern and to join legislators and consumers in calling for standardized data policies. As a vital component in the chain of handling personal information, they should be concerned about legal compliance more than ever. But putting legal ramifications aside, OEMs can also leverage their role and become the consumer’s most trusted ally in protecting their data.

Here are some of the benefits OEMs can reap from the emerging data regulation:

  • Boost customer relationships due to increased consumer trust
  • Avoid brand damage and maintain positive public relations due to fewer data breaches
  • Improve services thanks to ‘consumer consent’ based data
  • Lead greater market innovation and unleash new services due to standardized data sharing with high-quality after-market services

No wonder some of the biggest carmakers’ associations in the world are taking an active part in shaping the upcoming change

The European Automobile Manufacturers’ Association (ACEA), which represents the 15 Europe-based car, van, truck and bus makers, has established 5 key principles of data protection that were adopted by the European industry: transparency, customer choice, ‘privacy by design’, data security and the proportionate use of data. These principles might signify OEMs’ global role in shaping data privacy.

As Sebastian Zimmermann (Head of data services connected car, BMW Group) said himself, only through assigning clear responsibilities, adhering to customers’ consent to data sharing, and not allowing any unauthorized direct access to third parties, will OEMs be able to protect vehicle-generated data. In other words, OEMs are presented with a golden opportunity to provide protection and maintain customers’ trust more than ever before.

Giving OEMs the tools to leverage new data privacy regulations

In order for carmakers to embrace and leverage new data privacy standards, they need to implement robust security controls. In addition to complying with new legislation, OEMs should adopt a comprehensive, holistic approach to securing the connected car: one that is not focused on protecting the vehicle alone, but rather on preventing data breaches across the entire connected-car ecosystem. By collecting, combining, and analyzing data from multiple sources, OEMs can produce a comprehensive, intelligible view of the data, and monitor real-time data traffic to detect leakage and identify threats.

How Upstream Security can help OEMs protect data privacy

Upstream Security enables OEMs to protect and maintain their consumers’ data privacy by using Artificial Intelligence and Machine Learning technologies to analyze the data traffic across the entire connected-car ecosystem. By creating behavioral analyses of vehicle-generated data containing Personally Identifiable Information (PII), Upstream can identify if and where exactly any leakage of private information took place on the telematics channel.

To sum it up, consumers shouldn’t have to choose between using new technologies and protecting their privacy. OEMs can provide them with both by using Upstream’s proprietary cybersecurity technology.


Learn more about how Upstream protects connected vehicles and car fleets at upstream.auto.
