On the download: How car dealers could be stealing your data
Published
Personal data is supposed to be private, but dealers and insurers have been accused of downloading it from cars without permission
What Mario Bonfanti thought was simply an annoying emissions problem with his Range Rover Evoque has spiralled into a data protection issue that should concern every motorist who pairs their phone with their car. The 26-year-old energy advisor took delivery of his new Evoque in September 2018, but by February 2020 it had suffered four breakdowns related to its diesel particulate filter, a problem common to Land Rover models and recently highlighted by Autocar.
Frustrated by his car’s poor reliability, Bonfanti approached Rejectmycar.com, a firm that helps motorists in dispute with dealers and finance companies. According to Bonfanti, it was revealed during court proceedings that Park’s Land Rover Ayr, the dealership that sold him the Evoque, had downloaded all the electronic data stored in it. The aim of Park’s had been to examine the session file created at the time the vehicle broke down and which would establish how the Evoque was being driven. However, the global download it is alleged to have performed harvested data not only from the vehicle’s ECU but also from the memory in its multimedia system. As Bonfanti’s phone was directly synced, or shared, with the car, this data included his phone ID and serial numbers, his contacts and his messages.
Ian Ferguson of Rejectmycar.com claims Park’s Land Rover Ayr downloaded the Evoque’s data without his or his client’s permission, so breaking the terms of the Data Protection Act 2018. On the face of it, its actions may seem harmless: an innocent act by a garage trying to repair a car. Except that with up to 100 people working in a typical large dealership, collecting, processing and storing data is, says Ferguson, a job that must be performed responsibly and with respect for the law if customers’ privacy is to be safeguarded.
Examples where it hasn’t been include the Scottish Premiership footballer whose phone contacts were taken from his car’s memory and shared with others when the vehicle was at a dealer for routine servicing, and a lawyer who, while their car was also in a workshop, had their destination data harvested – data including the addresses of clients on witness protection programmes. Neither of these cases relates to Park’s Motor Group.
“My firm alone represents 24 people who claim their vehicle data was accessed without permission by car dealers,” says Ferguson. “Based on this, I would guess that each day, hundreds of motorists are unwittingly making their data available to car dealers. Who knows where it ends up?”
The Evoque is now back, unrepaired, on Bonfanti’s drive, where it has been since March last year, while he awaits the outcome of his claim relating to illegal data access and his rejection of his car under the terms of the Consumer Rights Act 2015. Park’s Land Rover Ayr did not respond to Autocar’s requests for comment.
Dealers aren’t the only motor businesses accused of taking data without permission. Ross Hadfield is an independent motor engineer who helps establish the cause of accidents. He claims some major investigation companies routinely download the data stored by a vehicle without the owner’s say-so. “Despite a car’s ECU being classed as a ‘terminal unit’, and so requiring the owner’s permission to access the data within, many vehicle assessors working for insurers download the data anyway,” says Hadfield. “I’ve experience of insurers using such data to reject claims unfairly.”
Depending on the type of download, in addition to the electronic data recording (EDR) that insurers are seeking and which contains data relating to aspects of the car’s performance, including ABS activation, steering angle and throttle position, personal data is also captured. “I reckon up to 5000 cars a week have their data downloaded in bodyshops alone,” says Hadfield. “That’s a lot of phone numbers and other personal information that goes who knows where?”
A spokesperson for the Association of British Insurers said: “We are not aware of this practice taking place and insurers should, of course, always comply with relevant data protection legislation.”
The Information Commissioner’s Office, the agency that oversees the Data Protection Act, the scope of which extends beyond the EU’s General Data Protection Regulation (GDPR), says it’s not aware of data issues affecting the motor industry. A spokesperson told Autocar: “It’s not an issue we’ve seen specifically from the motor industry. However, all organisations need to be clear and transparent when collecting personal data.”
The ICO may not recognise there’s an issue, but the European Data Protection Board, the organisation that ensures the consistent application of data protection rules throughout Europe, is sufficiently concerned about data protection within the motor industry that in January last year it published a 30-page guidance document on the subject. In addition to declaring all vehicle data, including data generated by the car, to be personal, in that it is directly relatable to an individual through the vehicle’s VIN number, it reminds businesses that where they take data, their reasons for doing so must be “specified, explicit and legitimate”. It continues: “Prior to the processing of personal data, the data subject (the vehicle driver or owner) shall be informed of the purpose of processing, the data recipients, the length of time the data will be stored and the subject’s rights under the GDPR.”
This will be news to Bonfanti, whose data, he alleges, was downloaded from his Evoque by Park’s Land Rover Ayr 15 days before it sought his permission. “I was more worried for my family than for me,” he says. “Some of my older relatives, especially, are private and cautious people who would be concerned about the possibility of their personal information being shared. If something were to happen to them or any member of my family as a consequence, I’d feel responsible.”
*Who's responsible?*
In 2017, Privacy International rented a selection of cars from major hire companies and found that all of them contained the personal details of previous renters and the locations they had visited. When challenged, the rental companies couldn’t agree whose responsibility – hirer or hiree – it was to delete the information.
More recently, a survey by Which? last year found that four in five people who had sold their car had failed to clear its infotainment memory containing personal data. Half of them had synced their phone to their car. Unlike systems including MirrorLink, Apple CarPlay and Android Auto, this connection method enables phone data to be stored in the car’s memory. Exactly how much depends on the system. Some have a memory in the Bluetooth module that is erased each time the phone is disconnected. Well, almost erased – the location address of the data is erased but not the data itself.
Sue Robinson, chief executive of the National Franchised Dealers Association, said: “Members must at all times comply with data protection regulations, including the General Data Protection Regulation. All vehicles sold through dealers must have all personal data removed from on-board computers and other devices that contain such information.”
*READ MORE*
*Covid guidance: Car dealers can offer test drives during lockdown *
*New moves: How dealers are trying to stimulate car sales *
*The man who saves buyers from tricky car dealers*