Automobile safety is not just about crash safety anymore, unless that includes computer crashes.
The Department of Transportation has released guidelines for broadband-connected cars (highly automated vehicles, or HAVs) and the first sub-topics under "Safety Assessment" are "data recording and sharing" and related "privacy."
DOT cited the White House Consumer Privacy Bill of Rights and the Federal Trade Commission's privacy guidance in saying that it strongly believes in protecting privacy rights.
It may have to include the FCC in that list, since the commission is now responsible for overseeing broadband privacy. Given that DOT cites the FTC guidance, that would mean the department is not suggesting that consumers will have to affirmatively agree to have their information shared, only that they have choice in whether it is shared and how it is shared, and that the ability to share that information should be based on the sensitivity of the information and how it is being used.
DOT laid out the following guidelines on privacy, targeted at auto manufacturers:
Transparency: provide consumers with accessible, clear, meaningful data privacy and security notices/agreements which should incorporate the baseline protections outlined in the White House Consumer Privacy Bill of Rights and explain how entities collect, use, share, secure, audit, and destroy data generated by, or retrieved from, their vehicles."
Choice: "Offer vehicle owners choices regarding the collection, use, sharing, retention, and deconstruction of data, including geolocation, biometric, and driver behavior data that could be reasonably linkable to them personally (i.e., personal data).
c. Respect for Context: "Use data collected from production HAVs only in ways that are consistent with the purposes for which the data originally was collected (as explained in applicable data privacy notice/agreements);
d. Minimization, De-Identification and Retention: "Collect and retain only for as long as necessary the minimum amount of personal data required to achieve legitimate business purposes, and take steps to de-identify sensitive data where practical, in accordance with applicable data privacy notices/agreements and principles;
e. Data Security: "Implement measures to protect data that are commensurate with the harm that would result from loss or unauthorized disclosure of the data;
f. Integrity and Access: "Implement measures to maintain the accuracy of personal data and permit vehicle operators and owners to review and correct such information when it is collected in a way that directly or reasonably links the data to a specific vehicle or person;
g. Accountability: Take reasonable steps, through such activities as evaluation and auditing of privacy and data protections in its approach and practices, to ensure that the entities that collect or receive consumers’ data comply with applicable data privacy and security agreements/notices."
DOT plans to solicit comment on the guidelines and hold workshops, and says regulation could follow if necessary to govern the rollout of connected cars.
“As we move closer to a future of automated vehicles, regulators will need to oversee advancements in safety technology without hampering innovation,” said Senate Commerce Committee Chairman John Thune (R-S.D.). “This guidance report is an important step acknowledging the need for federal officials to collaborate effectively with manufacturers and state authorities to ensure we see the tremendous opportunities offered by these vehicles. As this collaborative process moves forward, I expect new needs for oversight and Congress’ role will come more clearly into focus.”