With an estimated 80% of cars being connected by 2016, the industry is experiencing an explosion in the amount of data that is generated and processed. It is heralding a new era of technological and business convergence involving OEMs, mobile network operators, insurers, software companies and fleet operators. Collecting, analysing and delivering services based on this data will be a key revenue stream.
Connectivity means that manufacturers have an unprecedented opportunity to engage directly with customers, enabling them to maintain brand awareness and promote maintenance and other service offerings.
Unsurprisingly, all this change is disrupting the traditional economics and R&D focus of the automotive industry as well as many of the legal principles and frameworks that have previously applied.
The question of who owns particular data is fundamental to the issue of how it is used and monetised. Most OEMs have publically stated that vehicle owners also own ‘most’ of the data generated. In order to use this data, OEMs therefore have to obtain consent and abide by relevant data protection legislation.
The current UK Data Protection regime is based on EU Directive passed in 1995. The Data Protection Act sets out standards for the processing and storage of personal data in eight basic principles, which are enforced by the Information Commissioner’s Office.
Data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept any longer than necessary
- Not transferred to countries without adequate protection
There are increasing concerns that some manufacturers are using their ability to ‘control’ vehicle data to bypass or ignore some of the existing data protection rules and that nothing is being done about this. Current data protection rules are insufficient to cover these issues, which is creating a ‘Wild West’ scenario in terms of data access and usage.
EU Data Protection Regulations
New EU data protection laws are due to be introduced this year as regulators seek to catch-up with the increased sharing and use of data created by the ‘Internet of Things’. Some of the key changes that are likely to be introduced include:
- Harmonised rules across all 28 member states. Unlike EU Directives, which can be implemented according to different national interpretations, the new rules will be binding on all member states and applied in the same way.
- Larger fines and sanctions for companies breaking the law. Data protection breaches will no longer just be a reputational issue…
- Collaborative data protection enforcement. A new supranational regulator and local data protection agencies will be able to collaborate in fighting against data abuses.
- The new regulations will address the issue of ‘cloud-based’ services where data is crossing national boundaries.
The issue of OEM data breaches will almost definitely need to be addressed at an EU-wide level. There is a feeling that the current lack of activity is probably due to complainants and regulators waiting for the extra powers that will be introduced under the new data protection regulations.
Access to vehicle data
Most lobbying work in this area is going on at an EU-level, through Leaseurope who are feeding into the work of AFCAR (Alliance for the Freedom of Car Repair).
They are calling for policymakers to enshrine the right of independent operators to obtain equal, open and standardised access to the same functionalities and data provided from in-vehicle telematics systems. Current regulations (Euro 5) provides this right for accessing information via the standard on-board diagnostics (OBD) connector, but this legislation applies to emissions and periodic testing (MOT) data, not to dynamic telematics information such as odometer readings or predictive service data, for example.
Going forward there are concerns about what information will be provided via the OBD port in future, because manufacturers have been complaining that some after-fit dongles have been causing problems.
Volvo have launched a car that no longer provides telematics information via the OBD port. A number of German manufacturers have said that they are willing to maintain independent, open access via the OBD port, but that this functionality will be switched off as soon as the car starts moving.
If telematics data is restricted to proprietary manufacturer systems, there are concerns about equal access, functionality, timeliness and the cost to access it.
The first opportunity to influence regulation in this area was the eCall legislation. Unfortunately, all they managed to obtain here was a brief and vague reference to the fact that the Commission must come up with an initiative within two years to resolve the issue of providing open, standardised access to online vehicle information.
The Directorate General for Mobility and Transport (DG Move) has set up a C-ITS (Co-operative Intelligent Transport Systems) group which has been mandated to agree a common platform during 2015. This would in effect be coming up with a baseline for the next type approval legislation.
Some OEMs are currently championing the Extended Vehicle Platform model, which would see them provide a cloud-based, virtual online platform that they claim would be more secure. However, there are concerns about the costs and the fact that this would give OEMs too much power in terms of what information was available and how and when it was provided.
AFCAR is arguing for a separate, interim solution that would see a third party providing a shared server that could be used by the OEM and the independent aftermarket. It would be standardised and have a low set-up cost. This would give all parties breathing space to come up with an acceptable, secure, open platform for the long term
Data safety and security
More and more mechanical systems are replaced by electronic ones and the car itself is being asked to take increasing responsibility for the passengers it contains. The electronics world works at a much faster pace than the traditional automotive development timeline, so OEMs face the problem of managing this change in an environment where any issues or bugs can have a catastrophic impact on their customers, and where they can be held liable.
One solution they are adopting is the ISO 26262 standard, which provides a repeatable, traceable, well-documented and safety-focussed process for developing new systems. By adopting this standard and ensuring their supply chain does, they can demonstrate that they are taking all possible steps – thus having a greater chance of avoiding any liability if things do go wrong.
BVRLA members would be advised to adopt the same standard if they are developing or commissioning their own connected vehicle or telematics systems.
BVRLA policy position
The BVRLA has been discussing the issue of vehicle and driver data with members and key stakeholders since 2013. It featured in both our 2014 Fleet Technology Congress and our Industry Conference and our position was outlined in our Fleet Industry Manifesto, which was presented to all the main UK parties ahead of the General Election:
- Vehicle owners and drivers should be in charge of how their data is used.
- The government needs to support the introduction of open, standardised and secure platforms to enable this to happen.
- These platforms need to enable a variety of businesses to develop services for vehicle drivers and owners, ensuring a fair and open aftermarket for vehicle data.
- The Information Commissioner should investigate the current rules regulating fleet and driver information with a view to improving consumer confidence by a further issuing of guidance.
- The government should consider whether the Commissioner’s existing powers are sufficient in safeguarding the above data protection rights, or whether additional powers should be awarded.
FIGIEFA - http://www.figiefa.eu/ecall-telematics/
This is the European federation for independent parts automotive parts suppliers. Their website includes lots of information about efforts to secure fair, standardised and open access to vehicle data.
ICO - https://ico.org.uk/
The Information Commissioner's Office is the UK body responsible for upholding information rights. Their website includes some useful contact information and guidance for businesses.