Your car says EVERYTHING about you, but where does the data stored in it go?

Year after year, new vehicles inaugurate innovations in terms of technology that involve comfort, safety, entertainment, navigation, problem detection and other functions. And with that, your vehicle is increasingly customizable for you, but this is only possible thanks to data storage.

Have you ever wondered how much your car manufacturer knows about your life? Does it have access to the places you frequent, routine habits, driving profile, contact list, call history, among other information?

SEE ALSO:

• GM is accused of selling its customers’ data
• Do you know all the fluids present in your car?
• Data and AI system is the “heart” of Mercedes’ industrial operation

How does the connected car have access to your information? What data does it collect?

According to Flavio Sakai, Director of Electronics and Connectivity at the Brazilian Association of Automotive Engineering (AEA), the connected vehicle has different ways of accessing and storing driver data. This information can be collected through smartphone connectivity or by recording the driver’s activities inside the car.

A modern model can access and record data through:

• Bluetooth: is present in most of the simplest connected vehicles and gives access to the phone/contacts, call history – This data is linked to the cell phone, but is located somewhere in the system memory. They are usually not easily accessed.
• Android Auto/Apple CarPlay – in this case there is less data transfer, as it is a cell phone mirroring function, but as this tool has the option to operate through Bluetooth, the data may be stored. In general, it is safe, because when you get out of the car and you take your cell phone away, the information is not kept in the vehicle.
• GPS navigation data – on-board navigation information, such as addresses, navigation history, residence, work, etc. are stored if the driver uses the model’s native GPS.
• Other multimedia application data – storage of data such as purchase histories, places visited, and services used by applications residing in the vehicle’s system and operating without connectivity (typically those that store historical data that are not updated online).
• Facial or voice recognition – face and voice record that is used for different functions, especially aimed at safety, are recorded in the car.

Engineer Mithermayer Menabo, connectivity mentor at SAE BRASIL, also points out that cars with a higher level of connectivity can still store and use:

• Identification of the user/profile (login to the multimedia system);
• Appointment agenda;
• Personal preferences, such as seat position, air conditioning temperature, and favorite radio stations/playlists;
• Driving style (aggressiveness, acceleration, braking);
• Vehicle usage patterns;
• Operational and telemetry data, such as speed, acceleration, hard braking, driving and stopping time, fuel/energy consumption, mechanical status (failures, alerts, diagnostics) and safety events (collisions, ADAS, lane deviations);
• Environmental and external data, such as road conditions, traffic, and interactions with infrastructure.

The connectivity expert points out that the collection of information occurs through a distributed architecture that consists of the following main components:

• ECUs (Electronic Control Units), which control specific systems (engine, brake, comfort, etc.)
• TCU (Telematics Control Units), which are responsible for external communication (4G/5G/IoT)
• Infotainment System: User interface and integration with mobile devices
• Onboard sensors, such as GPS, accelerometers, cameras (ADAS/DSM), engine sensors, etc.

Usually the data flow happens as follows: a sensor captures the data, which in sequence is processed by the ECUs and TCUs and finally stored in a cloud of the automaker or other partner/contracted company.

Where does the data your vehicle collects about you go?

The data that is stored by vehicles usually remains in it. However, according to Flavio Sakai, a lot of information is also made available to the automaker, or even to telemetry platforms, insurance companies (when contracted for this) and linked mobile apps .

As cars have more connectivity, with 5G, for example, data is not usually stored in the car, but sent to a cloud of the manufacturer. This sharing enables various functions, such as predictive maintenance, OTA (Over-the-Air) updates, connected services (tracking, remote locking) and Usage Based Insurance (UBI) programs, highlights Mithermayer Menabo.

In this case of sending information to car manufacturers, Flavio Sakai highlights two scenarios:

Connected vehicles with a service contract between automaker and owner

In this case, at the time of purchase, the automaker already establishes by contract what data will be stored. They are:

• The user’s personal information, such as CPF, billing data, main addresses, among others.
• Geolocation histories, speeds, driving profile, vehicle maintenance conditions, etc.
• Call center call history, support request, concierge, and other similar services;

It is still possible for the automaker to have access to the history of purchases, meals and parking depending on the level of service or the business model between application developers, automaker and users.

Flavio Sakai points out that the storage of data by the connected car is a reduced and simplified version of the registration of information made by smartphones. The more services that are offered via apps, the more data is made available to the automaker and app developers.

In addition to automakers, insurance companies can also store through a tracker installed in the vehicle. That way, if you hire this type of service, which usually offers a high level of safety, concierge available for assistance and other benefits, the company will also have access to your driving profile, where you have been, if these places are safe, among other information.

Connected vehicles without service contracts with the automaker

When there is no signed contract for the provision of service and data processing, the information transmitted to the automaker is much smaller:

• Vehicle fault and performance data can be transmitted and anonymized for improved vehicle quality and performance
• No user data is used, only purely vehicle data

What does the LGPD say about this?

As described so far, connected vehicles can store the most varied types of information, including behavior profiles, habits, and routines. Therefore, automakers must follow Law No. 13,709/2018 – General Data Protection Law (LGPD).

This is because, according to Greycielle Amaral, a lawyer specializing in the LGPD, once there is processing of personal data , companies are required to clearly inform what data is collected, what it will be used for, and how it will be stored. Data processing happens when third parties have access to the information, which makes the Protection Law applicable, with several other obligations to be observed.

Any sharing of information from natural persons can only be carried out if it falls within one of the legal hypotheses of processing, which are common personal data (art. 7) and sensitive personal data (art. 11). For example: having access to the route of an owner and verifying that he frequents a certain address in front of a religious temple would allow us to infer his religion, which constitutes sensitive data.

Therefore, the expert lawyer states that owners have the right to know if their personal data is processed, stored and shared and must expressly consent to this. If the information is stored and shared without authorization, drivers can request revocation and other obligations provided for in the LGPD, such as requesting deletion, preventing sharing with third parties, and requesting corrections.

Privacy and Security Measures You Should Have with Your Connected Car

Currently, personal data is one of the most valuable assets for society and especially for companies, which work massively on this information. Therefore, Greycielle Amaral points out that it is very important to be aware of the real risks of leaks or unauthorized access, especially when they involve sensitive data, such as location, routines, and usage preferences.

This is because the misuse of data sets precedents for fraud, criminal actions with fake notifications and scams, in addition to the annoyance with unwanted advertising contacts. As such, all citizens should take care of their data and remain alert for companies that do not have a clear privacy policy or that do not allow you to access or delete their data.

When having a connected car, first of all, it is necessary to be aware of the purchase conditions when purchasing a vehicle. It is necessary to evaluate whether you want to sign a contract for the provision of services that provide various amenities, but involve the use of your data, such as Chevrolet OnStar, Toyota Connected Services, myHonda Connect, myGWM, among others. If you don’t want the automaker to store your information in a cloud, the ideal is to dispense with the service.

The ideal is also to always review telemetry permissions and keep the vehicle’s most current software when there is the possibility of making an update (OTA), as fixes avoid cyber vulnerabilities.

If the owner wants to be very cautious, he can prioritize the use of Android Auto or Apple CarPlay and not use the system’s native apps, nor leave accounts logged in. Thus, your data is mirrored in the vehicle and stored on a much smaller scale. Therefore, if the car is stolen, for example, the chance of someone accessing your information is very low.

Now, if you are planning to sell your vehicle or are using a rental car, don’t forget to delete all the data contained in it. You need to delete the phone from the multimedia menu and reset the system to the factory setting, which is usually available in the menu. This will erase user profiles, multimedia system data, and paired devices.

If there is also an automaker app on your cell phone linked to the vehicle, don’t forget to delete your account and car integration with smartphone. This is essential so that the next owner does not have access to your personal and routine information, which may even pose a risk to your security.

In addition, if the service agreement of the automaker, tracking company or insurance company has been terminated or canceled, demand that your information be deleted. Lawyer Greycielle Amaral also says that owners can request deletion, prevent sharing with third parties and request corrections.

The effective exercise of these rights depends on companies maintaining service channels for the holder functioning properly, which does not always occur in practice. When this channel proves to be ineffective or non-existent, the holder can appeal to the National Data Protection Authority (ANPD), the body responsible for monitoring compliance with the LGPD and receiving complaints.