TMT focus
Zeina Albuainain Associate, Corporate Commercial
Data privacy and security are issues with all devices connected to the ever-expanding Internet of Things (IoT). Whilst data improves user experience across tech sectors, consideration must be given to the mechanisms put in place to control the collection and flow of personal information.
Connected and autonomous vehicles (“CAVs”) can interact with passengers, other drivers, pedestrians, and even the environment to generate tons of information. As such, a connected car is a massive data hub that can collect, store, and transmit information about the driver’s location, driving pattern, routine, mood, and habits.
Set out below are some of the potential risks of connected cars to consumer privacy in the Kingdom of Bahrain and common data privacy concerns that controllers of the data being processed from connected cars need to consider with reference to Bahrain’s main piece of data protection legislation, Law No. 30 of 2018 on the Personal Data Protection Law (“PDPL”).
According to research, connected cars can generate up to 25 gigabytes of data every hour. For autonomous cars, the use of sensors and cameras to enable self-driving (or semi-self-driving) functions means that vast amounts of data are being collected. A lot of this data which is generated from CAVs is connected to the user and qualifies as personal data as defined under the PDPL – i.e., information relating to an identified or identifiable individual.
The sheer volume of data generated and the complex data processing involved means that the data controller (i.e., the person(s) that determines the purpose and means of processing that takes place in the connected car) will need to consider the requirements under the PDPL for lawful processing. The controller may be required to provide users with clear, concise information on the collection of their data and how it is being used, and potentially need to obtain their informed consent.
The complexities involved in processing and utilising connected car data open up the possibility of excessive collection of data, increasing the risk of unauthorised access or misuse. In addition to this, it is not unheard of for companies to inadvertently use consumer data for other purposes than originally intended, or collect more data than required for its purposes, which is generally prohibited by law.
Below are some of the key considerations under the PDPL that controllers need to take into account when collecting / processing data from CAVs.
There are various data privacy concerns for controllers of vehicle data in Bahrain to consider. Set out below are some of the key considerations under the PDPL in this respect.
One of the key takeaways from the current data protection framework in Bahrain include the requirement to have a legal basis for processing personal data. This means that automobile manufacturers and other controllers of the data may not (inter alia) collect, share, store or transmit personal data generated by vehicles, unless there is a “lawful basis” to do so. In line with other data protection regimes, obtaining the data subject’s (i.e. user’s) informed consent would likely satisfy the requirement of needing to have a lawful basis.
However, in certain circumstances it may be the case that the vehicle owner is not adequately informed about the processing of his or her personal data which takes place through the vehicle (noting the large amounts of data being collected for different purposes), in which case the requirements under the PDPL for a valid consent would not be met. It is therefore important to carefully consider the ‘transparency requirements’ under the PDPL (as further discussed below) if consent is being relied upon.
The transparency requirements under the PDPL are comparable with what can be found in other data protection regimes. It is a legal requirement in Bahrain for data controllers to be transparent about the data they collect and how that data is used. Specifically, the PDPL mandates data controllers to furnish users with certain information, including details about the personal data being collected, the purpose(s) of collecting / processing the data, the names of the recipients of the data or their categories, and the rights that are available to users under the PDPL.
The law more generally requires that data subjects are provided with ‘any further information that is necessary, having regard to the specific circumstances, to ensure fair processing of data’ (Article 17).
It is not uncommon for modern cars to have dash cameras that capture the interior and/or exterior of the car, which can make adhering to the transparency requirements relatively challenging. Whilst controllers generally provide the required information to individuals with whom they interact (e.g. upon purchasing the vehicle), adhering to the transparency requirements is less straight forward with respect to individuals who may pass through an external camera’s field of view, considering that the relevant controller would typically not have a direct relationship with such individuals. These considerations would not be of relevance however where a user places a dash camera for personal use (such ‘personal use’ activities are exempt from the PDPL’s scope of application).
Modern vehicles feature sensors, cameras, GPS, and other technology that equip them to collect vast amounts of driver data. In this respect, it is important for the data controller to consider whether it is extracting more data from users than it requires. This may lead to the risk of (for example) sensitive personal data being collected that individual users would otherwise not reveal. Location data is particularly intrusive - regular destinations may draw accurate inferences about a person’s sensitive personal data (defined under the PDPL to include political affiliation and religious beliefs).
The PDPL generally requires that personal data is collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The PDPL also recognises the concept of ‘data minimisation’ under Article 3, which stipulates that processed personal data shall be adequate, relevant and not excessive in relation to the purpose for which it was collected (or further processed). Controllers therefore need to be cautious so as to not (for example) track location data except where it is absolutely necessary for the purpose of processing.
Every vehicle or device part of the IoT ecosystem is vulnerable to a measure of cyber risk. Security vulnerabilities in connected car systems carry a high risk of unlawful data access. One of the main consideration in this respect can be seen under Article (8) of the PDPL, which requires data controllers to implement appropriate technical and organisational measures to guarantee protection of data against (inter alia) accidental or unauthorised disclosure and access. The law further adds that in implementing such measures, data controllers must take into account the latest technological security measures, the associated cost, the nature of the data to be processed and the potential risks involved.
The data from connected cars can be valuable to automakers and other controllers, as it can foster a more efficient (and arguably even more secure) driving experience. However, as vehicles become more technology-driven, the more personal data is collected, and the more they risk generating data privacy issues. Automobile manufacturers targeting consumers in Bahrain need to ensure that any data collected and processed through connected cars is done in accordance with the PDPL.
For further information, please contact Andrew Fawcett and Zeina Albuainain.
Published June 2022