Clifford Chance

As technologically sophisticated vehicles become more widespread, the collection, use and monetisation of data is attracting great commercial appetite – but also greater consumer concern. How should companies in Australia balance their privacy obligations with commercial opportunities? 

In September 2023, the Mozilla Foundation released its *Privacy Not Included report, which reviewed the US privacy policies of 25 prominent car brands. The report concluded that each brand collects more personal data than necessary and uses that information for reasons well beyond the operating of its vehicles, leading Mozilla to label cars as "the official worst category of products for privacy that we have ever reviewed".

As vehicles enter a new era of technological capability, increases in built-in sensors, microphones and cameras mean the ability to record and catalogue the actions of drivers is at an all-time high. The types of data car-makers can collect extend well beyond basic data to most information captured from within, and around, an individual's vehicle. This includes driving habits (speed, duration, frequency, location), voice command information, and sensitive data such as an individual's health diagnosis, genetic information and even sexual activity information (collected by certain manufacturers).

The broad scope of collectable data correlates with the growing commercial impetus to capitalise on data collection, often for targeted marketing purposes. Mozilla found that 84% of car brands share drivers' personal data with data brokers and other businesses, and that 76% were entitled to sell someone's personal data. A 2021 article by McKinsey projected that by 2030, about 95 percent of new vehicles sold globally will be connected (a jump of 45% from 2021), which will increase these figures. Unfortunately, high levels of connectivity can be associated with higher privacy risks, as the Mozilla report highlights.

As the automotive industry moves towards managing large amounts of sensitive data, companies must ensure that they are abiding by privacy regulations in relation to the collection and use of individual's data. In Australia, where the national privacy regime is currently undergoing significant change in response to major data breaches such as with Optus and Medibank, companies must also consider how their obligations and responsibilities may evolve in the near future.

Australia's Privacy Landscape

In Australia, the Privacy Act 1988 (Cth) is the principal statute regulating the collection, use, storage and disclosure of "personal information". The Act governs Australian Privacy Principles (APP) entities (which includes companies with over AUD $3 million annual turnover and foreign companies carrying on a business in Australia). Sophisticated automotive industry companies are likely to be treated as APP entities under the Act.

APP entities are required to adhere to the 13 Australian Privacy Principles, which are principles-based law scalable to the operations of each entity. In particular:

• APP 3.2 establishes that an organisation may only solicit and collect personal information that is reasonably necessary for one or more of its functions or activities; and
• APP 6 establishes that an APP entity that holds personal information about an individual can only use or disclose the information for a purpose for which it was collected (known as the "primary purpose") unless an exception applies. Several exceptions exist, however the most frequently used exception is where consent is given by the person from whom the information has been collected.

"Personal information" is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable (a) whether the information or opinion is true or not, and (b) whether the information or opinion is recorded in a material form or not. The precise scope of this definition depends on what is "reasonably identifiable" in each circumstance.

The breadth of information reported by Mozilla to be captured within the privacy policies of the 25 prominent car brands is significant, and the scope of what is "reasonably identifiable" will be informed by factors such as their data retention and anonymisation strategies. Car companies are not exempt from data breaches; in May 2023, Toyota disclosed that it had exposed more than 2.15 million customers' data to the open internet over a ten-year period due to a misconfigured cloud instance.

The examples captured above, and a significant proportion of the other types of data identified in the Mozilla report, would generally fall within the definition of "personal information". Organisations should carefully consider how their collection policies align with the "reasonably necessary" collection test set out in APP 3.2, as well as ensuring that consent has been sought in connection with APP 6 for any secondary uses of the collected data.

Proposed Privacy Changes

In February 2023, the Australian Attorney-General's Department released the Privacy Act Review Report proposing 116 changes to the existing Act. This included a proposal to clarify the scope of "personal information" by replacing "about" an individual with "relates to". This more clearly allows for technical and inferred information, such as IP addresses and device identifiers, to be included in the meaning of "personal information" (which were held to be out of scope in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4). This change would require APP entities to update their privacy policies and permissions to ensure that these additional aspects of "personal information" were properly acknowledged and requested. Failure to do so could place companies in breach of the revised Principles.

Importantly, the proposed changes require that consent be voluntary, informed, current, specific and unambiguous. The proposed changes also recommend the regulation of "targeting" (where information is collected, used or disclosed for tailoring services, content, ads or offers to individuals) which could have a direct impact on the monetisation of data collection in the automotive industry. In addition, a proposed direct right of action for individuals harmed by data privacy breaches to pursue remedies in the courts could create risk for companies who do not have robust protections and anonymisation practices in place and experience a data breach.

The proposed changes are being considered in circumstances where penalties for serious data breaches are now very significant (AUD50 million or more).

Conclusion

There is increasing awareness of the risks posed by in-vehicle data collection and sharing. Though data privacy has traditionally not been a factor in car purchases, the privacy policies and habits of car companies may begin to inform consumer choices as the breadth of data available through this forum is clarified. Companies should be aware of their obligations under the Act and how this may change in the near future. The cost of getting this wrong could be significant.