Modern vehicles are essentially computers on wheels. Everyone has heard some variation of this statement by now. However, not everyone fully appreciates how true it is. There is very nearly nothing a new vehicle does that isn’t controlled, monitored, or logged by a computer somewhere inside it.
Every time a computer sends a control signal or logs the position of a switch or valve, the car generates a data point. A two minute drive to the store can generate thousands of data points. The good news is that, with access to the relevant data stream, a new vehicle can be better understood, better maintained, and better managed than ever before. Telematics is the technology through which this data is extracted, analyzed and presented to vehicle owners.
If you are a fleet owner engaged in vehicle tracking, the answer to the question in the headline, “who owns vehicle data?” probably seems obvious: “My car, my data!” Nearly all European drivers (approximately 90%) agree with you.1 North American surveys would likely yield similar results; so it will probably come as a surprise to find out that a few people have a very different opinion.
Different Opinions on Vehicle Data Ownership
Recently, the law firm Pinsent Masons had this to say when discussing data generated in the current crop of vehicles:
“The data owner, probably the vehicle manufacturer, will not necessarily want to share the data, or at least will want to charge for its use.”2
The European Association of Automobile Manufacturers recently published a position paper that discusses their desire to be able to charge for access to the data generated by the vehicle. The paper argues that the OEMs should be the data guardians and be able to impose a regime of, “No Data Access without Compensation.”3 At least in Europe, there appear to be some OEMs ready to assert ownership and control over the data generated by all the vehicles they sell.
Who’s right, the OEM association or the fleet owners? It’s probably too soon to say where the law will ultimately come down, but we can look at a similar bit of technology that most of us don’t even know is present in our vehicles as an analogy to telematics.
Black Boxes for Cars
Everyone knows about the famous “black boxes” on airplanes that record all manner of information about the aircraft. They have repeatedly proved to be invaluable to crash investigators and have led to major improvements in aircraft safety. It turns out that most passenger cars in North America have similar devices, called Event Data Recorders, or EDRs.
EDRs were first introduced by OEMs to monitor airbag deployment, but have gradually evolved into more “black box” like devices meant to preserve information about vehicle functions around the time of a crash (an “event”). Today they are mandatory in all new vehicles sold in the United States and are used to record data like speed, acceleration, braking and seat belt status, as well as airbag information, just before and just after a crash. Like the case of aircraft, this information has been used to help reconstruct accidents and make vehicles safer.
Who owns the data recorded by EDRs? Over the previous decade or so, several States passed laws that defined ownership rights in the data recorded by EDRs. Most recently, the US Congress passed the Driver Privacy Act of 2015,4 which says:
“Any data retained by an event data recorder… is the property of the owner or, in the case of a leased vehicle, the lessee of the motor vehicle…”5
In Europe, EDRs are not mandatory, but are coming into more common use. However, a lack of legal rules has left the ownership question less clear. Nevertheless, a report for the European Commission in 2014 concludes that the most likely owner of the data is the vehicle owner.6
Analogy to Telematics
The analogy between EDR data and vehicle data gathered by telematics devices, although not perfect, is nevertheless very close and should be used to inform our opinion regarding the ownership of vehicle data. To the degree that they are similar, the data should probably be treated the same, while to the degree that they are different we should take a minute to think through who is best positioned to claim ownership of the data.
Points to keep in mind:
- Telematics devices record most of the same data as EDRs, such as speed, acceleration and braking, although sampling rates are not always the same.
- Telematics devices record other data as well, including vehicle location, engine codes and fuel consumption.
- EDRs record only data surrounding a crash while telematics devices record data more or less continuously.
- In both cases data is generated by a vehicle manufactured by one party, but owned and operated by another.
- Data saves lives. EDR data helps reconstruct crashes and leads to better designs going forward. Telematics data can be used for this too, but also to find accident prone corners, correct bad driving habits by providing real-time feedback, spot upcoming vehicle problems so they don’t occur while moving, improve fuel economy and routing efficiency and much else.
- Privacy is an issue in both cases, but likely matters more for telematics since there is more data (including GPS location data) and recording is continuous.
- EDRs are only accessible via directly plugging into the box while telematics devices provide wireless access a vehicle’s systems leading to greater security concerns.
Conclusion on Vehicle Data Ownership
What conclusion can we draw about who owns telematics data? The concerns seem to fall into at least three categories. On balance, it seems that the vehicle owner has the best case.
The potential security concerns probably shouldn’t influence our judgment either way. To the degree that security can be addressed, this tells us nothing about who ought to own the data, just that the owner will be able to trust that the data is secure and the vehicle will not be compromised. To the degree that security cannot be addressed, the owner may be irrelevant. If the data security cannot meet some minimum threshold, or data gathering cannot be done without exposing the vehicle to excessive risk of intrusion, it may not be worth gathering the data in the first place.
Suggested Reading: 15 Security Recommendations for Building a Telematics Platform Resilient to Cyber Threats
The privacy issues that could come up probably lean towards vehicle owners and/or vehicle drivers being the data owners. There are many privacy laws that restrict the use of data that pertains to an identifiable person. One of the easiest ways to ensure that data is used only for allowable purposes is to assign ownership of the data to the person concerned and require that person to give consent to anyone else that wants access to it.
Nature of the Data
EDRs and telematics don’t line up perfectly, but they are close enough to make a useful comparison. In many ways a telematics device is like a more capable EDR that is always on, albeit one that isn’t necessarily going to survive a crash. The similarities in the data recorded probably lean towards vehicle owners being the data owners: telematics data is, first and foremost, data about a particular vehicle. It’s hard to see anyone other than the vehicle owner with a stronger interest in this information.
“Who owns the data?” is a question that comes up almost everywhere in our connected world and the argument in most areas is just beginning. When it comes to sorting out who owns telematics data, we’ve made a good start, but the debate is far from over.
For further discussion on the legal, economic and public policy implications of open cars, please see the article: “Open Cars” by Lothar Determann and Bruce Perens.
- According to surveys, 90% of European drivers believe that vehicle data belong to the vehice owner or driver.
- Pinsent Masons, “Connected and Autonomous Vehicles: The emerging legal challenges,” Apr. 2016, pp.15.
- European Automobile Manufacturers’ Association — ACEA, “ACEA Strategy Paper on Connectivity,” Apr. 2016, pp.7.
- Passed as part of the FAST Act, H.R.22, 114th Congress, 2015.
- Text from S.766, 114th Congress, 2015.
- D. Hynd and M. McCarthy, “Study on the benefits resulting from the installation of Event Data Recorders: Final Report,” European Commission, PPR707, 2014, pp. 61.
Whose Data Is It Anyway?
Preventing “Negligent Entrustment”: Plausible Deniability vs. Telematics