Submission to the Standing Committee on Transport and Communications regarding their study on the regulatory and technical issues related to the deployment of connected and automated vehicles

The Privacy Commissioner of Canada, Daniel Therrien, made the following submission to the Standing Senate Committee on Transport and Communications, regarding their study on the regulatory and technical issues related to the deployment of connected and automated vehicles. The submission offers further input for consideration, following the Commissioner’s appearance before the committee on the same issue on March 28, 2017.

November 22, 2017

The Honourable Dennis Dawson, Chair
Standing Senate Committee on Transport and Communications
The Senate of Canada
Ottawa, Ontario  K1A 0A4

Dear Mr. Chair:

I wish to thank you and your Committee for the opportunity to submit further views regarding your study on the regulatory and technical issues related to the deployment of connected and automated vehicles.

We have been pleased to see data privacy and security maintain a central role in this Committee’s discussions since my appearance earlier this year, on March 28, 2017. There is much energy rightfully being spent in examining and securing the data flows associated with the Connected Car and the infrastructure required for its advancement.

Update on the Office of the Privacy Commissioner of Canada’s (OPC) work on consent

Since my earlier appearance, the OPC has released its Report on Consent, which follows a year-long consultation that set out to identify improvements to the current consent model under federal private-sector privacy law and bring clearer definition to the roles and responsibilities of the various players who could implement them.

It became clear to us during the consultation that consent remains central to personal autonomy. Individuals want to retain the ability to make decisions about their data. That said, there may be some collections, uses or disclosures for which it would be inappropriate for the driver to control how the information is used. An example of this might be where the use or disclosure of data is necessary to ensure road safety.

However, many others should be subject to individual choice — for instance, the use of personal information for marketing, usage-based insurance, navigation, and so on. Individuals may have little awareness that such uses are occurring, let alone of the details and implications of those uses, or of any options available to limit, disable or otherwise control them. People are accustomed to simply getting in a car and driving, and many would not give a second thought to privacy, unaware of all the background collections, uses and disclosures being made of their personal information.

When organizations are requesting an individual’s consent, we think they need to do a better job of explaining what they propose to do with, in this case, drivers’ personal information. Historically, dense, legalistic privacy policies that often go unread by consumers have been the main instrument for communicating privacy practices. This has, unsurprisingly, proven ineffective. It is therefore important to find means to improve communications. To this end, we have released a draft update to our Guidelines for Online Consent, which puts forward seven guiding principles for online consent. Key to these are four elements which must be highlighted to individuals: what data is being collected; for what purposes it is being collected, used or disclosed; to which parties it is being disclosed; and any known or foreseeable risks of harm from the collection, use or disclosure.

Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience(s). Organizations are encouraged to use a variety of communications strategies — including “just-in-time” notices, interactive tools and customized mobile interfaces — to explain their privacy practices. An appropriate summary of the personal information collected by a car — and of the potential third-party service providers who may have access to it — should be made available before the car is bought or leased. More specific disclosures should be made at the time when individuals are facing specific choices. For instance, the types of data being used to calculate premiums (and any associated financial risks) could be communicated during the sign-up process for usage-based insurance. An explanation of the data collected when pairing a phone to a rental car’s Bluetooth system — and of how to delete that data at the end of the rental period — could be kept within that rental car’s console. There are myriad opportunities for communicating with individuals (which do not require attracting their attention while driving), and we challenge stakeholders to identify and make use of them.

The Connected Car may serve as an ideal first application for this new guidance. The auto industry is accustomed to communicating complex performance and safety information to consumers in straightforward, accessible and standardized ways — we see no reason why this should not be the case for privacy considerations.

Enhancing Privacy, Beyond Consent

In our consent report, we said that consent remains central to personal autonomy but that, in order to protect privacy more effectively, it needs to be supported by other mechanisms, including more industry guidance and codes of practice, stronger accountability of organizations, proactive enforcement by regulators, and the legislative amendments needed to effectively address emerging risks. These other mechanisms are particularly relevant in the connected car environment, due to the complexity of the technology and of the data flows inherent to its operation.

Codes of Practice

As I discussed during my appearance before the Committee, the OPC’s Contributions Program has funded a project aiming to develop a Code of Practice for the Connected Car. We expect valuable outcomes from this project, as we do from all our funded projects. However, we have heard from key stakeholders that privacy is one of many considerations in the connected and autonomous car ecosystem, and that a broader effort, involving all levels of government, key industry stakeholders, consumer groups and others, may be needed to address the many challenges and opportunities that this evolution presents.

To that end, we would strongly encourage the government to bring the relevant stakeholders (regulators, legislators, automakers and consumers) together in the development of a connected car framework that has the protection of privacy as one of its key drivers. The OPC would intend to play a key role in any such project.

Accountability, Privacy by Design and Proactive Compliance Reviews

Accountability is a fundamental PIPEDA principle that requires organizations to develop and implement policies and practices to comply with the principles of the Act. Throughout our consultations on consent, we often heard that accountability needs to take a larger place in privacy protection, in a period where data flows and business models are becoming more complex, thus creating challenges for the consent model.

Accountability includes the notion that organizations should build privacy protection into the very design of a product or service, from the early phase of conception through to its execution, deployment and beyond. Privacy cannot be an after-the-fact consideration in the Connected Car; it would likely be very difficult (and costly) to re-design a system if a fundamental flaw is identified shortly before production, let alone once cars are already on the road. Stakeholders in our consultation generally supported this use of Privacy by Design (PbD). The two elements of PbD that we find to be of greatest importance are its temporal requirements (privacy is considered as early as possible and assessed continuously) and the fact that it addresses both technological and organizational factors. Both of these elements are reflected in our guidance; in our view they are key, and we expect them to be implemented.

While we believe consent continues to have an important role in protecting privacy, we agree that the weight given to accountability should increase. Accordingly, organizations should be able to demonstrate accountability as a means of ensuring that privacy rights are respected. We also believe this obligation should be enforced proactively rather than exclusively through PIPEDA’s complaint-based system. Most data flows in the connected car are very complex and not transparent, and it is not reasonable to expect consumers to identify the privacy problems associated with them. My Office will generally be in a better position to know about these problems and to initiate Commissioner-initiated complaints.

Ultimately, respect for the accountability principle would require my Office to be able to verify compliance on demand, without grounds to believe a violation of the Act has occurred. These are not extraordinary powers but rather authorities that have been exercised for a long time by other regulators. Amendments to PIPEDA would be required to achieve this, amendments we believe are necessary to achieve meaningful privacy protection in a technologically complex world. For now, we will continue to explore how we could more proactively promote PIPEDA compliance under the current law, including by carrying out Commissioner-initiated investigations pursuant to subsection 11(2) of the Act.

International Developments

The international privacy community has taken a keen interest in the matter of connected and autonomous vehicles. Recently, the 39th International Conference of Data Protection and Privacy Commissioners passed a Resolution on Data Protection in Automated and Connected Vehicles. This resolution calls upon all relevant parties to “fully respect the users’ rights to the protection of their personal data and privacy and to sufficiently take this into account at every stage of the creation and development of new devices or services,” and lists 16 actions and activities which parties are urged to undertake to further this end.

In the United States, the Future of Privacy Forum and the National Automobile Dealers Association released a consumer guide titled Personal Data in Your Car, which aims to help consumers understand the kinds of personal information collected by the latest generation of vehicles, which use data to further safety, infotainment and customer experience.

A bill introduced in the US Senate, the Security and Privacy in Your Car (SPY Car) Act, would direct the US National Highway Traffic Safety Administration and the Federal Trade Commission to establish a rating system. The proposed “cyber dashboard” is intended to explain how security and privacy are protected above minimum standards, and the bill would require the rating to be displayed on a sticker on the windshield of all new cars. The bill has been referred to the US Senate’s Committee on Commerce, Science, and Transportation.

In July 2017 the US Government Accountability Office (GAO) also released a report on vehicle data privacy, which analyzed (among other things) the privacy policies of a number of major auto manufacturers. The selected experts interviewed for that report opined, in particular, that the industry’s existing Consumer Privacy Protection Principles do not provide sufficient guidance to inform automakers’ actions or to protect consumers’ privacy, and should therefore be improved. These findings are similar to those of a study by the British Columbia Freedom of Information and Privacy Association, funded under the OPC’s Contributions Program.

There have also been recent developments in the European Union. The European Parliament’s Committee on Transport and Tourism has published a draft report on a European strategy on Cooperative Intelligent Transport Systems. The report sets out key recommendations on data privacy and protection and stresses that connected vehicles should comply with the forthcoming General Data Protection Regulation (GDPR). Specifically, it states that “[connected car] service providers must offer clear terms and conditions to drivers, enabling them to give their freely informed consent to any processing of their personal data.”

Conclusion

These developments offer some valuable takeaways for Canada. The general philosophy of engaging and informing consumers so that they can make reasonable choices, of empowering the regulator, and of establishing a coordinated approach to connected vehicles clearly resonates with how my Office envisions dealing with issues of consent and the privacy challenges associated with connected vehicles.

Going forward, we believe that addressing the many challenges related to the Connected Car will require the engagement of a broad range of stakeholders from all levels of government, the private sector, consumer groups, researchers and members of the public. I am eager to continue the dialogue your Committee has sparked with these interested parties in order to ensure privacy is adequately considered. We look forward to the Committee’s recommendations on this point, as well as the government’s response.

I hope you have found these reflections useful and I thank you once again for providing me an opportunity to share my thoughts on this study.

Sincerely,

(The original version was signed by)

Daniel Therrien
Commissioner
