By Praveen Sasidharan
While the safety and security of passengers and vehicles alike have conventionally been key considerations for the automotive industry, the automotive industry stands at a pivotal juncture where connectivity and data analytics advancements are revolutionising how vehicles interact with their surroundings (V2X) and each other (V2V). This era of connected vehicles has ushered in a plethora of benefits, including enhanced traffic management, improved safety features, and the development of autonomous driving technologies. However, this surge in data collection has also raised significant concerns regarding privacy and data protection.
The growth of the connected vehicles and data collection
In the digital era, automotive companies are competing to introduce tech-forward products which has translated into a diverse advancement. Connected vehicles now incorporate IoT (Internet of Things) technology which facilitates communication between vehicles and connected devices such as mobile applications. This advancement in technology enables remote diagnostics, over-the-air updates, real-time data monitoring, and provision of training data for autonomous driving vehicles (“ADVs)”. ADVs rely on sensors, cameras, and training data to navigate the road networks without human intervention.
Apart from the product itself, the automotive industry is increasingly utilising technology for supply chain management by implementing digital tools for predictive maintenance, real-time tracking, and inventory optimisation. Additionally, automotive companies are enhancing customer interactions through digital platforms, including virtual showrooms, augmented reality (AR), and personalised services.
For the implementation and development of such technology, the automotive industry depends largely on data. A large volume of data, including personal data of vehicle owners, is used for various functions. This has given rise to questions about who owns this data and what can be done with it.
According to the Deloitte Global Automotive Consumer Study (2020), 69 percent Indian customers are concerned with the security of data shared with connected vehicles. Moreover, there has been an increasing concern regarding the safety of the data consumers share with businesses. Towards that end, various countries have introduced legislations to regulate the collection and processing of personal data by organisations. In 2023, the Indian Parliament passed the Digital Personal Data Protection Act (Or the DPDP Act) to safeguard the personal data of its citizens. Hence, the automotive industry must focus not only on vehicular and passenger safety but also personal data security to ensure its growth in the coming years.
Key components of the digital personal data protection act
The DPDP Act has been created to enforce personal data privacy in India. The Act is applicable to data that is collected by organisations, referred to as Data Fiduciaries, within the territory of India and to data collected outside of India in case it is for the purpose of business offerings made to individuals residing in India.
The provisions of the Act have been bolstered by clearly outlining the rights of the Data Principal, from Sections 11 through 14. To ensure compliance with the personal data protection requirements, the Act also provides for penalties.
AIS 189: A step towards enhancing data privacy in connected vehicles and auto industry
Recognising the growing privacy concerns surrounding connected vehicles, the Automotive Research Association of India (ARAI) developed AIS 189 (DRAFT), a technical standard for automotive security and data privacy in connected vehicles. AIS 189 (DRAFT) outlines guidelines for anonymising data, minimising data collection, implementing robust security measures to protect vehicle data, and ensuring user consent for data collection and usage.
Key challenges and considerations
With the enactment of the DPDP Act, the onus is on the original equipment manufacturers (OEMs) to ensure that consumers’ personal data is collected and processed according to the law. Auto OEMs have several challenges in front of them for addressing the privacy conundrum effectively. Auto OEMs must implement a robust privacy framework involving Process, People, Technology and Governance (PPTG) to address the aspects of the Act.
Organisations must practice data minimisation, ensuring that only the minimum amount of data necessary for specific purposes is collected. Moreover, the purposes for which vehicle data is collected must be well-defined and it should not be used for unauthorised purposes. Security mechanisms such as access control must be implemented to protect vehicle data from unauthorised access, modification, or disclosure. For data anonymisation, appropriate techniques must be employed to de-identify data and prevent direct linkage to individuals. Additionally, clear guidelines for sharing vehicle data with third parties should be established to ensure that they adhere to privacy principles. Effective mechanisms must be provided for enforcing privacy regulations and holding data controllers accountable for their actions. Lastly, there must be keen focus on obtaining user consent for data collection and usage, providing clear and accessible privacy policies, and enabling individuals to control their data.
Way forward
Vehicle data holds immense potential for revolutionising transportation, but it must be harnessed responsibly and ethically. The Indian government’s DPDP Act and AIS 189 (DRAFT) provide a framework for safeguarding privacy. Investments in a privacy compliance program, whether resource or knowledge-based, would pave the way for developing consumer trust, establishing privacy rights management as a core organisational objective, and strengthening information security practices as the automotive industry continues to embrace connectivity and data-driven innovation.
The author is Partner, Deloitte India
Disclaimer: The views and opinions expressed in this article are solely those of the original author. These views and opinions do not represent those of The Indian Express Group or its employees.
