Data privacy: the law versus public opinion

Date: Tuesday May 6, 2014

Isn’t it ironic that while published data from outside the vehicle is greeted with a chorus of disapproval (Google Street View has all but disappeared in Germany because of privacy concerns), ever more data from inside the vehicle is being published with the blessing of the authorities and the public?

Legislatures might be more or less permissive depending on regions, but they often fall short of protecting companies against possible backlash from public opinion, with potentially costly consequences.

Recently, Governor Franken commissioned the Government Accountability Office (GAO) to conduct a study investigating a number of companies working with car data (auto manufacturers, portable navigation device (PND) companies, and developers of map and navigation applications for mobile devices), and concluded with a call for a location privacy law.

The result of the study was that, while most companies interviewed followed the “industry recommended privacy practices”, improvements were required:

  • All ten companies disclosed the fact they were using location data, but nine provided very broad reasons for the collection. Five did not identify why they were sharing that data.
  • Consent was sought by all, but none accepted that the data could be deleted if requested.
  • All took steps to safeguard the data in different ways, but the levels of data “anonymization” and the length of time it is kept varied.
  • All took steps to protect the location data they share with third parties, but none held themselves accountable to their customers.

So, while these companies were not acting illegally, all were judged to be inappropriately handling customer data. Yet, everywhere we look, we can see that more data – not less – is being used. The nature of the data, as well as the quantity, is growing rapidly, and actuaries are the loudest voices in pushing for more data.

Progressive has made it clear that it will use location monitoring in its usage-based insurance product, while keeping consumer acceptance in mind. Glenn Renwick told its investors: “I will not rule out – in fact I would say I would rule in – that we will consider more GPS-type monitoring and the like as consumers are willing to accept that as a viable option.”

We can also think of drive cams in commercial vehicles becoming more popular in select markets. They can provide a 24-hour monitoring solution that may be an important part of a fleet operator’s insurance and duty of care strategies. Today, their recording capacity is limited, but as chipset memory prices come down, this could change rapidly.

Floating car data is also a great opportunity to monetise location data, and since the data is anonymised, it is safe to use … or so we thought:

In 2011, TomTom was investigated by the leading European Data Protection Authorities for providing car probe data to a third party, after a journalist reported that TomTom sold the data to the police which then used it to place the cameras in spots where drivers exceeded the speed limit. TomTom was, in fact, selling access to their map data, including maximum allowed speed as well as the “expected” speed. The police used the information to remove speed cameras from specific locations where the expected speed was significantly lower than the maximum speed limit.

TomTom was nevertheless investigated by the Dutch data protection authority, while the Italian, German and French authorities also looked on and co-operated with the Dutch. Speed data was not personal and therefore did not fall under the Data Protection Act. However, the authorities judged that TomTom was not clear enough in its explanation of how the data was used.

TomTom was cleared, but was asked to explicitly warn users and require an opt-in, and it cost the company a six-figure sum to deal with the PR damage.

So, it may be legal to send, use and resell location data, but that doesn’t protect against public opinion. As Simon Hania from TomTom said: “Dealing with privacy and trust is beyond compliance.”

What does that mean for the future of geo data privacy? In the short term, more data from the vehicle will be used. That will require more and better communication about the service provided, and greater clarity on who uses the data and how.

However, more predictive data is really the end goal and should remain the primary focus. The vast data sets collected by service providers and insurers could turn into a liability if divorce and child custody attorneys start getting court orders to access it. Who wants to see in the press that UBI data is being used to demonstrate drinking habits?!

A full analysis of the repercussions of the Data Protection Act reforms can be found in the UBI Global study 2015.