Your car knows more about you than you think

Data protection in the automotive industry is having a reckoning.

Car spying

While most people are aware their smartphones collect and share data about them, they might be surprised to learn their car is doing the same thing. 

A recent report from the Mozilla Foundation reviewed the practices of 25 car brands and concluded that "modern cars are a privacy nightmare." 

Equipped with sensors, microphones and cameras, cars have "an unmatched power to watch, listen, and collect information about what you do and where you go," the report reads.

That information is collected by the car itself, third-party sources like Google Maps, satellite radio, and any smartphone connected to the vehicle.

"It's a mess," according to the report.

What's more, it's not just where you drive or how fast that's caught in the collection net. Every car brand Mozilla reviewed scooped more personal data than necessary and used it for reasons that have nothing to do with running the car.

According to Nissan North America's 9500-word privacy notice, personal data that might be collected includes: "race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information." Kia's also includes "sex life," while six companies include "genetic information" and "genetic characteristics."

Car companies also use data to make "inferences" about people's intelligence, interests, abilities, behaviours, attitudes, and psychological trends.

Toronto privacy lawyer Michael Power says the data collection isn't a surprise, as today's vehicles are more computerized than they are mechanical. But there are legitimate questions around what's collected, how it's collected, and what it's used for.

"I suspect the car companies don't really want to have this conversation," Power says. "Their argument will be, 'well, you consent to this (at the time of purchase).'"

Canadian privacy laws are based on a consent-based model – but is there actual consent here?

"The notion is people must be able to make informed choices and give informed consent. Otherwise, it's meaningless," says Brent Arnold, who practises cyber security and data protection law at Gowlings WLG in Toronto. 

Other basic principles that govern what organizations are supposed to do are: You don't collect more than you need. You don't collect it for uses you don't have consent for, and you don't retain it indefinitely. 

"You retain it for as long as you need it to perform whatever it is you got consent for," he says.

Many companies draft their privacy policies broadly to include using data to develop future products. 

"Is that really consent if you're consenting to things they haven't even dreamed up, if you can't imagine the full range of things you're consenting to?" Arnold asks.

"That's very much a live question and one the courts are going to have to grapple with." 

With an eye to future uses, retention can become indefinite, which violates a core principle of privacy law. That's of particular concern, considering Mozilla couldn't determine if any car company met its minimum security standards or encrypted personal info kept on the vehicle.

"It's so strange to us that dating apps and sex toys publish more detailed security information than cars," the review noted.

In the meantime, 84% of the car brands said they can share personal data with third parties, and 76% said they can sell it.

Federally, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organizations that collect or disclose personal information. But it was enacted in 2000 – long before AI and cloud computing became the ubiquitous technologies that they are today. 

"It was a very different world then," says Power. "It wasn't about big tech's massive ability to collect personal information. Facebook wasn't even a gleam in anybody's eye." 

Bill C-27, which is currently working its way through Parliament, aims to replace PIPEDA with the Consumer Privacy Protection Act.

Power says while the proposed legislation makes some advances, it's only around the margins regarding consent and anonymized data. 

"It moves the yardstick a little bit, but the rights that individuals have under the statute don't really change a lot, especially when you compare it to the rights individuals have under the EU's General Data Protection Regulation (GDPR)."

The European Union says the GDPR is "the toughest privacy and security law in the world," complete with harsh fines for violations that can run into the tens of millions of euros.

"The law in Canada has still not caught up with the fact that big tech and most organizations see value in an individual's data – and they want to collect it," Power says. 

Up until now, privacy commissioners could not prosecute companies independently. They could investigate and report on PIPEDA breaches, but only the government could do something about it. 

If passed, Bill C-27 will grant privacy commissioners the power to go after companies. Coupled with the new ability to levy real penalties and considerable fines, Arnold expects to see more adjudication and enforcement at that point.

In Quebec, Law 25 goes even further than the proposed federal overhaul, emulating the GDPR and exceeding it in some crucial ways. Its amendments to the province's Act respecting the protection of personal information in the private sector embrace "privacy by default," giving consumers an automatic right to confidentiality over personal information held by private companies. Fines for non-compliance can range from $15,000 to $25 million.

While some of the provisions took effect last year, significant changes came into force in September, which are particularly relevant to the issues raised by Mozilla.

Laure Bonnave, who practises data privacy and cybersecurity law with Clyde & Co in Montreal, says carmakers will now have the distinct obligation to only collect data for a specified purpose. 

"Consent is a central tool in our law. There is a requirement to obtain clear and informed consent before collecting data," she says. 

"And car manufacturers will need to provide clear information about what will be collected, why it's being collected, and how it will be used."

As data sharing and selling is a big concern, manufacturers must inform individuals if their personal information will be disclosed and use a privacy impact assessment to determine the potential risks of doing so. 

As for the deletion of collected data, Bonnave says companies must assure customers their personal information is destroyed or anonymized when the purpose it was collected for has been achieved. 

"They will have the duty to assess on a continuous basis whether there are legitimate purposes to keep personal information in the system," she says.

Since they often collect sensitive information, companies must implement additional security measures to address current concerns. The provincial privacy regulator can verify that protection measures were in place if a breach occurs.

Moreover, the privacy commissioner can now issue orders that carry the same weight as a court judgment.

Bonnave says that based on what Mozilla found, it doesn't appear car companies are in compliance with the new provisions. But with the rise of new technologies and AI, she expects data practices will get more scrutiny from privacy regulators. 

She points to the California Privacy Protection Agency, which recently announced a review of the data privacy practices of vehicle manufacturers to determine how the collected data is used. Under the California Consumer Privacy Act, people have the right to know what companies are collecting.

"Maybe this article will motivate regulators in Canada to initiate an investigation," Bonnave says. "And perhaps at some point there will be a new regulation to provide a clear framework in this sector."

Power agrees that there are fundamental questions that need to be asked and answered by car companies. 

"The people who are best positioned for that are the privacy commissioners because they have the authority to haul these guys in and have a chat," he says.

"It's certainly worthy of a fulsome investigation."