Emergent Tech

Internet of Things

Car rental firms told: Tell your customers about in-car data slurps

Privacy International: Companies need to be explicit, not rely on fine print

By Rebecca Hill


Car rental companies should offer customers explicit information on what happens to data that has been sucked up by connected cars, a civil rights group has said.

In a report published today, Privacy International criticised car rental firms for “relying on the small print in terms and conditions” when it came to dealing with data amassed by in-car entertainment systems.

These infotainment systems sync up to mobile devices via Bluetooth, and store a range of data such as location logs, as well as information from on-board systems for web browsing, making phone calls or streaming music. For connected cars, this information could make its way back to the manufacturer.

This has implications for consumer privacy, PI argued, as the data could be personal, and associated with an identifiable individual. As an example, it pointed to a case where a man in the US tracked down the kids who took his Jeep for a joyride via the info they’d left in his infotainment system.

The firms contacted by PI - Enterprise, and its two subsidiaries Alamo and National; Thrifty; and Sixt - said it was the drivers' responsibility to wipe their data from the systems.

Although some said they would update their privacy policies as part of prep for the General Data Protection Regulation, PI criticised them for a lack of transparency.

It said that if the rental firms were putting the onus on customers, they needed to be more upfront.

“Rental companies and car-share schemes must provide clear and explicit information to customers in relation to what data is retained on the infotainment systems and how to delete it,” the report said.

“They must be given details as to how to do this effectively and informed what data may remain on the car despite a factory reset.”

Enterprise also suggested in its response that the car manufacturer - not Enterprise - is the data controller.

However, Nissan - the maker of the car PI rented from Enterprise as part of the work - countered that, as the vehicle in question wasn’t a connected car, it couldn’t access or control the data if it didn’t have the vehicle. If the car was returned to Nissan, the firm said it would do a full factory reset.

Nissan added that the assertion that manufacturer is the data controller “is a quote from Enterprise only and not a fact”.

This apparent buck-passing is not surprising, as it isn’t clear-cut which party would be the data controller, but PI said that the lack of agreement over who is the data controller was “concerning”.

In recommendations to manufacturers, it said they should “provide the equivalent of a delete button enabling customers to quickly and easily remove their personal data from infotainment systems”.

The report also urged the Information Commissioner’s Office to issue “clear guidance” to rental firms over their obligations to rental customers. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Er, we have 670 staff to feed now: UK's ICO fines 100 firms that failed to pay data protection fee

Enforcing GDPR is expensive work, says watchdog

Campaigners call for immigration exemption in UK's Data Protection Act to be scrapped

Judicial review into law launched

Cambridge Analytica seeks data protection assistant

Jobseeker? You may have heard of it...

Reel talk: You know what's safely offline? Tape. Data protection outfit Veeam inks deal with Quantum

Magnetic strips barrier to ransomware, burble box-flingers

US tech circles wagons as India reviews data protection proposals

Ex-Cisco CEO-chaired lobby leading the charge

IT management software crowd Kaseya buys cloudy data protection crew Spanning

Private equity holdings shuffle

Why, hello Rubrik's Trello: Data protection biz leaves productivity tool open to world+dog

Anyone with URL could see lists of case study projects

Uber hack: EU data protection bods launch taskforce

Justice commissioner slams biz for 'irresponsible' behaviour

Big tech wants the ICO on EU data protection board in Brexit fallout

Watchdog keeping voting rights 'huge gain' for marketing sector, say Facebook, Google et al

UK.gov's Brexiteers warned not to push for divergence on data protection laws

As PM lacks specifics on UK’s desired ‘adequacy-plus’ deal