Car rental firms told: Tell your customers about in-car data slurps

Privacy International: Companies need to be explicit, not rely on fine print

By Rebecca Hill

Posted in Internet of Things, 6th December 2017 10:37 GMT

Car rental companies should offer customers explicit information on what happens to data that has been sucked up by connected cars, a civil rights group has said.

In a report published today, Privacy International criticised car rental firms for “relying on the small print in terms and conditions” when it came to dealing with data amassed by in-car entertainment systems.

These infotainment systems sync up to mobile devices via Bluetooth, and store a range of data such as location logs, as well as information from on-board systems for web browsing, making phone calls or streaming music. For connected cars, this information could make its way back to the manufacturer.

This has implications for consumer privacy, PI argued, as the data could be personal, and associated with an identifiable individual. As an example, it pointed to a case where a man in the US tracked down the kids who took his Jeep for a joyride via the info they’d left in his infotainment system.

The firms contacted by PI - Enterprise, and its two subsidiaries Alamo and National; Thrifty; and Sixt - said it was the drivers' responsibility to wipe their data from the systems.

Although some said they would update their privacy policies as part of prep for the General Data Protection Regulation, PI criticised them for a lack of transparency.

It said that if the rental firms were putting the onus on customers, they needed to be more upfront.

“Rental companies and car-share schemes must provide clear and explicit information to customers in relation to what data is retained on the infotainment systems and how to delete it,” the report said.

“They must be given details as to how to do this effectively and informed what data may remain on the car despite a factory reset.”

Enterprise also suggested in its response that the car manufacturer - not Enterprise - is the data controller.

However, Nissan - the maker of the car PI rented from Enterprise as part of the work - countered that, as the vehicle in question wasn’t a connected car, it couldn’t access or control the data if it didn’t have the vehicle. If the car was returned to Nissan, the firm said it would do a full factory reset.

Nissan added that the assertion that the manufacturer is the data controller “is a quote from Enterprise only and not a fact”.

This apparent buck-passing is not surprising, as it isn’t clear-cut which party would be the data controller, but PI said that the lack of agreement over who is the data controller was “concerning”.

In recommendations to manufacturers, it said they should “provide the equivalent of a delete button enabling customers to quickly and easily remove their personal data from infotainment systems”.

The report also urged the Information Commissioner’s Office to issue “clear guidance” to rental firms over their obligations to rental customers. ®
