Evolution of the automotive sector – data privacy and cyber security

August 2022  |  TALKINGPOINT | SECTOR ANALYSIS

Financier Worldwide Magazine

August 2022 Issue


FW discusses the evolution of data privacy and cyber security in the automotive sector with Miriam Ballhausen and Natallia Karniyevich at Bird & Bird.

FW: Could you provide an overview of the key data privacy and cyber security trends impacting the automotive sector in recent years? To what extent do these issues present increasing risks?

Karniyevich: In recent years, the automotive sector has undergone a number of rapid changes, particularly in the context of connected and autonomous vehicles, advanced driver assistance systems, advanced fleet management, and smart transportation. Though providing a higher level of car safety and increasing user comfort, these innovations are also associated with technological and legal challenges, including in the areas of data privacy and cyber security. With the increase in vehicle connectivity, drivers and passengers becoming more interconnected, usage and behaviour monitoring systems, traffic management and other innovative functions, huge volumes of data are being generated. In practice, this raises data protection and privacy issues concerning the permissible access to vehicle data, its primary and further use, including data analytics, commercialisation and big data, as well as the adoption of artificial intelligence (AI) and machine learning techniques, combined with internet of things (IoT) technologies. These key data privacy trends have been impacting the automotive sector in recent years, with stakeholders aiming to address safety and performance controls through predictive car maintenance and anomaly detection, to enhance driver and passenger experience, to optimise the automotive supply chain, to unfold the potential of research and development (R&D) initiatives and to automate as much as possible. Due to increased connectivity and plurality of functionalities, services and interfaces, vehicles are also exposed to the full force of malicious activities. As a security breach may endanger the life of a connected vehicle’s users and people nearby, it is of vital importance for manufacturers and security vendors to address the security of data and involved processes and systems.

Considering the increasing complexity of automotive manufacturing, the complexity of the automotive supply chain, evolving cyber security regulations and the increased number of cyber attacks, cyber security presents an increasing risk and a real concern that needs to be addressed.

Ballhausen: Like most other sectors, the automotive sector has increasingly moved toward offering ‘smart’ and autonomous-driving solutions. These require large amounts of personal data to be collected and processed by stakeholders within the automotive sector, while compliance with privacy laws such as the EU’s General Data Protection Regulation (GDPR) must be ensured. Compliance can only be achieved if legal and practical aspects are both considered appropriately, for example to ensure that the information, which must be provided to data subjects, such as drivers, is appropriately available to them in a way that is practically achievable for the respective stakeholder. At the same time, legal provisions are increasingly affecting the technical setup of the offering, which also processes personal data. Of course, the GDPR includes concepts like privacy by design and privacy by default. However, with laws such as section 63e of the German Road Traffic Regulation, the requirements become more specific and define where data processing devices need to be installed, as well as which data they may even be able to collect.

FW: Against a backdrop of evolving cyber and data privacy regulations, how important is it for the automotive sector to be proactive in protecting data? What are the potential consequences for an automotive company that falls victim to a cyber attack or data breach?

Karniyevich: As a cyber attack or data breach can have an impact on the safety of the driver and passengers, in the context of connected vehicles it is of vital importance for manufacturers and security vendors to be proactive in protecting data and to address the risk of hackers attempting to exploit connected vehicles’ vulnerabilities. Besides reputational damage, an automotive company that falls victim to a cyber attack or a data breach will likely face a fine under the GDPR, as well as the European cyber security regulations, in particular the Network & Information Systems (NIS) Directive which will soon be replaced by the NIS2 Directive and which introduces a new and expanded EU cyber security regime also covering the road transport sector. In addition, the supervisory authority will likely investigate the organisation’s compliance practices and highlight any areas that fail to meet the applicable requirements.

Ballhausen: Stakeholders within the automotive sector should be keen to consider privacy requirements as early as possible. While it may be possible to implement some solutions even at an early stage, such as making the privacy policy available through a user interface, many requirements will need to be considered when products and services are planned. For example, data collection devices may need to be built to exclude specific data from being collected to comply with section 63e of the German Road Traffic Regulation, otherwise the respective device may be prohibited or temporarily taken off the market by a competent authority. These are just two examples of the potential consequences of failing to comply with privacy requirements. In addition, the competent authorities have a whole set of potential measures at their disposal, which range from inquiries to fines. Furthermore, in the event of a data breach which leads to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data, the data controller is obliged to notify the competent authority and potentially also inform the affected individuals. At the same time, cases in which individuals bring claims directly against the data controller continue to rise. To avoid these risks, the requirements and necessary security measures should be carefully considered as early as possible in the development process.

FW: In your experience, are current levels of data security deployed by automotive companies generally sufficient to address cyber risks?

Karniyevich: With smart car connectivity increasing, the growing use of data and the emergence of semi-autonomous cars, new cyber security risks and threats are developing. Security measures deployed by automotive companies need to be constantly updated to take into account recent cyber security developments to eliminate or mitigate the potential risks, especially as these attacks threaten the security, safety and privacy of the vehicle and all other road users. As highlighted by the European Union Agency for Cybersecurity (ENISA), there have been some experimental remote attacks on autonomous cars’ cameras and light detection and ranging (LiDAR) systems, showing effective camera blinding, making real objects appear further away than their actual locations or even creating fake objects. In addition to malicious sensors and manipulations, other attack vectors have been demonstrated, such as global navigation satellite systems (GNSS) spoofing and fooling AI-based functions, with the famous example of trapping a self-driving car by just drawing a chalk circle around the vehicle. Such attacks may lead to data breaches, vehicle immobilisation, road accidents, financial losses, and even endanger road users’ safety.

Ballhausen: In our experience, automotive companies are generally very keen to ensure data security. The sector is used to dealing with security requirements. Data security requirements are often seen as an additional set of security requirements which must be met. Nonetheless, automotive companies have faced data breaches and personal data collected by automotive companies has been lost. With an increase in cyber security attacks, it is safe to assume that the number of security issues and data breaches will increase and that despite all efforts, many of today’s security measures are not yet sufficient.

FW: What technical and organisational measures do data controllers in the automotive sector need to adopt to ensure compliance with relevant legislation?

Karniyevich: From the perspective of a data controller, to ensure compliance with data protection regulations, automotive companies need to ensure they have access to hardware and software security, taking advantage of best practices and current security standards, beginning with design and manufacturing to operation and retirement. In addition, in-vehicle network security should be ensured to protect the processed personal data, such as location data, navigation history, call history, microphone recordings and so on. Finally, as vehicle systems need, in some circumstances, to communicate with cloud-based security services to detect and correct threats, cloud security services need to be implemented in a secure manner.

Ballhausen: The technical and organisational measures that need to be adopted depend on various factors. There are, of course, principles such as “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”, as referred to in article 32 of the GDPR. However, this ability needs to be ensured through different means, such as if you take access control to ensure confidentiality, for example. If the personal data is processed within a vehicle, access control measures may be limited to password protection and potentially encryption or pseudonymisation, whereas it will generally be possible to restrict the access to personal data processed on servers in a data centre, such as part of a ‘smart’ or cloud solution, physically. Furthermore, the level of security that needs to be achieved depends on the sensitivity of the personal data being processed. The more sensitive the data, the higher the security measures that need to be implemented. Therefore, there is not one definitive set of technical and organisational measures that must be adopted by data controllers in the automotive sector. Instead, data controllers should carefully consider what personal data they will be processing, the sensitivity of this data and the security measures available to them in a specific setup.

FW: How important is it for data controllers to review and update their data governance obligations on a regular basis, taking into account changing circumstances? What role can technology play in this process?

Karniyevich: It is of vital importance that data controllers review and update their data governance obligations on a regular basis, taking changing circumstances into consideration. The GDPR, which came into force in 2018, still presents a challenge for many companies, including those in the automotive sector. On the one hand, the technological progress made with respect to connected vehicles provides the opportunity to more efficiently review and update data governance obligations, however, on the other hand, it also increases the complexity of the systems and processes, thereby creating new cyber security risks.

Ballhausen: Arguably, data governance obligations do not need to be reviewed on a regular basis. However, the means through which these obligations are met should be considered and evaluated regularly. This applies especially to the technical and organisational measures implemented. These measures need to address the risks surrounding personal data that is processed and the individuals this data affects. As risks and security threats change, the measures may need to be amended to ensure requirements are met on an ongoing basis.

FW: What essential advice would you offer to automotive companies on navigating cyber security threats and mitigating the risk of sanctions under data protection law?

Karniyevich: It is most important to navigate cyber security threats and mitigate the risk of sanctions under data protection law. We recommend automotive companies comply with data protection by design and by default principles. This means that technologies should be designed to minimise the collection of personal data, provide privacy protection default settings, and ensure that data subjects are well informed and have the option to easily modify configurations associated with their personal data. In addition, supply chain risks should be assessed and appropriately addressed by including audit clauses and mandating testing procedures, cyber security best practices and standards should be applied, and state-of-the-art technology and tools should be used. Finally, technical and organisational measures need to be regularly reviewed and updated with respect to existing systems and technologies.

Ballhausen: Involve your cyber security and data protection teams as early in the process as possible. They can not only provide the input to ensure requirements are met and obligations are fulfilled, but involving them as early as possible also avoids the risk of delays later in the process, for example if the product design needs to be amended to avoid GDPR infringements.

FW: How do you expect data privacy and cyber security issues to unfold within the automotive sector over the months and years ahead? What new evolutions and innovations are likely to carry an increase in risk?

Karniyevich: The trend of big data and the increasing technological level of products, as well as manufacturing systems and processes, will lead to the constant development of data privacy and cyber security issues in the coming months and years. We do not expect any major changes in this area currently; rather, we expect to see constant and steady implementation of new regulations. In the cyber security area, examples of this include UN Regulations No. 155 and 156, the EU Cybersecurity Act, as well as the NIS2 Directive which will replace the old directive on security of network and information systems, amending the rules on the security of network and information systems. We believe the increase in risks will be connected with two trends. First, a growing amount of sensitive customer data stored and processed, such as personal data collected in connection with the customer’s payment at charging stations for electrical vehicles, autonomous driving, storage of driver profiles, and so on. Second, a high dependence of manufacturing sites and logistic providers on the data and its use when talking about just in time (JIT) and just in sequence (JIS). A dramatic increase in cyber security attacks, which has occurred in recent years, will strengthen these trends.

Ballhausen: As in other sectors, security threats will continue to be a core risk for the automotive sector. This risk continues to increase as vehicles become more autonomous, and the potential damages continue to increase.

Miriam Ballhausen is a partner and a member of both Bird & Bird’s technology and communications as well as automotive groups. She is based in Hamburg and advises clients on all matters involving technology, software, digital media, copyright, data and data protection law, with a particular focus on the collaborative development of open-source software, open data and open hardware. She can be contacted on +49 (0)40 46063 6000 or by email: miriam.ballhausen@twobirds.com.

Natallia Karniyevich is a senior associate in Bird & Bird’s Düsseldorf office, specialising in IT security and data protection law. In the context of cyber security, she is primarily focused on contractual issues and assists clients in understanding and implementing regulatory requirements. She can be contacted on +49 (0)211 2005 6000 or by email: natallia.karniyevich@twobirds.com.

© Financier Worldwide
