Connected cars – Data protection, privacy, and cybersecurity

CONNECTED CAR TECH SERIES PART 4: Complex regulatory landscape threatens to restrict the market’s development 

Contributed by: Waseem Haider

In the last three parts of our Connected Car Tech Series, we talked about the immense possibilities this space offers to car manufacturers, network operators and other stakeholders. That may give the impression that the outlook is entirely positive, which is not the case. Connected cars face a number of challenges.

One significant roadblock facing the connected car industry relates to regulations and standards. The need for regulations governing in-vehicle data and other connected car resources is one of the most pressing issues affecting connected car stakeholders. This is partially because regulations were meant to deal with basic connectivity, e.g. emergency calling, and partially because of the expansion of the connected car ecosystem. Current regulations do not sufficiently address the challenges posed by increased connectivity and the role of different stakeholders.

Though multiple areas are affected by the lack of standardization and proper regulations in the connected car ecosystem, two stand out due to their impact on both end-consumers and service providers: data protection and privacy, and cybersecurity.

Data Protection and Privacy

One of the biggest challenges faced by the connected car ecosystem is the protection of consumer data. Even though regulatory authorities have made some significant policy changes around connected cars, data access and privacy regulations have yet to be tackled adequately. For example, the EU updated its Motor Vehicle Type Approval Regulation in 2019, but the increasing vehicle connectivity is still a topic of discussion. 

One major data protection law from the EU is the General Data Protection Regulation, or GDPR. There has been a lot of uncertainty between the EU and US since the introduction of GDPR. Meanwhile, numerous regional efforts around data protection have emerged, inspired by the GDPR. One such regulation is the California Consumer Privacy Act (CCPA). The CCPA directly addresses car manufacturers and automotive suppliers globally on their telematics data capture, and influences cloud service providers’ data privacy practices.

The amount of data generated, not only within the car but also outside of it, certainly poses a threat to the protection of personal data and raises serious privacy issues. According to some estimates, almost 25 gigabytes of data is produced per hour from a connected car. Most of this is personal data of the driver and passengers. Moreover, the data generated by connected cars has attracted the interest of multiple stakeholders: enforcement and government authorities, car insurance companies, car manufacturers and other third parties.

Primarily, connected cars are generating data from three different categories of functionalities: Telematics, V2X and Infotainment (see Figure 1 below).

Figure 1: Main Data Sources in Connected Cars 

Source: ENISA

The functions shown in the graphic enhance the customer experience for car owners and some of them are essential for safety and emergency services. However, the amount of personal data which the connected car systems are generating becomes a cause of worry for the protection of the data and privacy of individual car owners and/or related parties. Note that we are not talking about the fully autonomous vehicles of the future, which will generate and gather even larger amounts of data than today’s connected cars.

Hence, the question arises how to adopt data protection and privacy standards today which will stand the test of time. While there is some progress in creating standards and regulations surrounding connected cars, for instance the new Motor Vehicle Type Approval Regulation, EU GDPR, and CCPA, many issues have not been addressed comprehensively or consistently enough to support growth of this new market.


Another big challenge for the connected car ecosystem is its increased vulnerability to cyberattacks and hacking threats. The transformation of the automotive industry into one offering digital mobility products and services has raised the importance of cybersecurity in the connected car ecosystem (see Figure 2 below). Though the digital features in connected cars add great customer value, they also expose connected cars to multiple touchpoints for possible cyberattacks. As connected cars have more and more in-vehicle software units, hackers have access to electronic systems and data, posing potential threats to critical safety functions and data privacy.

Figure 2: Cyberattack scenarios in connected cars 

Source: Frost & Sullivan

In the past few years there have been multiple instances of cyberattacks on connected cars, where hackers have taken full control of the vehicles. The major challenge is the lack of clear regulatory guidelines and standards for the connected car ecosystem. As such, the cybersecurity problem is related to data protection and privacy. Cybersecurity and data protection/privacy are two sides of the same coin: cybersecurity presents the outside-in scenario and data protection is the inside-out scenario.

One important point to highlight here is that regulators are having a tough time formulating such laws. Part of the challenge is the involvement of multiple stakeholders in the connected car ecosystem. This influences current supplier contracts with OEMs and other third-party relationships for software development, testing and managing over-the-air (OTA) updates.

Regulators face a difficult situation in adopting standards across the entire automotive value chain. For the last few years, however, regulators have been working on a cybersecurity framework for the automotive industry that will cover the entire value chain. This year, the United Nations Economic Commission for Europe (UNECE) passed a law called the Vehicle Cyber-Security Management System (CSMS), to be implemented by automotive manufacturers. The law will make cybersecurity an integral part of the entire connected car ecosystem, and OEMs will need to implement a certified CSMS across the entire lifecycle of any given connected vehicle in the near future.

Next Up: Data ownership

Among the many regulatory issues in the connected car ecosystem is the question of who owns the data generated by the connected car ecosystem. In the next part of this series, we will take a deeper look at ownership of data in the connected car space.


Image credit: Erik Mclean