25 juin 21

“Leaving personal data in a car is a breach of GDPR”

“GDPR is probably the most successful export of the European Union,” says Andrea Amico, CEO of Privacy4Cars. But it is also something vehicle fleet managers often struggle with. Privacy4Cars helps fleets respect data privacy regulations like GDPR by deleting personal data from a vehicle when it is sold or returned to a leasing or rental company.

Why is the service you offer necessary?

“I’m sure you have a smartphone that you have synced via Bluetooth or plugged in the USB port of your car because you wanted to take a phone call or use one of your apps (e.g. navigation) in your car. What people don’t realise is that when you do that, you create a mini clone of your phone, stored inside the car. Your car now contains some of your personal data.”

“It’s not only about your contacts, it can be much more. You can find tracks of the last photos you have taken, social media you are on, your browser history, calendar entries, text messages. There’s a lot of data in cars and we don’t realise this.”

“The problem is, if you have the car keys, the car thinks you are the owner and you can get access to everything. This is concerning for consumers but also for businesses because this information is regulated, particularly in Europe.”

“The European Data Protection Board, which is the EU agency that deals with GDPR and other privacy laws, issued a set of guidelines on how GDPR and ePrivacy applies to vehicles. They clearly spell out that rental car companies (and in general fleets) “have effective control over the processing […] as such they have the responsibility to ensure the confidentiality of the data”. In other words, the personal information stored in the dashboard must be deleted at every handoff. Not doing so constitutes a breach of GDPR and ePrivacy laws.”

How does Privacy4Cars avoid this?

“We have a suite of services. People in the field can use an application to remove personal information and most importantly, to keep track of this removal. One thing is doing what you’re supposed to do, but if your business cannot prove it, you may have not shed any liability.”

“We also have a software development kit (SDK), a small piece of code anyone can put inside their own application. So if you are a carsharing programme, for instance, you can offer the functionality without having to write any code. We just power that part of the process as a white-labeled experience so your users can self-serve and take care of their privacy from inside your own app – and again, your business gets your compliance records.”

“We also offer identity theft protection for vehicle owners and we track data that is no longer just in the car but is spread in a million other places.”

What risks do companies expose themselves to if they don’t delete personal data?

“We always ask people to name a recent policy they introduced, and often they’ll say rules around COVID. We then ask them how they went about doing that: ‘Did you get everyone into a conference room, explain the policy and leave it at that? Or did you have a policy document that people needed to sign? Did you put signs on the doors? Did you send reminders? Did you ask people to confirm they were following the policy on a regular basis?’ Of course they always say the latter. Because as with all matters in compliance, just writing a legal document or telling once people what to do is not enough. For one, it’s not going to happen. Two, if someone files a lawsuit against you or a regulator asks you how you are applying GDPR, you won’t impress any judge.”

“So we help people stay out of trouble by having a structured process. Most law firms will agree you need to have a policy and you need to have records that prove that you live and breathe that policy every day.”

Are car rental companies one of your target groups?

“We started with the idea that car rental companies were going to be our first customer and we haven’t got a single one yet. It is not because they don’t have an obligation under the law or because they are not aware of the issue: it all comes down to economics.”

“Imagine you are a car rental company and you have 100,000 to 200,000 cars that are coming back every day globally. Even if removing personal data only takes a minute, you’re adding 200,000 minutes of wages that you did not have before. So that’s why they are reluctant to do it.”

“I keep telling them they are fundamentally misunderstanding the problem and they are putting themselves at risk of being sued, which has already happened in the United States. Those lawsuits can get very expensive very fast.”

“I expect more creative and innovative rental companies will find ways to make privacy a source value for their customers, either by differentiating themselves, or by offering privacy-centric services.”

What is your ambition for 2021?

“We have already established ourselves as the standard for wholesale in the United States and Canada, where our service is available at over 350 locations. We want to continue expanding internationally, for example we now have a reseller agreements in Europe, in the Middle East, Australia, New Zealand, and India. As privacy laws expand globally, we can help more businesses and consumers protect the Personal Information captured by vehicles.”

“We also want to grow the depth of the services that we provide and with that comes also the depth of the types of customers that we serve. Today we serve mainly customers in the wholesale arena and a few very large dealerships but there are many more segments – with fleets rapidly growing.”

Photo: Andrea Amico, CEO, Privacy4Cars

Authored by: Benjamin Uyttebroeck