On March 24, the BC Freedom of Information and Privacy Association (FIPA) released a report titled, “The Connected Car: Who Is In the Driver’s Seat” (the “Report”). The 123-page Report describes the increasing use of digital features and services in today’s automobiles and, among other things, recommends that the federal government enact data protection regulations aimed specifically at the auto sector. The Report is authored principally by Phillippa Lawson, formerly the Executive Director of the Canadian Internet Policy and Public Interest Clinic.
More and more software is being used in vehicles, and a growing number of digital services are available to owners of cars and trucks, often provided by companies not affiliated with the original equipment manufacturer (OEM) of the vehicle. This trend towards enhanced digitization in the auto sector is not new, and we at McCarthy Tétrault have chronicled it as well, most recently in a comprehensive paper titled “The Networked Automobile and Legal Liability” (for a copy of this paper, please email us at firstname.lastname@example.org).
Both our paper and the Report discuss the use of in-vehicle digital technologies to support telematics, infotainment services, on-board system and engine monitoring, and other features and services that bring owners of vehicles great benefits. However, these digital trends raise issues with respect to data management and consumer privacy. These concerns are highlighted in the Report, which recommends, as does our paper, that organizations active in the auto sector must, as a consequence of these emerging technologies and as a function of good corporate practice, regularly review their privacy policies to ensure they reflect these new technologies and are compliant with Canadian privacy law.
The Report recommends that OEMs and others in the auto industry establish a Privacy Management Program within their respective organizations that addresses privacy compliance in a meaningful and systematic way. This is all good, common sense, and industries throughout the Canadian economy have been doing this since Canada’s federal privacy law (PIPEDA) came into force in 2000. We wholeheartedly agree with this recommendation of the Report, and have been working with industry players for years in helping to craft, implement and periodically review privacy practices and procedures.
However, the Report seriously overreaches when it recommends that the federal government enact data-protection regulations under PIPEDA, aimed specifically at the auto sector. There are many reasons why industry-specific regulation under PIPEDA is a very bad idea.
Before turning to some of those reasons, it should be noted there are serious flaws in the Report that presumably lead it to make this misguided recommendation for industry sector privacy regulation. For example, the Report’s description of Canada’s current privacy laws is not evenhanded and balanced.
As well, and most importantly, in order to make its case in favour of a separate regulatory regime under PIPEDA for the auto sector, the Report analyzes a so-called Automakers Pledge, which is a privacy code established by the US automakers for use in the US. A reader of the Report is led to believe that this Pledge is intended for use in Canada, when it is not.
We are of the view that auto-sector-specific privacy legislation – indeed any sector-specific privacy legislation – is a bad idea, in large part because of the compelling rationale of having a single federal privacy law that is applied uniformly and equally across all provinces and all industries and communities to ensure that everyone is subject to the same rules. This is particularly relevant when considering digital, and especially networked, technologies, because the inexorable trend, and consumer demand, is seamless connectivity across a multitude of services and devices, with the result that we increasingly do not have “sectors” any more in our business landscape or in our personal environments. Put another way, the economy’s sectors and consumer practices now overlap through a broad and constantly evolving range of networked connections and services – attempting to regulate that space on a sector or industry basis with overlapping, potentially conflicting standards would create a web of confusion, unnecessarily frustrate business, and likely all without achieving the desired benefit of greater protection for consumers.
For example, the owner of a vehicle may be using an infotainment system operated by a digital music company; the car’s GPS system is supplied by an electronics company; the owner’s telephone contacts and in-home security system sync to and are accessible through the vehicle; the vehicle’s telematic system is installed on behalf of an insurance company; etc. The overwhelming technology trend is to have convergence of all types of service providers on all digital platforms, whether on your phone, or laptop, or, increasingly, your car.
As a result, industry-specific privacy legislation makes no sense and would simply create an incredibly complex environment with no appreciable benefit.
Rather, the benefit of our current PIPEDA is that (with some exceptions) it applies to everyone and all businesses, regardless of their digital activity. Thus, you get consistency of regulation, and a common, workable privacy law framework for all organizations.
Presumably, if FIPA is successful in convincing the federal government of the merits of auto-sector-specific privacy laws, then other sectors will be next. The Report itself admits that the same digital, network connectivity trends impacting the auto sector are being experienced by the economy generally. If auto-specific rules are enacted, we anticipate a similar process will be proposed for the banks, the telcos, the retailers, etc.
Therefore, not only automakers – but all businesses and other organizations – should be very concerned about how the Report is received in Ottawa and by provincial privacy regulators.