The DPOInsider covers the latest news and developments in data compliance and privacy every Friday. The DPO's favourite weekly read ☕️

Vehicle Manufacturers' Data Collection Raises Privacy Concerns

Motorists are being alerted to the potential privacy risks associated with modern vehicles, as manufacturers are found to be gathering an extensive range of personal data from drivers. This includes, surprisingly, details related to their sexual activities. An investigation into 25 car brands revealed that none passed the consumer privacy evaluations conducted by the Mozilla Foundation, a digital rights non-profit. The study highlighted that a staggering 84% of these car companies either share, review, or even sell the data they obtain from vehicle owners.

The depth of data collection goes beyond what one might expect for vehicle operation or brand-customer relationship purposes. Shockingly, six of the car brands were found to potentially gather highly personal details, such as medical records and genetic data. Common data points like driving speed, destinations, and in-car music preferences were also noted. Specific brands, like Nissan, were identified to gather data on "sexual activity", while Kia's privacy policy mentions the potential collection of details about one's "sex life", along with other personal attributes like political opinions and religious beliefs.

The sources of this data collection are vast, ranging from in-car connected services to third-party platforms like Google Maps or Sirius XM. This data, once collected, can be used to deduce further personal details about the driver, such as their interests, intelligence, and abilities.

While the automotive industry's primary focus has been the transition to electric propulsion, the rise of internet-connected and potentially autonomous vehicles presents a new frontier. This connectivity could lead to a surge in sales of in-car services like music streaming or autonomous driving features. However, the profitability of these services could be significantly enhanced if manufacturers gather more extensive data on their customers.

Despite the extensive data collection, only two brands, Renault and Dacia (both under the same parent company), confirmed that drivers could erase their personal data. This is particularly noteworthy as these companies are based in Europe, where the General Data Protection Regulation (GDPR) offers robust data protection rights to consumers.

TikTok hires Britain's NCC for auditing data security

TikTok's decision to collaborate with Britain's cybersecurity firm, NCC, is a strategic move that showcases the platform's commitment to bolstering its data security measures. This partnership, part of TikTok's "Project Clover", is a proactive response to the growing concerns surrounding the platform's data handling practices, especially in light of its ownership by Chinese company ByteDance.

Several governmental entities have expressed reservations about TikTok, leading to its exclusion from staff phones in certain contexts. The primary apprehension stems from the potential misuse of user data by the Chinese government for strategic purposes. By enlisting NCC for an independent assessment of its data controls, TikTok is signaling its dedication to ensuring robust data privacy and security for its users.

Moreover, TikTok's initiative to set up three data centers in Europe, with two in Ireland and one in Norway, is a commendable step towards data localization. With the Irish data center already in operation and data migration in progress, TikTok is taking tangible steps to ensure that European user data remains within the region. Elaine Fox's assurance of storing personal data of European Economic Area (EEA) and UK users in a secure designated area, even before the completion of all European data centers, further emphasizes TikTok's commitment to data protection.

Engaging with European policymakers in the upcoming months will be a pivotal phase for both TikTok and NCC. This engagement will offer a platform to elucidate the intricacies of their data security framework, fostering an environment of trust and transparency.

In summation, while "Project Clover" was unveiled amidst increasing scrutiny from lawmakers, the measures TikTok is implementing are noteworthy. For those of us in the data privacy realm, it's essential to acknowledge such endeavors by major platforms. It not only sets a benchmark for global companies but also underscores the significance of user trust and the lengths to which companies should go to preserve it.

Other data privacy news

Generative AI: A pragmatic blueprint for data security

The rapid rise of large language models (LLMs) and generative AI has presented new challenges for security teams everywhere. In creating new ways for data to be accessed, gen AI doesn’t fit traditional security paradigms focused on preventing data from going to people who aren’t supposed to have it.

UK Electoral Commission Fails Cybersecurity Test Amid Data Breach

The UK’s Electoral Commission has admitted to failing a crucial cybersecurity test at the same time that hackers breached its systems, compromising the data of 40 million voters.

Freecycle gives users the gift of a security breach notice

Freecycle, the charity aimed at recycling detritus that would otherwise be headed for landfill, has become the latest organization to suffer at the hands of cyber attackers and admit to a breach.