Connected cars and vehicles overall are among the main Internet of Things use cases. The automotive industry invests in car data while the insurance industry, which is among the fastest growing industries from an IoT spending perspective, is equally interested in access to vehicle and driving-related data.
However, there are concerns and debates over the ownership of vehicle data and the rights of the consumer or driver who should, according to many, be the sole owner of this data and have the right to say who can access it, for which purposes.
Although this article is mainly related with data ownership, privacy and personal data protection in the scope of the EU GDPR, the ePrivacy Regulation and the European context, it is really for everyone involved with IoT and certainly with the usage of vehicle data, regardless of country because 1) it shows the attitudes in the EU with regards to privacy and personal data, 2) the GDPR and ePrivacy regulation concern everyone (so, also non-EU insurers and car manufacturers selling to EU consumers) and 3) it shows the possibilities and value of IoT data, as well as the regulatory and data ownership concerns in the rapidly growing usage of IoT in insurance, connected vehicles and beyond.
IoT, car-generated data and consumer rights
IoT is playing an increasing role in the automotive industry and in the insurance industry. And both meet each other in areas such as connected vehicles and the data-driven business models behind it.
Illustrating the sheer value of IoT data and related data for several industries and the ‘fight’ over access to, in this case, vehicle-generated and in-vehicle data which offer innovation opportunities, EU insurers want EU rules that give car drivers and not car manufacturers the control over who can access their car data and why.
Aren’t personal data protection and the rules regarding data that can be traced back to individuals, making the personal data and the data subject identifiable through, among others in-vehicle data as identifiers, tackled in the GDPR (General Data Protection Regulation) and isn’t IoT – as a means – tackled in both the GDPR and in its ‘lex specialis’, the ePrivacy Regulation (which is, we need to keep reminding it, not the same as the GDPR and which many people still seem to discover)? Double yes.
We wrote before about IoT and regulation in the context of both GDPR and the ePrivacy regulation, where we also mentioned topics such as telematics (hot in car insurance indeed) and connected vehicles, specifically from the ability to trace back data to an individual or data subject. The GDPR introduces ample new online identifiers and data from RFID tags and far more belong to that category.
The discussion over the usage of vehicle data isn’t new either and both European car manufacturing companies, represented by the ACEA (European Automobile Manufacturers Association), one of the many industrial bodies asking for a more ambitious EU industrial strategy, and Insurance Europe, the European (re)insurance federation, have published position papers, explainers, you name it.
Insurance and telematics in the evolution of smarter, connected vehicles and the role of the automotive industry
As, among others explained in an article on digital transformation in the insurance industry, insurers increasingly leverage IoT in a scope of new pricing models and new services in function of data regarding the policyholder’s behavior and more.
This kind of approach happens in healthcare whereby 20 percent of healthcare payers are expected to have special programs in place for people who are willing to share personal health data by 2020 as explained in our article on digital transformation in healthcare.
And it happens in car insurance. In fact, in the insurance industry, telematics (although far from new) will remain the main IoT use case in the next few years as mentioned in our article on IoT spending 2020. And it’s not just about premiums and personalized insurance using those famous telematics boxes, a.k.a. black boxes. It’s also in claims, cost calculation (e.g. renewals), potential bonuses, tracking the car in case of theft and alerts on incidents, enabling insurers to focus on the policy holder’s ‘experience’, and far more (you can imagine collaborations between healthcare, insurance companies and so on as a claims process involves many stakeholders).
At the same time we have the famous connected vehicle, poised to be one of the main cross-industry IoT use cases, which in turn are poised to be among the fastest growing IoT use cases overall.
Moreover, the connected vehicle also should be seen in a broader ecosystem perspective, just as is the case with insurance claims, in this case the perspective of ‘smart transportation’ overall.
In the insurance industry, telematics will be the leading IoT use case, cross-Industry IoT investments such as connected vehicles and smart buildings, will rank among the top segments (IDC, forecast 2020).
And of course all this data has value. Whether it concerns location, driving behavior and loads of in-vehicle or vehicle-generated data there is always a context in which it can be leveraged, aggregated and analyzed. This can range from earlier mentioned models, to the interaction between cars and with a connected environment for smart transportation, policy-making purposes, optimization of vehicles, the production of new cars (also think digital twins) or even (anonymous) data monetization for new services or analytics which can serve numerous purposes.
Close to every company and industry becomes one of digital services , software, data (IoT and others) and analytics, certainly also automotive and insurance. Personalization, experiences, actionable data, services and platforms are the name of the game and the sources of revenues (and innovation). However, with data and revenues come questions and debates, especially about the ownership of the data.
The driver in the vehicle data driving seat – consent, access and purpose of car data
In telematics and insurance you typically have a consent model whereby the potential sharing of data is regulated as is the scope in which the data are used.
The boxes normally have at least some sensors (e.g. motion sensors and accelerometers), actuators and transducers, a GPS system, a cellular system and the needed software that aggregates, analyses and can offer loads of insights regarding the driver’s behavior and, if combined with other in-vehicle data acquisition systems as they increasingly pop up in ‘the connected car’ could lead to even more insights. In telematics the data is owned by the driver, or at least should be. And all is part of a contract.
Now what is the issue with car manufacturers then, according to insurers? On November 29, 2017, Insurance Europe, the association of European insurers, urged EU policymakers to make sure that drivers, and not vehicle manufacturers, control the access to their vehicle data and the purpose(s) for which the data gets accessed.
The organization emphasizes that vehicle data which can be traced back to whomever owns or drives the car fall are to be treated as personal data in the scope of the GDPR.
However, Insurance Europe states, car manufacturers develop systems which give them access to in-vehicle data whereby they control the data flows. And this, the association says, doesn’t put all the stakeholders, including of course the insurance industry, on the same footing. And thus, the mentioned in-vehicle data access systems from vehicle manufacturers, the reasoning goes, should also enable drivers to be in the data access, consent and purpose driving seat.
With the rationale that the manufacturing of a vehicle and the responsibility over the safe functioning of it does not mean that “vehicle manufacturers have the right to bypass drivers and become in-vehicle data gateways” the association has launched a petition for drivers to remain in the driving seat when it boils down to in-vehicle data with regards to what car manufacturers do as well, under the name #Data4Drivers.
The purpose: getting EU policymakers to take legislative action. And of course the business. When the driver owns all the data, those who are closest to the driver and need consent can go for the money and the services on an equal level and within an ecosystem. So, to be continued….
Next in regulations and compliance: EU DORA Digital Operational Resilience Act