Ajax Privacy and Cybersecurity Lawyer, Rajen Akalu, of Akalu Law P.C., provides his thoughts on privacy and connected and automated vehicles.
I’ve been involved in privacy law since the enactment of the Personal Information Protection and Electronic Documents Act (PIPEDA) 2004 and I previously worked at the Information Privacy Commission (Ontario). As I have experienced privacy problems from the perspective of regulation, academia and private practice, I have a keen sense of the legal and policy issues as they relate to business and technology, my primary area of focus.
Some years ago I did some research funded by the Office of the Privacy Commissioner of Canada. The project was to develop a privacy code of practice for connected and automated vehicles (CAVs). I completed the project, wrote an article for the Canadian Journal of Law and Technology, created a website and was interviewed by the CBC. It didn’t go much beyond that, although I do get the occasional interview request. Of course, with the current trade war with the US and tariffs on vehicles and aluminum, privacy in the auto industry is the last thing on anyone’s mind.
The public’s interest in privacy waxes and wanes as our expectation of what constitutes a reasonable expectation of it steadily erodes. Though it is unfortunate to lose such an important constitutional and democratic value, the current ennui with privacy with respect to cars is understandable. Autoworkers are fighting for their jobs so privacy is very much a secondary issue to them.
Attempting to develop a code of practice for CAVs taught me a lot about the practical and political aspects of privacy law.
The research examined the development of a privacy code of practice specifically for CAVs. Vehicles collect vast amounts of data and Canadian law lacks specific rules for data protection in connected vehicles, which are now highly networked to the telecommunications and transport infrastructure. While there have been calls for sector-specific legislation, the key stakeholders, namely the original equipment manufacturers (OEMs), argued at the time that since cars are manufactured for a North American market, any privacy regulation specific to Canada would be passed on as costs to consumers. Perhaps that should be reconsidered in light of the current trade dispute, but let me stop dreaming and get back to my main point.
The value of car data
Car data is valuable: your car model, driving habits, routes, locations visited, etc. provide a detailed digital portrait of your life. This makes it a very lucrative commodity when sold in aggregate to companies that want to sell to you. It can also be used by threat actors, such as criminals or estranged partners.
To get you to sign up, or rather sign away your privacy rights, the sales team at your car dealership will present a false dichotomy of privacy vs. safety: “If you want roadside assistance at 2 am when you’re in an accident, heaven forbid, we’ll need your location data.” Opting out is usually not a realistic option.
My project idea was to create a code of practice for connected vehicles. This would increase transparency and balance consumer privacy with industry needs; there are socially beneficial uses of personal data, after all. It should be noted that PIPEDA codified the Canada Standards Association (CSA) model code, which is why the ten fair information principles are a schedule to the Act. I wanted to move beyond the generic privacy principles and explore the substantive merits of collection, use and disclosure of personal information in this important industry sector. Developing a code requires a determination of its scope and application. It forces prioritization of data in terms of sensitivity and this in turn could direct the focus of regulatory emphasis in the sector.
Accepted by academia, rejected by industry
Unfortunately, my project was met with derision by many in the automotive industry. I was invited to a meeting with automotive executives to discuss the research and told that my “project was a solution to a problem that did not exist.” I would not know what happens in the real world because I’m in an academic ivory tower removed from commercial realities.
Ouch! After that meeting I decided to qualify to practice law in Ontario and start my own law practice. As a foreign-trained lawyer this process requires serious commitment – a story for another day.
Though I was smarting at the overt disrespect displayed by the executive, I came to realize that he did have a point. My regulatory and academic experience taught me to view privacy as an objective. If privacy was embedded in the design of new technologies from the start, companies would win the trust of consumers, or so the argument goes. However, there is no engineering consensus on the method to systematically design privacy, a concept that lawyers find difficult to define and therefore protect. From a business perspective, privacy is a variable, one of many variables that must be factored in when making an organizational decision. Under these conditions, privacy law tends to yield to the prerogatives of management. Its implementation becomes a matter of compliance and ostensible accountability. While the project wasn’t the groundbreaking research I hoped for, the insights I gained about privacy, law, business and technology were still very valuable and have helped me bridge the gap between theory and practice in this area.
Rajen Akalu
647 299 5079
rajen@akalulaw.com