Data PrivacySafeguarding Privacy in Autonomous Systems and Connected Vehicles: Is Your Data Taking a Backseat?

Introduction

 Autonomous Vehicles (“AVs”) are rapidly transforming transportation with promises of higher convenience, effectiveness, safety and connected systems. The major concern arising from this technological shift is data privacy. However, for these systems to work effectively, they collect enormous amounts of data gathered from a number of sensors, Global Positioning System (“GPS”), cameras, and AI algorithms. These cars may use the information to make decisions in real-time while creating a better user experience but all this does is collect personal information such as location information, driving patterns, and in some cases even biometric information, all of which present serious privacy hazards.

It is very challenging to keep the security of this broad data ecosystem in a space where AVs and related systems must deliver the expected benefits. That is because vehicles are connecting to third-party services, cloud computing platforms, and to external infrastructures in addition to one another as it gets more networked. These areas proliferate many vulnerabilities for malicious use, illegal spying, and data breaches. This balance between innovation, strict privacy laws, and the application of advanced Privacy Enhancing Technologies (“PETs”) will protect users in a more interrelated world and face such threats better.

The Type of Data collected by Autonomous Systems and Connected Vehicles

AVs collect significant amounts of data for various purposes. The type of personal information that is collected and the individuals or entities with whom such information is shared will depend upon the goals and objectives of the AV. Privately owned cars can collect data from a connected smart device, including behavioural data and geolocation data.

Future AV fleets probably will operate in a manner that goes exactly like current ridesharing services such as Uber and Lyft. The user’s pick-up and drop-off locations, as well as the specific route taken to get there, will be gathered by the ridesharing service. A user’s contact list, favourite music, and information from other applications may be gathered if they connect their smartphone with the vehicle.

After 1996, the manufacturers of all automobiles had to fit an On-Board Diagnostic port (“OBD-II”) in order to collect the data that assisted in safety diagnostics. For instance, ports could keep track of if the user drives in an area where driving is not permitted, jolts break or crosses a speed limit. Users’ contact list, music preferences, and more may be compiled if they associate a smart device with the entertainment system. Specific geolocation data will also be collected in case a user makes an AV rental that involves pickup. Self-driving rental cars may require biometric information, such as fingerprint or retinal scan, to verify the user before they could unlock and get into the car.

Crucial Privacy Concerns in Gathering Information

The secondary use of Personally Identifiable Information (“PII”) is a major concern in the AV arena. Information shared by rental and ridesharing services may be used by third parties to target users with their products using passengers’ PII. For instance, suppose a user rents an AV for the purpose of taking them to the airport once a month. Such information, when compromised to external parties or cyber-thieves, exposes users to identity theft.

Autonomous cars requires Vehicle-to-Everything (“V2X”) communication technologies for exchanging information with other cars, cloud-based services, and neighbouring infrastructure. In this case, the entry points are multiplied. An insecure V2X system may intercept sensitive data or even hijack the control systems of the vehicle.

When the user re-enters the AV the next time, they are likely to find that the rental service has provided some of that user’s data to a third-party advertiser for hotels, airlines, or other travel-related services. Pop-ups and forced radio advertisements will appear to them on the dashboard or rental application by third parties.

For instance, entertainment producers may sell or float passenger data to third parties who later sell that data to advertisers to sell those goods to their customers based on what those customers like or prefer. Apart from this, rental companies may permit third parties to make available to them behaviour data. As reported by US’s Federal Trade Commission (“FTC”) and NHTSA Joint Workshop- Car rental may provide safety data, information about speeding over a limit, and other similar data to the motor insurance companies that may decide consumer prices.

A connected car and self-driving system are fitted with many sensors of cameras, GPS, Light Detection and Ranging (“LiDAR”), and radar. These devices continuously collect, in real time, information about the surroundings, traffic conditions, weather, and what is even taking place within a car, for instance, in the optimization of vehicle performance.

Apart from the provision of infotainment, navigation, and management of vehicles, cars also connect to other networks outside. Other kinds of personal information, compiled by this layer of data collection, include user preferences, driving habits, and location monitoring. The more likely chance that such data will be misused and used to expose people to such things as data breaches, profiling, surveillance, etc., is when the same data is not protected properly or shared without the user’s agreement.

Privacy Enhancing Technologies and Cybersecurity for Autonomous Systems

To reduce the risks to privacy, numerous PETs may be adopted in the autonomous system and connected vehicles, including Data Minimization and Anonymization (“DMA”). These approaches ensure that personal information collected is minimized and identifying data anonymized before storage and sharing will reduce the impact of breaches. End-to-End Encryption (“EEE”) communications between vehicles, cloud servers and other network entities ensure that unauthorized parties cannot intercept sensitive data during its transmission.

Another method known as Secure Multi-Party Computation (“SMPC”), allows for the sharing and processing of data between multiple parties without revealing any individual’s private information, making it especially useful for data aggregation in large-scale smart city projects.

Without strong cybersecurity safeguards, linked cars and autonomous technologies cannot guarantee privacy. The likelihood of hacking rises as cars depend more on software and connection.

Automakers are incorporating multi-layered security frameworks to guard against cyberattacks on car systems in order to address these issues. Among these are Secure Boot Mechanisms (“SBM”), which guarantee that only reliable software can run on a car’s computer. Manufacturers can fix security flaws without physically accessing the car by using Over-the-Air (“OTA”) Updates. On the other hand, Intrusion Detection Systems (“IDS”) keep an eye on car networks in order to identify and stop illegal activity.

The Future of Privacy in Autonomous Vehicles and Connected Devices

The core of the future of privacy in self-driving cars will be the development of more stringent privacy-by-design frameworks and the producing of PETs. All stages- development through deployment-will need to incorporate privacy as AVs will consume unwavering volumes of data from both internal and external sources. This will include the use of advanced EEE, DMA technologies, etc. to ensure that confidential information stays safe even where autos interface with cloud platforms, other external systems, and each other.

Regulatory adaptations, together with technology innovations, will drastically define the privacy context in which autonomous autos operate. Governments will need to revise and enforce privacy laws regarding these complex systems of data sharing on which AVs depend as the technology becomes central to people’s lives. There needs to be a cooperation at the regulatory as well as the tech firm and automaker levels while developing international standards of privacy also. Business will be required to make rules stronger and more transparent for data control and transparency in which consumers will want.

AMLEGALS Remarks

As autonomous systems and connected vehicles increasingly shape modern mobility, the need for robust privacy protections is more critical than ever. These technologies handle vast quantities of personal information—from real-time location data to sensitive biometric details—that demand careful and responsible handling. Safeguarding data within this space extends beyond regulatory compliance; it is essential to building consumer trust and fostering privacy-conscious innovation. The path forward for the connected vehicle industry will require close collaboration between manufacturers, regulators, and technology developers to establish enforceable privacy standards. By proactively addressing privacy concerns, the industry can ensure that users benefit from the latest advancements while maintaining control over their personal data.

Businesses should refer to the respective country’s regulations; update privacy notifications; review transfers of data; and apply user data rights. In order to not to suffer from data breaches or cyberattacks, antivirus makers have to respect Privacy by Design, integrating privacy considerations during development and appropriate opt-out procedures on sales or shares of data as required by the DPDP Act in India. Through Automotive Information Sharing and Analysis Center  and International Organization for Standardization , the AV industry also gets common intelligence on cybersecurity risks. Cooperation with stakeholders helps to solve the specific industry-wide problems of cybersecurity and privacy. Major players of the industry have already heavily invested in cybersecurity to minimize threats. Proactive participation in this manner is important in the prevention of legal and safety fallout from lack of adequate data protection safeguards and retention of trust with customers.

Team AMLEGALS assisted by Mr. Poorvag Desai (Intern)

For any queries or feedback, feel free to connect to mridusha.guha@amlegals.com or liza.vanjani@amlegals.com