Anyone who’s been along to Infosecurity Europe in the past few years will know that there’s a problem with today’s cars.

Many of us can remember the ‘hacking on demand’ demos at Infosec, with a hands-on demonstration of the weaknesses of some vehicles. Modern vehicles are device-centric, packed with AI, sensors, cameras, GPS and in-car software. They deliver unprecedented connectivity.

However, these advances also bring significant security, privacy and regulatory risks that businesses can’t afford to ignore.

Growing Regulatory Scrutiny

Regulators have already intervened in recognition of these risks. In 2022, Volkswagen was fined €1.1m ($1.3m) by a German regulator for failing to properly inform test drivers that in-vehicle cameras were recording them, and for failing to carry out a proper risk assessment.

In 2023, Tesla saw over 100GB of sensitive internal data – including customer and employee information – leaked by insiders. At least one class action has been issued in the US on the back of the breach. These cases highlight the vulnerability of connected vehicle ecosystems and the significant potential for reputational and financial damage when security controls fall short.

These risks are likely to grow. There are 26 million electric vehicles (EVs) already on roads globally, a figure projected to reach 145 million by 2030. Connected vehicles (including EVs) generate vast amounts of data, from driver profiles and telematics to location tracking and nearby pedestrians, which passes through a complex web of manufacturers, insurers, app developers and law enforcement.

This has brought increased scrutiny from regulators. The General Data Protection Regulation (GDPR), the UK Data Protection Act (DPA) 2018, ePrivacy rules, and new frameworks like the EU Data Act and NIS2 are reshaping how automotive businesses collect, use, secure and share personal data. Non-compliance is not just a legal risk – it can mean significant fines and lasting reputational harm.

For those in the connected and autonomous vehicle (CAV) sector, understanding and addressing these data protection risks is essential to staying on the road.

Driving Compliance: The Data Protection Risks of Connected Car Technol - Infosecurity Magazine

Data in the Driving Seat: What Connected Cars Collect

Today’s vehicles come with increasingly sophisticated sensors, AI systems and cameras that continuously gather information. This ranges from driving behavior (speed, braking patterns) to sensitive personal data such as health indicators, weight, biometric details (facial recognition, fingerprint scans) and precise location. This information is routinely collected about drivers, passengers and other road users, and, combined with identifiers such as the registration number and VIN, it is personal data whenever it can be linked to an individual.

The global sharing of this data among various automotive players, such as dealerships, financiers, insurers, app developers, law enforcement and anti-fraud companies, raises complex privacy and security concerns.

Without robust strategies to safeguard personal information and ensure legal compliance, organizations risk falling foul of stringent regulations.

Understanding the Regulatory Landscape

Compliance with data protection law in the automotive space is increasingly complex, requiring companies to navigate multiple and evolving regulations. The GDPR, UK DPA and ePrivacy laws impose strict requirements on how personal data is collected, used and shared.

These obligations apply primarily to organizations – data controllers and processors – rather than to individual drivers using their vehicles for purely domestic purposes.

Following Brexit, EU GDPR has been incorporated into UK law as UK GDPR, maintaining consistent principles. Other significant legal developments are reshaping the landscape. The EU Data Act, in force since January 11, 2024, with most obligations applying from September 12, 2025, grants users greater control over vehicle-generated data.

The US BIS Connected Vehicles Rule, effective March 17, 2025, addresses national security risks from foreign technologies in connected cars. Additionally, the EU AI Act, in force since August 1, 2024, introduces strict requirements for "high-risk" AI systems, including many in CAVs.

The EU’s NIS2 Directive (for road transport) and Cyber Resilience Act are also relevant to any regulatory risk analysis.

Managing Compliance Risks in the Automotive Sector

A key challenge for connected vehicle businesses is managing overlapping, evolving regulations, making it essential that organizations adopt comprehensive data protection measures:

  • Transparency: Companies need to inform drivers and others about data collection, usage and sharing. This should be communicated clearly at key touchpoints (e.g., vehicle purchase, software updates), via contracts, service agreements, on-board computers, or visible stickers and QR codes.
  • Data minimization: Only essential data should be collected, and it should be retained for the shortest necessary period. Continuous video or real-time location tracking should be carefully assessed and avoided where less intrusive data (such as mileage) suffices. Organizations also need to be careful with precise geolocation data, which has already featured in two major AI-related investigations that led to fines from the Italian regulator.
  • Lawful processing: A valid legal basis for processing personal data is essential, whether explicit consent or legitimate interest. A legitimate interests assessment (LIA) ensures balance between organizational goals and individual rights. Consent, if used, must allow individuals to activate data processing settings and easily withdraw.
  • Security: Under GDPR Article 32, organizations must implement appropriate technical and organizational measures to ensure data security. This includes pseudonymization, encryption, maintaining system confidentiality and integrity, and regularly testing the effectiveness of those measures (e.g. penetration testing). Adherence to industry standards from the International Organization for Standardization (ISO) and Society of Automotive Engineers (SAE), such as ISO/SAE 21434 on road-vehicle cybersecurity engineering, is critical.
  • International Data Transfers: Moving personal data across borders adds complexity. The Schrems cases emphasize that data transferred to third countries must receive equivalent GDPR protection. This often requires Transfer Impact Assessments (TIAs) and additional safeguards like Standard Contractual Clauses (SCCs), especially for transfers outside the EU/UK.

The connected car industry brings distinctive data protection hurdles:

  • Consent complexities: Obtaining valid, informed, specific and freely given consent for large amounts of passively gathered driver data is challenging. Consent must also be easy to withdraw – a challenge when obtained at vehicle handover, and more troubling when future drivers or second-hand buyers may not be aware or agree.
  • Cybersecurity threats: As vehicles connect, the risk of malicious actors exploiting vulnerabilities grows. Hackers can gain access to personal data or even control a vehicle remotely via cloud-based platforms. Manufacturers implement bug bounty programs and collaborate with security researchers (e.g. Pwn2Own Automotive) to identify weaknesses.
  • AI and data risks: AI in autonomous vehicles relies on large datasets. The EU AI Act introduces strict requirements for "high-risk" AI systems, including many in connected cars, demanding high standards for transparency, data quality, security and human oversight. AI literacy is mandatory too. Without proper supervision, AI also carries risks of data leakages, unintended discrimination, and highly damaging hallucinations.

Dashcam Footage

Dashcams record footage inside and outside the car. While valuable for accident evidence, dashcams raise significant privacy concerns. In commercial settings, dashcams may inadvertently capture sensitive or identifiable footage of individuals. Facial recognition algorithms further escalate privacy risks when combined with other vehicle data.

The risks are greater still where devices connect automatically to unknown IP addresses overseas, which may also amount to an international data transfer of the kind discussed above.

The Volkswagen fine serves as a timely reminder of legal pitfalls with camera recording. This underscores the importance of clear privacy notices, secure data storage and stringent data retention policies.

The UK Information Commissioner (ICO) and Irish Data Protection Commissioner (DPC) guidance emphasizes a "layered" approach to transparency (e.g., visible stickers with QR codes) and advises against continuous recording, especially with audio, unless strongly justified.

Practical Steps for Automotive Businesses

To mitigate data protection risks, automotive businesses should embed privacy and security into every stage of product development and operations. Practical steps could include:

  • Conduct regular data protection impact assessments (DPIAs): These are often mandatory for novel technologies or large-scale monitoring. DPIAs help identify and address privacy risks early, sometimes alongside AI impact assessments.
  • Apply privacy by design and by default: Design connected car technologies with privacy in mind from the outset. Default settings should always be the most privacy-friendly option.
  • Implement robust security measures: Such as encryption, access controls, regular vulnerability testing and rapid response to data breaches. Protections must also ensure that individual driver data remains secured when vehicles are shared.
  • Maintain clear and transparent communication: Tell individuals about data collection, processing purposes, retention and sharing. Information should be available at key touchpoints (e.g. purchase, journey start).
  • Establish comprehensive data sharing agreements: Work with third parties (other controllers and processors) to define data protection responsibilities, ensuring valid legal bases and prescribed processing terms. Systems must also be able to manage requests from law enforcement.
  • Enforce data minimization and retention policies: Collect only essential data and retain it for the shortest period necessary, generally avoiding real-time location data or continuous video where possible. Consider using anonymized data.
  • Stay vigilant: Continuously monitor regulatory developments and emerging cybersecurity threats (e.g. ransomware targeting EVs), adapting practices accordingly. This includes ensuring data subject rights (access, objection) are met, promptly responding to Subject Access Requests (SARs) – where individuals ask to see a copy of the personal data an organization holds about them – and managing third-party data requests.
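As an added example, and not code from the article or from any manufacturer, the following Python sketch applies three of the measures above to telematics records before they leave a vehicle-data platform: pseudonymization of the VIN with a keyed HMAC (so the small VIN space cannot simply be enumerated against an unkeyed hash), coarsening of GPS coordinates to roughly a 1 km grid, and a retention cut-off. The key, the 30-day retention window, the purpose-based field allowlist and the sample records are all assumptions made for the example.

```python
"""Pseudonymize, minimize and age out connected-vehicle telemetry.

Added illustration for the article's Article 32 / data minimization points;
not the code of any OEM or regulator.  Everything below that looks like a
policy value (key, retention window, field allowlist) is an assumption.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumed: in production this key lives in a KMS/HSM and never in source.
PSEUDONYM_KEY = b"example-key-do-not-use"
# Assumed retention window for raw telematics, in days.
RETENTION_DAYS = 30
# Assumed allowlist: the fields a mileage-based billing purpose needs.
ALLOWED_FIELDS = {"ts", "odometer_km"}
# Fields that must never appear in the minimized output (used by the check).
FORBIDDEN_FIELDS = {"vin", "driver_name", "speed_kmh"}


def pseudonymize_vin(vin: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 of the normalized VIN, truncated to 32 hex chars.

    A keyed MAC rather than a bare hash: VINs are structured and few enough
    that SHA-256(vin) could be reversed by enumeration.  The mapping stays
    consistent per key, so records can still be joined downstream.
    """
    normalized = vin.strip().upper().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def coarsen_location(lat: float, lon: float, decimals: int = 2):
    """Round coordinates; two decimals is roughly a 1 km cell."""
    return round(lat, decimals), round(lon, decimals)


def minimize_record(rec: dict, keep_coarse_location: bool = False) -> dict:
    """Keep only allowlisted fields, replace the VIN with a pseudonym and,
    optionally, a coarse location instead of the precise fix."""
    out = {k: rec[k] for k in ALLOWED_FIELDS if k in rec}
    out["vehicle_pid"] = pseudonymize_vin(rec["vin"])
    if keep_coarse_location and "lat" in rec and "lon" in rec:
        out["lat"], out["lon"] = coarsen_location(rec["lat"], rec["lon"])
    return out


def apply_retention(records: list, now: datetime, days: int = RETENTION_DAYS) -> list:
    """Drop records whose timestamp is older than the retention window."""
    cutoff = now - timedelta(days=days)
    return [r for r in records if datetime.fromisoformat(r["ts"]) >= cutoff]


def leaked_fields(records: list) -> list:
    """Return any forbidden field names that survived minimization."""
    return sorted({k for r in records for k in r if k in FORBIDDEN_FIELDS})


def process(records: list, now: datetime, keep_coarse_location: bool = False) -> list:
    """Retention first (so expired data is never pseudonymized and kept),
    then minimization of what remains."""
    fresh = apply_retention(records, now)
    out = [minimize_record(r, keep_coarse_location) for r in fresh]
    if leaked_fields(out):
        raise ValueError(f"minimization failed: {leaked_fields(out)}")
    return out


# Constructed sample telemetry; not data from any real vehicle.
SAMPLE = [
    {"vin": "WVWZZZ1JZXW000001", "ts": "2025-09-01T08:00:00+00:00",
     "odometer_km": 41230, "speed_kmh": 87,
     "lat": 51.507351, "lon": -0.127758, "driver_name": "A. Example"},
    {"vin": "WVWZZZ1JZXW000001", "ts": "2025-06-01T08:00:00+00:00",
     "odometer_km": 39000, "speed_kmh": 12, "lat": 51.5, "lon": -0.1},
]
NOW = datetime(2025, 9, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(json.dumps(process(SAMPLE, NOW, keep_coarse_location=True), indent=2))
```

Two caveats a practitioner should keep in mind: pseudonymized records are still personal data under GDPR as long as the key (or any other means of re-identification) exists, so the key needs the same access controls as the raw VINs; and coarsening coordinates reduces, but does not remove, the risk that a handful of repeated cells (home, workplace) re-identify a driver, which is why the example defaults to dropping location entirely.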

Conclusion

The rise of connected and autonomous vehicles presents enormous opportunities for the automotive sector – but also significant data protection and security risks. With personal data collected and shared at unprecedented levels, businesses must take proactive steps to protect privacy, comply with evolving regulations and safeguard against reputational damage.

By embedding robust data protection measures, ensuring transparency, and staying ahead of legal changes, automotive businesses can navigate these challenges – and seize the opportunities of a connected future.