It is certain that our cell phones and electronic devices collect a wide variety of data about us. On top of the new technologies to which we expose our home life (like Alexa or Google Home), our cars can be thought of as smartphones with wheels.

Cars are being provided with more software than ever and with built-in navigation systems that memorize where we go (e.g. office, home or favourite café), the frequency with which we go there, how long we stay, and so on. Even car-sharing services have a built-in box that collects data about our driving styles.

Granted that gathering information can improve driving performance and safety, the collection of other kinds of information could result in an invasion of privacy. As everybody knows, entertainment services constantly collect personal information, like what kind of music we usually listen to, how many times we listen to a song, and might even be able to combine these data with other information inferring our mood when we listen that type of music. When looking at cars, sensors can collect data about our driving habits (how fast we drive, how hard we brake, whether we always use seatbelt or not), which could be valuable to insurance companies for many reasons (and some might not be in favour of drivers).

More than likely, these kinds of data end up in the hands of manufacturers and app owners, along with a report about our personalities, an indirect marketing research about consumers that is always available and updated.  Our personal data drive companies to send us tailor-made advertisements on our habits and tastes, where we live, where we work and where we travel more frequently to.

What about drivers’ privacy then? When it comes to the debate on privacy issues, experts and non-experts usually focus on companies like Facebook, but today’s connected cars (and tomorrow’s autonomous vehicles) show the unlimited commercial opportunities that come from collecting users’ personal data.

This data flow can be very useful when we want to share data with some specific company (or person). But what happens when we do not want to share data with the ones that are receiving them?

This is the problem we are facing nowadays. Data oversharing is the transmission of data to companies we do not want to communicate with. Very often, we are not even aware that the sharing of data is taking place and which data we are being transmitted.

Considering all the data that cars are and will be able transmit, they are going to have a prominent position in this respect. Let’s just think that this year, a single car could produce as much as 30 terabytes of information per day. Only a small subset of it is useful for safety. Likely, we would not be pleased to see that all the information collected are transmitted to third parties.

If concerns about privacy issues are shared among countries and institutions worldwide, the possible general answers and legislative practices can often be substantially different. For instance, North America and Europe seem to adopt, at least for now, two different models.

Focusing on Europe, where does the General Data Protection Regulation (GDPR) stand in all this? Well, in very general terms, the GDPR is about data protection.  Under this regulatory framework, sensitive personal data (the ones that our futuristic car will collect about us) will require users’ express consent in order to be collected.  It is still a matter of debate whether the present rules are enough to impose an alert that data is being transmitted to third parties or whether it will be necessary to have a specific GDPR for cars.

The European Commission, in the report “Access to In-vehicle Data and Resources” (2017), reflected on this issue and concluded that, also according to Articles 6 and 9 GDPR, consent to the processing of data inside the vehicle may not be necessary in a number of situations, the most common of which would be: (i) processing needed to perform a contract; (ii) processing needed to protect the vital interests of the data subject. In general, however, consent should always be considered necessary if personal data are used for commercial purposes. For example, if a system was to collect vehicle data relating to the driver in order to offer commercial information services to the data subject, the data subject’s consent is likely to be required. Similarly, if a Data Controller wishes to disclose the data of a third-party vehicle, provision should be made for the collection of consent. The question of “how” the consent could be given by all persons on board remains valid and unsolved. The best hypothesis could be to consider the consent implicit in the fact of having remained in the car and of having used the on-board systems. However, this possibility should also be discussed in-depth as it might not solve the entire range of issues that are implied in personal data collection and sharing.