Every morning the favorite radio station plays, phone memory is full of contacts and the navigation system knows all the places you usually go: First, the private address.

Modern cars know a lot about drivers and their driving habits, constantly store data and often share it with the manufacturer. For example, in accordance with the General Data Protection Regulation (RGPD) applicable to the European Union, users must accept these terms. However, it is not always clear what data is shared and what happens to it.

Modern cars are constantly storing data and often sharing it with the manufacturer. Photo: Shutterstock

In a car with many different parts, countless data is collected; a vehicle is powered by up to 120 control units. “All providers use microchips for security and comfort functions, among other things, but also for the infotainment system,” says Sven Hansen of the German trade magazine k’t. “While driving, a lot of data accumulates in the control units to which the driver has no access, but which are so specific that conclusions can be drawn about the driver and his behavior at the wheel,” explains the expert.

Much of this data is not kept for long, but rather they are permanently overwritten. In addition, drivers only have access to a small portion of this information, including data from the navigation and entertainment systems. “But even the engine data be able to draw conclusions about a certain behavior at the wheel, such as engine speed or how many times the accelerator pedal has been pressed,” says Hansen.

Who can see this data? According to the GDPR, the manufacturer must explain for what purpose the data is collected in the car and what happens to it. Telematics services or, for example, insurers are the first to be interested in optimizing their products with the help of this information.

Nathalie Teer, Head of Mobility and Logistics at the German IT industry association Bitkom, distinguishes between data that must be collected and data that is used for comfort functions and optionally purchased services. “The amount and the associated data also depend on the vehicle and the brand,” says Teer.

According to Teer, the law specifies many parameters that must be collected for security and testing purposes: “Some data is only received by the manufacturer and is not visible to customers”, he explains, adding that this is, for example, the information read from the control unit during the general inspection.

Instead, Teer continues, optional functions, such as music services, driving settings or navigation, can be easily accessed: “Users must actively accept certain functions and be informed about the location of the data.” The expert adds that it also concerns the data shared with third parties, whether through the dashboards of the vehicle’s infotainment system or connected apps, Drivers are often given notes to issue permits, remove them, or clear data.

Photo: Shutterstock

All vehicle data is relevant for data protection, says Christoph Krauss. “As soon as the data of a vehicle can be linked to the vehicle identification number or license plate, they must be regarded as personal data, because movement profiles can be created with it,” explains the Network professor. Security of the University of Applied Sciences in Darmstadt, Germany. Krauss coordinates the Secure Autonomous Driving area of ​​the Athens research center, dedicated to cybersecurity.

Krauss explains that some data is particularly safety-relevant, such as brake control data. Manipulation of this data can have devastating consequences. Many value-added functions also use personal data. In addition, when the mobile is synchronized with the car, data such as location search, filling levels, locking systems and vehicle diagnostics are transmitted remotely. The car also sends information when using the automatic emergency call system eCall and communication with other road users.

However, a cart does not store all of its data locally; part of them They end up on the manufacturer’s servers or go to third-party providers. Krauss explains that this depends on the make, model and year of the vehicle.

“Motorists can hardly protect themselves against cyber attacks and have to trust that manufacturers have properly secured their vehicles and back-end systems,” says the scientist. “For potential attackers, the manufacturer’s backend, with its large amount of data, is clearly more interesting than a single vehicle, so those connections are most likely to be attacked,” Krauss points out.

There have been repeated attempts to steal or manipulate data records in the past, Krauss continues, which is why modern vehicles have a large number of security measures: systems are divided into domains, so safety-critical systems such as the brake are not easily accessible.”

In July 2022, two regulations of the United Nations Economic Commission for Europe (UNECE) came into force for the new type approvals: R155 (Cybersecurity Management System) and R156 (Software Update and Software Update Management System). The European Union has adhered to this in order to draw up guidelines for this. These regulate, for example, the digital separation of owner and vehicle. In addition, they also contain specifications related to the cybersecurity of vehicle concepts or mechanisms for secure software updates.

Vehicle manufacturers must also demonstrate that they have a Cybersecurity Management System (CSMS) with appropriate processes and measures in place to prevent or promptly remediate breaches. computer security attacks throughout the life of the vehicle. Measures taken by manufacturers to implement UN/ECE Regulation R155 protect vehicles against unauthorized access. From July 2024, the regulations will apply to all new production vehicles. Suppliers must also comply with the new rules.

And what happens to the data when the car is sold? Sven Hansen recommends resetting all systems. In addition to the entertainment system with navigation and address book, favorite radio settings and any comfort settings will also have to be reset. “Owners often forget to clear apps or cloud links to the car, which would allow them to continue accessing the vehicle,” Hansen notes, advisingly, “But electronic traces should be completely removed,” he points out.

The German automobile club ADAC recommends using pre-installed apps on the infotainment system, such as those for stream of music, are written out separately before the vehicle is sold. It is also important to remove links to remote applications that can be used to remotely control the vehicle or its functions via mobile phone. Complete deletion of personal data in the infotainment system is only possible with the “Factory Reset” function.

“Legally, drivers have the option to check and delete their data,” explains ADAC technical chairman Karsten Schulze. “In practice, however, this is not possible, as it is not clear what data is collected for whom and for what,” says the expert, adding that consumers are overwhelmed by so much data flow and that there is a need for more transparency.

Ideally, you would have a list of all the data collected for each car model, says Schulze. “Drivers can then decide for themselves which data they want to erase,” says the expert, adding that it would also be practical to have an interface on board the car that allows access to the data and can be used to available to others, third-party providers, if desired. In this way, he adds, independent workshops can also work better and more easily on the cars of the future.

Sven Hansen advises anyone selling a car to inform the manufacturer’s data protection officer that there has been a transfer of ownership and ask him to delete all data: “Every customer has the right to do this and is safe from misuse of data “.

Hansen warns against this it is not yet possible to completely reset a vehicleand that data from the previous owner always remains in the vehicle, even if it is only the automatic transmission’s memory function for shift times.