Repairer Driven News

Industry insights on long-term software support, PII protection


A recent Ars Technica article on “lifetime” in-vehicle software updates raises another tech concern for repairers and consumers: what happens to the data that’s collected?

Automotive Editor Jonathan Gitlin recently sat down with Dirk Hilgenberg, CEO of Volkswagen Group’s software division, CARIAD, to discuss how long the company will stand behind its use of Google’s Android Automotive software in VW, Porsche, Bugatti, and Lamborghini vehicles. Software support will last for 10 years past end of production (EOP), or for as long as the function is available.

In some cases, there are legally mandatory cybersecurity and safety updates and patches to comply with. Brands will also have the option to extend support longer. Hardware support will continue for 15 years past EOP.

“We have to guarantee updatability on all legal aspects,” Hilgenberg told Gitlin. “So that’s why we are, as you can imagine, very cautious with branches of releases because every branch we need to maintain over this long time.”

However, Sam Abuelsamid, principal research analyst at Guidehouse Insights, told Gitlin he’s skeptical of how OEMs will be able to commit to long-term support of software.

“They are clearly counting on generating a lot of new recurring revenue streams based on selling subscriptions to features or selling new features as OTA [over-the-air] updates, but so far no one has actually proven there is a willingness among consumers to pay for that,” he said. “Tesla gives that stuff to customers for free; with subscription fatigue being a real thing, I’m not sure how many car owners will pay up, especially if there isn’t a corresponding decrease in the upfront price of the car. This is likely to be an even bigger issue in the used car market, which accounts for three to four times the number of annual sales as new cars.”

But software updates for the latest and greatest tech plus cybersecurity patches or updates to protect customers’ private information shouldn’t be the only concern. It’s important to note that all data collected from synched mobile devices or input directly into vehicles’ systems, including infotainment, stay with the vehicle unless cleared by repairers following OEM procedures.

During January’s Collision Industry Conference (CIC) meeting, two attorneys warned that shops can be held liable for dissemination, whether intentional or not, of any customer personally identifiable information (PII) that passes through their hands.

Stamford-based attorney and Silver Golub & Teitell partner Steven Bloch said the chain of custody of PII should be of the utmost importance to shops.

“Understanding the information that you’re sharing with your industry partners and your vendors through your various license agreements and the other transactions that you’re conducting with them first and foremost, of course, is the protection of the customer’s PII and that’s effectively the concern of the shops.

“What are their responsibilities there? What are the rules of the road and how are they conducting their operations with respect to protecting that customer PII? Shops are the entry point for this data and they hold responsibility under the various developing laws and regulations.”

Bloch and Lawrence H. Pockers, a Philadelphia-based attorney with Duane Morris, said shops should put together a list of standard operating procedures and best practices that meet state laws and potential federal legislation for what has to be included in customer disclosures and notifications, guidelines for protecting PII, and getting customer consent.

CIC’s “Golden Rules” for data protection and sharing is also a good list to follow when it comes to PII:

    1. “Only use end-users’ data for the service(s) they intended for it to be used; never collect
      or use their data against them, or for business purposes other than those expressly intended
      and permitted.
    2. “Always provide the end-user clarity, transparency, and continuing education on the data
      you collect, the business purposes for which it is being used.
    3. “Never misappropriate end users’ data, or knowingly allow any third parties to covertly,
      dishonestly or unfairly access or take data generated by the end-user, for their own use.
    4. “Give end-users the choice to determine what data is and isn’t shared, and the opportunity
      to opt-out of data collection outside of the primary intended purpose.
    5. “Provide end-users with a clearly published, straightforward process to inquire about data
      that has been acquired from their business and the immediate chain of custody that data has

As described by the Society of Collision Repair Specialists (SCRS)’ Education Committee in July 2022, repairers can offer data clearing to customers who intend to sell their vehicles or won’t be buying back their totaled vehicles.

Committee member and co-presenter Ron Reichen pointed out that PII is harvested by many vehicles through GPS, OnStar connections, cameras, and infotainment systems. When phones are connected to or synced with vehicles, even more data is collected, including personal contact lists, recent call history, browsing history, credit card information, texts, emails, social media feeds, and more.

When a total loss vehicle leaves a shop, it passes through a lot of hands: transporters, tow yards, auction employees, and others who could have access to the data. After the car is sold, it passes through more hands to be disassembled and recycled, rebuilt, or sold offshore, where the PII could end up in a foreign country.

The committee determined it would be a best practice for shops to get authorization from their customers to reset or clear PII data for total loss (TL) vehicles or vehicles they intend to sell, and to have them sign a release to avoid any liability associated with the procedure. The procedure, according to Data Enhancement Gateway (DEG) Administrator Danny Gredinberg, would be not-included. Doing so wouldn’t erase crash data that could help insurance adjusters, legal teams, or others when it comes to determining fault or facts of a crash.


Featured image credit: M_a_y_a/iStock
