An area often overlooked in data protection discussions is the modern automobile. Increasingly connected and data-driven, vehicles collect vast amounts of personal and behavioural data, from location tracking and driving patterns to biometric identifiers and in-car communications.

Usually thought of as private spaces, cars have been transformed by connectivity in such a way that privacy can no longer be reasonably assumed. Actions as simple as connecting a phone may pose significant data protection risks involving consent, data ownership, and data sharing with third parties such as insurers and manufacturers.
While vehicle data may seem impersonal at first, they reveal much about the individuals using the vehicle. Automobiles may collect a variety of data, including location and GPS history, steering and acceleration patterns, infotainment preferences and voice recordings. Such information falls within the definition of personal data and will be regulated by the Digital Personal Data Protection Act, 2023 (DPDPA), once in effect.
The requirements imposed by the DPDPA are built on data protection principles such as lawfulness, purpose limitation, data minimisation, accuracy and data security. Although such obligations are crucial for safeguarding personal data, ensuring compliance for vehicle data is far from easy.

Lawful data collection under the DPDPA is based primarily on consent. However, obtaining valid consent for vehicle data is uniquely challenging. Vehicles often have multiple drivers, and may be leased or resold. This makes it unclear whose consent is required to collect data. Businesses in the automotive sector may struggle to ensure that all users of a vehicle during its life cycle provide consent in a manner that satisfies the stringent requirements of the DPDPA.
The principle of data minimisation under the DPDPA requires that only the data necessary for a specified purpose is collected and processed. However, the complex systems and third-party integrations in connected vehicles often result in excessive data collection. For example, advanced driver assistance systems, such as adaptive cruise control, require data on vehicle speed and movement to function effectively. However, they may also collect and retain full driving histories or in-cabin monitoring data, going beyond what is necessary for immediate safety functioning.
The DPDPA also requires robust data security measures to prevent unauthorised access or data breaches. Failure to secure vehicle data may have serious consequences. If a malicious actor gains access to sensitive vehicle data, such as location history or driving habits, they may be able to track a driver’s routine or manipulate critical vehicle systems such as brakes or acceleration, leading to accidents and fatalities.
The automotive ecosystem involves a range of participants from original equipment manufacturers and dealerships to repair services and digital service providers. Many third-party suppliers offer navigation, infotainment and diagnostics services within a vehicle, creating fragmented responsibilities and complicating compliance.
Despite these challenges, manufacturers and service providers can adopt practical strategies to protect user privacy. Privacy-enhancing technologies should be integrated at the product development stage. Manufacturers can embed consent management systems, enabling drivers to easily provide or withdraw consent for each in-cabin service through intuitive interfaces. Such systems could differentiate between primary and temporary users, helping to maintain compliance for shared or leased vehicles. Data deletion mechanisms, such as factory resets that erase personal data on resale or lease return, will ensure that sensitive information does not carry over between owners.
To reduce the likelihood of identification, techniques such as anonymisation or pseudonymisation can be used, allowing service providers to process data without exposing individual identities. Manufacturers can, for example, design systems to process only the real-time, non-retained data needed for immediate safety, avoiding the unnecessary storage of full driving histories or unrelated behavioural data.
Embedding privacy by design and minimisation principles into vehicle technologies, and adopting a life cycle view of consent and data management, will enable the automobile industry to navigate the complexities of vehicle data and comply with data protection law.
Ada Shahrbanu is a senior associate and Hamsadhwani Alagarsamy is an associate at Spice Route Legal.