A new report by Privacy International shows how car rental companies and car-share schemes are failing to protect drivers' personal information, such as their location, smart phone contents, and place of residence.

The report is here: https://privacyinternational.org/node/987

Key points

Privacy International (PI) rented a series of internet-connected cars and examined the information which was collected and retained on the rental cars' infotainment system*. Every car PI rented contained readily apparent personal information about past drivers and other passengers, including information such as their past locations, smart phone identifier, and entered locations, including a school.

PI contacted rental companies and car-share schemes in continental Europe, the UK, and the US** to enquire about the companies’ internal policies and procedures as to how they handle driver information that is stored on their cars' infotainment systems.

None of the rental companies and car-share schemes had clear internal policies as to how they handle this personal information. Further, of the rental companies that responded to PI's requests for information, all referred us to terms and conditions which state it is the driver’s responsibility to delete their own data prior to returning the car. While some cars appear to give drivers the ability to ‘factory reset’ their car, this option is difficult to locate, and it remains unclear what information is actually deleted from the car during the reset.

Only one rental company said that they are planning to create an internal policy on deleting driver information, as part of their efforts to comply with forthcoming European data protection rules (General Data Protection Regulation).

Information on cars

Today our environments are connected to the internet. Seamlessly, our phones and other devices sync with our homes, cities, and cars. Our cars stream books, podcasts, and music while we drive. We ask for directions, take phone calls, and answer messages through the interface of our car. That information - our contacts, our frequent or desired location, messages, calls, and more - interact with cars' infotainments systems, to create our connected experience. At present, the largest rental companies and car-share schemes have said they do not have internal polices about how this driver information is secured, stored, shared, or deleted. Privacy International is concerned by this lack of clarity.

What PI is asking for

Car rental companies and car-share schemes should delete driver and passenger information when drivers return cars. They should provide clear and simple instructions to customers about how they can delete their personal data, as well as any passenger’s data. Car rental companies and car-share schemes should minimise their data processing and only process personal data with driver/passenger unambiguous consent, or if strictly necessary for the delivery of the service. Further, they should adopt privacy-by-design, including taking measures to protect personal data from unauthorised access. Car manufactures should also make removal of all personal data clear and simple for drivers and passengers to do, with a data deletion button.

Privacy International, joined by multiple NGOs working on consumer and privacy-rights have today sent letters to the rental companies and car-share schemes mentioned in PI’s report, asking for what is detailed above.***

Millie Graham Wood, Privacy International Solicitor said:

“When we hire a car, the last thing on our mind is the data we are potentially giving away to companies, manufacturers, and the next driver. However, internet-connected cars know our current location, patterns of movement, connect to our smart phones to download our contacts and messages, may collect our browsing habits and know our music taste. The volume of data collected by infotainment systems and telematics units is growing. This report shows how basic information, which could identify who we are and where we go, is currently left open and accessible to everyone, on cars used by popular rental companies. We are calling on rental companies to make it simple and clear for people to delete their personal information when they return a rental car. We encourage individuals who see someone's data on the car to report it to the company."

Video about this project: https://www.youtube.com/watch?v=uemTaOz5juk

*An infotainment system refers to the hardware and software in a car which provides a combination of entertainment, communications, and information content presented to the driver or passengers. Most infotainment systems are now controlled via a touch-sensitive display in the screen of the dashboard. Infotainment and navigation systems can hold a variety of data depending on how sophisticated a vehicle’s internal software and hardware. The most basic models include previous vehicle position; mobile phone data once a phone is Bluetooth paired; navigation history, stored locations, stored ‘Points Of Interest’.

**PI contacted: Alamo, Enterprise Holdings International (EHI) which owns Enterprise, Hertz, National, Sixth, and Thrifty.

*** PI is joined by: ANEC - the European consumer voice in standardisation, Campaign for a Commercial-Free Childhood, Consumer Action, Consumer Federation of America, Consumer Watchdog, EPIC, Hermes Center for Transparency and Digital Human Rights, and the Norwegian Consumer Council.

-END-