The Energy & Commerce Committee of the U.S. House of Representatives held a hearing on October 21st titled “Examining Ways to Improve Vehicle and Roadway Safety” to consider (among other matters) Vehicle Data Privacy legislation for internet-connected cars.
The proposed legislation includes requirements that auto manufacturers:
- Retain data no longer than is determined necessary for “legitimate business purposes.”
- Implement “reasonable measures” to ensure that the data is protected against theft/unauthorized access or use (hacking).
Manufacturers that fail to comply face a penalty of up to $1 million per manufacturer. The penalty for failure to protect against hacking is up to $100,000 per “unauthorized” access.
Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, of the Federal Trade Commission (FTC), testified that the proposed legislation “could substantially weaken the security and privacy protections that consumers have today.”
Although the FTC applauded the goal of deterring criminal hacking of auto systems, it testified that the legislation, as drafted, may disincentivize manufacturers’ efforts to improve safety and privacy. The testimony echoed that of other industry critics, who believe the definition of “authorized” access is too vague and may keep manufacturers from allowing others to access vehicle data systems, such as for repair or for research on an auto’s critical systems.
Finally, the FTC criticized the provisions creating a council to develop cybersecurity best practices. Since the council could operate by a simple majority, it could act without any government or consumer advocacy input, diluting consumer protections.
The hearing agenda, as well as the text of the draft legislation, is available here.
The FTC’s prepared statement, as well as the text of the testimony, is available here.