October 14, 2015 — The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade met to discuss proposals to improve motor vehicle safety. Much of the hearing focused on a recent proposal by committee staff to incentivize the adoption of new technologies to improve vehicle safety, which raises several privacy issues. Specifically, privacy and cybersecurity protections were highlighted, as well as the roles of the National Highway Traffic Safety Administration (“NHTSA”) and the Federal Trade Commission (“FTC”). Chairman Fred Upton (R-MI) set the tone for this conversation with his opening statements, stating that “what was once science fiction, is today a reality.” Representative Marsha Blackburn (R-TN) emphasized that there will be a quarter billion connected cars by 2020.
The first panel consisted of testimony by representatives of NHTSA and the FTC. Both representatives were critical of certain aspects of the draft.
Dr. Mark R. Rosekind, Administrator of NHTSA, raised several concerns regarding the draft proposal during his testimony. First, he argued the proposal gives car manufacturers the power to create best practices that may undermine NHTSA’s mission. Though the draft requires automakers to submit these best practices to NHTSA, it does not give NHTSA the authority to accept or propose changes. Additionally, the draft does not provide NHTSA enforcement authority. Instead, the draft allows for fines of up to $1 million for violations of privacy policies. Rosekind argued, however, that these fines do not present sufficient deterrent effect. Second, Rosekind suggested that best practices should be developed in conjunction with NHTSA, not by an industry majority. The proposal establishes a council for the development of best practices that would be comprised of at least 50 percent of car manufacturer representatives.
Finally, he argued that NHTSA is better positioned to address vehicle technology concerns because of its experience in this area. NHTSA has a council for vehicle electronics, which has been looking at these issues since 2012. Moreover, NHTSA and FTC have met, as recently as last year, to discuss Vehicle-to-Vehicle (“V2V”) technology, and to coordinate their efforts. He supported a collaborative approach with industry on vehicle technologies, pointing to the Automatic Emergency Braking Systems (“AEB”) model as one technology where industry successfully cooperated with NHTSA to successfully create and institute industry best practices.
Maneesha Mithal from the Division of Privacy and Identity Protection at the FTC’s Bureau of Consumer Protection identified three problems with the draft proposal. First, there is no FTC enforcement authority for manufacturers who do not follow adopted best practices or engage in deceptive practices. The draft provides manufacturers with a safe harbor, placing manufacturers outside of the FTC’s authority once they have adopted best practices. Ms. Mithal believes this safe harbor is too broad and provided an example. Because the privacy requirements of the draft only apply to vehicle data collected from owners, renters or lessees, a manufacturer could misrepresent how they are collecting consumer data on their website and the FTC could not bring action. Second, the draft contains a provision denying researchers the ability to identify vulnerabilities in vehicle systems, i.e., the draft de-incentivizes research and other positive uses of data, imposing penalties of up to $100,000 for hacking. Third, she suggested that allowing car manufacturers to independently develop best practices might guarantee weaker regulations.
Elaborating on the third point, Ms. Mithal stated that though the draft identifies eight areas to be considered in the development of best practices, these are optional. Further, there is no requirement to update best practices as new technologies enter the market and NHTSA is given too little discretion. In her concluding remarks, Ms. Mithal stated the staff draft provides substantial liability protection to car manufacturers in an exchange for weak practices developed by an industry majority.
After the panel of regulators, representatives from the two major automotive trade associations provided testimony. Several key points were made on the subject of privacy and cybersecurity.
Mitch Bainwol, President and CEO of the Alliance of Automobile Manufacturers, emphasized the great investments being made by manufacturers in the development and adoption of safety measures. Mr. Bainwol cited a statistic estimating smart vehicle investments by manufacturers of new vehicles at $175 million per year. Additionally, Mr. Bainwol pointed to a claim by NHTSA that developments in technologies that reduce driver error could prevent up to 80% of driver error related accidents.
John Bozzella, President and CEO of Global Automakers, began his testimony by listing the issues that presently command his attention, the adoption of connected cars in particular. He emphasized that (i) the benefits of connected car technologies significantly outweigh the challenges; (ii) automakers regularly engage with privacy advocates; and (iii) there is a conscious effort in the industry to stay ahead of privacy and cybersecurity concerns. Speaking to the last point, he spoke of the auto industry’s Intelligence Sharing and Analysis Center (“ISAC”) and the positive effect it will have on many of these concerns.
The Future of Privacy Forum continues to monitor legislative efforts for privacy in connected cars and related technologies. We look forward to working with automakers on how to protect privacy and ensure the adoption of safe and innovative vehicles technologies.
Hector DeJesus, Legal Extern, Future of Privacy Forum