About the authors: Intisar Aslam and Zainab ul Kubra are students at the National University of Study and Research in Law, Ranchi.

The self-driven cars of the contemporary day have fascinated the techno-driven world. Oblivious to the underlying truth, car purchasers have been a part of an exchange that, apparently, was a transaction of sale until now. A report from the Mozilla Foundation has revealed that more than 76% of the researched brands sold the personal data of car buyers to data broker businesses. This personal data, inter alia, spans classified information, genetic data, sexual life data, etc. While the world was embroiled in the worries of regulating artificial intelligence, the car brands turned their steering towards their customers’ personal lives. 

A 2016 research by McKinsey & Company estimated that the overall revenue from car data monetization might add up to USD 450-750 billion by 2030. This huge turnover underscores just how critical the automotive data is projected to become, thereby justifying the shift in focus of the automobile manufacturers to transform themselves into data-selling entities. However, concerns emerge when data selling becomes so pervasive that there seems no end to this ‘shadow’ business of monetizing personal data by car makers.

The central argument of the authors is that selling car data is unlawful under global privacy laws and there is a lack of any available remedy to the data principals. The first part of the article assesses the lawfulness of selling car data and highlights possible escape provisions by car companies. The second part suggests an interim remedy to data principals until robust provisions are adopted by global jurisdictions.

  1. Global Privacy Laws: A Regulator or An Enabler?

The monetization of personal data by car companies through sales to unknown data brokers is expanding. At the same time, the legal framework regulating the same varies sharply across different jurisdictions. While the California Consumer Privacy Act [“CCPA”] explicitly addresses selling, the privacy regulations of the EU and India lack such express provisions.

Though this creates room for these companies to escape legal obligations, the language of these regulations indicates that the drafters intended to include it. Both the General Data Protection Regulation [“GDPR”] and the Digital Personal Data Protection Act [“DPDP”] include dissemination as a method of processing, which is similar to selling barring its element of valuable consideration. Given that (i) these regulations are privacy-centric, (ii) there is no contrary language, and (iii) liberal rules of interpretation apply, selling can be included within the laws of these jurisdictions.

The General Data Protection Regulation of the European Union

With regard to the GDPR, Article 6(1) outlines the bases for lawful processing, which include specific consent, contractual performance, legal obligation, and protection of interests (vital, public, and legitimate). The car companies fail to meet any such basis. Firstly, the consent is used for an unauthorized economic purpose, a purpose other than that for which the data was collected. Secondly, the collection of personal data is not necessary to ensure vital, public, or legitimate interests or to fulfil any legal obligation, but rather serves the purpose of undue profit-making. Articles 18(1)(b) and 28(3)(b) bring selling under their ambit incidentally. The former provides the data subject a right to restrict the processing, while the latter obligates the processor to ensure the confidentiality of personal data. However, these provisions, yet again, fail to offer any remedy where they are breached through data selling. Lastly, Article 34 mandates the data processors to communicate the ‘breach’ of personal data to the data subject. However, this provision has blurred the difference between a data breach, which is beyond the data controller’s control, and ‘voluntary’ disclosure. Therefore, the car companies can put themselves outside the umbrella of this provision and continue to cash in on personal data under the garb of selling, i.e., voluntary disclosure, even without notifying the data subject.

The California Consumer Privacy Act of the United States

With regard to the USA, the CCPA provides the data owners with the right to opt out of selling. Moreover, it allows data owners to submit a request for deletion of data. However, the issue arises when data controllers are mandated to enter into an agreement with the third party to whom they sell the data. This agreement sets limits on the usage of data. Thus, in case of usage of data beyond the permitted contours, applying privity, the data owner would not possess the right to sue and would remain subject to the data controller. The absence of any time limit within which the controller is bound to respond to requests exacerbates the situation. Lastly, in possible cases of collusion of businesses, the data owner is left remediless without even getting to know who is processing their data.

The Digital Personal Data Protection Act of India

As discussed earlier, the stance of India’s DPDP is akin to the EU’s GDPR with regard to selling data. But, for the purposes of this article, it is noteworthy to mention Section 11(1)(b) of the Act which gives the data principal the right to know the identities of all the fiduciaries and processors with whom the data is shared. However, this provision raises a two-fold concern: (i) the mere existence of a right does not guarantee the grant of a remedy; and (ii) the manner of enforcing this right is not “prescribed” and has been left to be decided by a delegated authority.

  2. John Doe Airbags: Can Injury to Car Owners be Warded Off?

As per the Mozilla report, there is little to no information on how the data is obtained, processed, or even sold. The only fact that remains in light is that some data broker businesses are involved in selling car data. This lack of knowledge of the operation of these businesses can be remedied through their identification. However, since the identity also remains anonymous, a John Doe order remains a good option. John Doe orders are a common feature in common law courts of the UK [post-Brexit and pre-Brexit], the USA, and India. As for the EU, a mixed legal system is followed. Given the foregoing and in the absence of any available remedy, John Doe orders can be issued by the EU courts in the interest of equity, justice, and good conscience. This doctrine has its genesis in Romano-Canonical learnings common to the European continent.

Along the lines of Thomas Fuller, “Be you ever so high, the law is above you”, John Doe orders arise out of quia timet actions against unknown persons. They are based on the principle that “if a litigating finger is directed at unknown defendants, the inability to identify him by name is a mere misnomer.” In the present scenario, the immediate aim is to prevent the unauthorized selling of car data to unknown data broker entities while the modus operandi of these entities can be discovered with time.

Against this backdrop, a John Doe order can ensure a pro tempore remedy to the car buyers in case of unauthorized monetization of their personal data. However, given the nature of the order, it must fulfil the basic essentials of an injunction, which are similar across common law jurisdictions, whether the UK, the USA, or India. In the UK, American Cyanamid Co v. Ethicon Limited laid down a protocol [“American Cyanamid Guidelines”] outlining three basic essentials: first, the existence of a significant issue; second, whether damages would suffice as a remedy; and third, an evaluation of the balance of convenience. Similarly, the USA regards a prima facie case and irreparable injury as essential prerequisites [“US requisites”] to issuing a preliminary injunction. In India, in addition to the US requisites, the balance of convenience must also be established in favor of granting an injunction.

As for the prima facie case, the ‘undue’ collection of data is evident from the privacy policies of these car brands, which use qualifying phrases like ‘such as,’ ‘including,’ or ‘etc.’ in outlining what data is collected. This indicates that what is being provided is merely a partial representation and not the entirety. As a final shot, the report reveals that a few companies agree that they ‘might’ sell the data to third parties. Data once sold cannot be retrieved, and the situation is exacerbated by the fact that such monetary dissemination can become a series of changing hands, making it impossible to trace the data. In such a scenario, irreparable harm is bound to occur. Lastly, the balance of convenience means the comparative mischief or inconvenience to the parties. This balance shifts in favor of the plaintiff for two reasons: (i) an injunction would merely halt the unauthorized revenue or profits of the car manufacturers and the unidentified data brokers; and (ii) this unauthorized revenue or profit per se is not an entitlement or right, either in isolation or when compared with the right to protect and have control over one’s personal data.

  3. The Conclusion

The unregulated monetization of car owners’ personal data in the absence of any remedy is unsettling. While global privacy laws guarantee rights to individuals, ambiguities allow their exploitation by car companies for unauthorized profits. John Doe orders, therefore, can act as an interim relief to the aggrieved car buyers. However, considering a burgeoning market for trading and monetizing car data, global laws require a much-needed revisit. The nations must emphasize that privacy trumps profits before data selling becomes a lucrative hub for data misuse in future.
