What Mario Bonfanti thought was simply an annoying emissions problem with his Range Rover Evoque has spiralled into a data protection issue that should concern every motorist who pairs their phone with their car. The 26-year-old energy advisor took delivery of his new Evoque in September 2018, but by February 2020 it had suffered four breakdowns related to its diesel particulate filter, a problem common to Land Rover models and recently highlighted by Autocar.
Frustrated by his car’s poor reliability, Bonfanti approached Rejectmycar.com, a firm that helps motorists in dispute with dealers and finance companies. According to Bonfanti, it was revealed during court proceedings that Park’s Land Rover Ayr, the dealership that sold him the Evoque, had downloaded all the electronic data stored in it. Park’s aim had been to examine the session file created at the time the vehicle broke down, which would establish how the Evoque was being driven. However, the global download it is alleged to have performed harvested data not only from the vehicle’s ECU but also from the memory in its multimedia system. As Bonfanti’s phone was directly synced, or shared, with the car, this data included his phone ID and serial numbers, his contacts and his messages.
Ian Ferguson of Rejectmycar.com claims Park’s Land Rover Ayr downloaded the Evoque’s data without his or his client’s permission, so breaking the terms of the Data Protection Act 2018. On the face of it, the dealership’s actions may seem harmless: an innocent act by a garage trying to repair a car. Except that with up to 100 people working in a typical large dealership, collecting, processing and storing data is, says Ferguson, a job that must be performed responsibly and with respect for the law if customers’ privacy is to be safeguarded.
Examples where it hasn’t been include the Scottish Premiership footballer whose phone contacts were taken from his car’s memory and shared with others when the vehicle was at a dealer for routine servicing, and a lawyer who, while their car was also in a workshop, had their destination data harvested – data including the addresses of clients on witness protection programmes. Neither of these cases relates to Park’s Motor Group.
“My firm alone represents 24 people who claim their vehicle data was accessed without permission by car dealers,” says Ferguson. “Based on this, I would guess that each day, hundreds of motorists are unwittingly making their data available to car dealers. Who knows where it ends up?”
The Evoque is now back, unrepaired, on Bonfanti’s drive, where it has been since March last year, while he awaits the outcome of his claim relating to illegal data access and his rejection of his car under the terms of the Consumer Rights Act 2015. Park’s Land Rover Ayr did not respond to Autocar’s requests for comment.
Dealers aren’t the only motor businesses accused of taking data without permission. Ross Hadfield is an independent motor engineer who helps establish the cause of accidents. He claims some major investigation companies routinely download the data stored by a vehicle without the owner’s say-so. “Despite a car’s ECU being classed as a ‘terminal unit’, and so requiring the owner’s permission to access the data within, many vehicle assessors working for insurers download the data anyway,” says Hadfield. “I’ve experience of insurers using such data to reject claims unfairly.”