What Mario Bonfanti thought was simply an annoying emissions problem with his Range Rover Evoque has spiralled into a data protection issue that should concern every motorist who pairs their phone with their car. The 26-year-old energy advisor took delivery of his new Evoque in September 2018, but by February 2020 it had suffered four breakdowns related to its diesel particulate filter, a problem common to Land Rover models and recently highlighted by Autocar.
Frustrated by his car’s poor reliability, Bonfanti approached Rejectmycar.com, a firm that helps motorists in dispute with dealers and finance companies. According to Bonfanti, it was revealed during court proceedings that Park’s Land Rover Ayr, the dealership that sold him the Evoque, had downloaded all the electronic data stored in it. The aim of Park’s had been to examine the session file created at the time the vehicle broke down and which would establish how the Evoque was being driven. However, the global download it is alleged to have performed harvested data not only from the vehicle’s ECU but also from the memory in its multimedia system. As Bonfanti’s phone was directly synced, or shared, with the car, this data included his phone ID and serial numbers, his contacts and his messages.
Ian Ferguson of Rejectmycar.com claims Park’s Land Rover Ayr downloaded the Evoque’s data without his or his client’s permission, so breaking the terms of the Data Protection Act 2018. On the face of it, its actions may seem harmless: an innocent act by a garage trying to repair a car. Except that with up to 100 people working in a typical large dealership, collecting, processing and storing data is, says Ferguson, a job that must be performed responsibly and with respect for the law if customers’ privacy is to be safeguarded.
Examples where it hasn’t been include the Scottish Premiership footballer whose phone contacts were taken from his car’s memory and shared with others when the vehicle was at a dealer for routine servicing, and a lawyer who, while their car was also in a workshop, had their destination data harvested – data including the addresses of clients on witness protection programmes. Neither of these cases relates to Park’s Motor Group.