Currently reading: On the download: How car dealers could be stealing your data
Personal data is supposed to be private, but dealers and insurers have been accused of downloading it from cars without permission

What Mario Bonfanti thought was simply an annoying emissions problem with his Range Rover Evoque has spiralled into a data protection issue that should concern every motorist who pairs their phone with their car. The 26-year-old energy advisor took delivery of his new Evoque in September 2018, but by February 2020 it had suffered four breakdowns related to its diesel particulate filter, a problem common to Land Rover models and recently highlighted by Autocar.

Frustrated by his car’s poor reliability, Bonfanti approached, a firm that helps motorists in dispute with dealers and finance companies. According to Bonfanti, it was revealed during court proceedings that Park’s Land Rover Ayr, the dealership that sold him the Evoque, had downloaded all the electronic data stored in it. The aim of Park’s had been to examine the session file created at the time the vehicle broke down and which would establish how the Evoque was being driven. However, the global download it is alleged to have performed harvested data not only from the vehicle’s ECU but also from the memory in its multimedia system. As Bonfanti’s phone was directly synced, or shared, with the car, this data included his phone ID and serial numbers, his contacts and his messages.

Ian Ferguson of claims Park’s Land Rover Ayr downloaded the Evoque’s data without his or his client’s permission, so breaking the terms of the Data Protection Act 2018. On the face of it, its actions may seem harmless: an innocent act by a garage trying to repair a car. Except that with up to 100 people working in a typical large dealership, collecting, processing and storing data is, says Ferguson, a job that must be performed responsibly and with respect for the law if customers’ privacy is to be safeguarded.

Examples where it hasn’t been include the Scottish Premiership footballer whose phone contacts were taken from his car’s memory and shared with others when the vehicle was at a dealer for routine servicing, and a lawyer who, while their car was also in a workshop, had their destination data harvested – data including the addresses of clients on witness protection programmes. Neither of these cases relates to Park’s Motor Group.

9 Mario bonfanti

Back to top

“My firm alone represents 24 people who claim their vehicle data was accessed without permission by car dealers,” says Ferguson. “Based on this, I would guess that each day, hundreds of motorists are unwittingly making their data available to car dealers. Who knows where it ends up?”

The Evoque is now back, unrepaired, on Bonfanti’s drive, where it has been since March last year, while he awaits the outcome of his claim relating to illegal data access and his rejection of his car under the terms of the Consumer Rights Act 2015. Park’s Land Rover Ayr did not respond to Autocar’s requests for comment.

Dealers aren’t the only motor businesses accused of taking data without permission. Ross Hadfield is an independent motor engineer who helps establish the cause of accidents. He claims some major investigation companies routinely download the data stored by a vehicle without the owner’s say-so. “Despite a car’s ECU being classed as a ‘terminal unit’, and so requiring the owner’s permission to access the data within, many vehicle assessors working for insurers download the data anyway,” says Hadfield. “I’ve experience of insurers using such data to reject claims unfairly.”

Depending on the type of download, in addition to the electronic data recording (EDR) that insurers are seeking and which contains data relating to aspects of the car’s performance, including ABS activation, steering angle and throttle position, personal data is also captured. “I reckon up to 5000 cars a week have their data downloaded in bodyshops alone,” says Hadfield. “That’s a lot of phone numbers and other personal information that goes who knows where?”

A spokesperson for the Association of British Insurers said: “We are not aware of this practice taking place and insurers should, of course, always comply with relevant data protection legislation.”

The Information Commissioner’s Office, the agency that oversees the Data Protection Act, the scope of which extends beyond the EU’s General Data Protection Regulation (GDPR), says it’s not aware of data issues affecting the motor industry. A spokesperson told Autocar: “It’s not an issue we’ve seen specifically from the motor industry. However, all organisations need to be clear and transparent when collecting personal data.”

Back to top

8 Ian ferguson

The ICO may not recognise there’s an issue, but the European Data Protection Board, the organisation that ensures the consistent application of data protection rules throughout Europe, is sufficiently concerned about data protection within the motor industry that in January last year it published a 30-page guidance document on the subject. In addition to declaring all vehicle data, including data generated by the car, to be personal, in that it is directly relatable to an individual through the vehicle’s VIN number, it reminds businesses that where they take data, their reasons for doing so must be “specified, explicit and legitimate”. It continues: “Prior to the processing of personal data, the data subject (the vehicle driver or owner) shall be informed of the purpose of processing, the data recipients, the length of time the data will be stored and the subject’s rights under the GDPR.”

This will be news to Bonfanti, whose data, he alleges, was downloaded from his Evoque by Park’s Land Rover Ayr 15 days before it sought his permission. “I was more worried for my family than for me,” he says. “Some of my older relatives, especially, are private and cautious people who would be concerned about the possibility of their personal information being shared. If something were to happen to them or any member of my family as a consequence, I’d feel responsible.”

Who's responsible?

Back to top

In 2017, Privacy International rented a selection of cars from major hire companies and found that all of them contained the personal details of previous renters and the locations they had visited. When challenged, the rental companies couldn’t agree whose responsibility – hirer or hiree – it was to delete the information.

More recently, a survey by Which? last year found that four in five people who had sold their car had failed to clear its infotainment memory containing personal data. Half of them had synced their phone to their car. Unlike systems including MirrorLink, Apple CarPlay and Android Auto, this connection method enables phone data to be stored in the car’s memory. Exactly how much depends on the system. Some have a memory in the Bluetooth module that is erased each time the phone is disconnected. Well, almost erased – the location address of the data is erased but not the data itself.

Sue Robinson, chief executive of the National Franchised Dealers Association, said: “Members must at all times comply with data protection regulations, including the General Data Protection Regulation. All vehicles sold through dealers must have all personal data removed from on-board computers and other devices that contain such information.”


Covid guidance: Car dealers can offer test drives during lockdown 

New moves: How dealers are trying to stimulate car sales 

The man who saves buyers from tricky car dealers

Join the debate

Add a comment…
Citytiger 15 March 2021

Moral of the story, dont buy a DPF equipped diesel if all you do is drive round town clogging it up, DPF problems are not purely a Landrover problem, and any journalist worth his or her salt knows that.  

Smiffy2408 14 March 2021
Moral of the story. Don't buy a Range Rover product.
MkVII Golf GTI 14 March 2021

I personally think a bunch of these claims sound like law-firm conjecture rather than hard evidence. I don't know of any car that locally stores text messages. Typically the car just relays what the phone tells it to show. Most cars also sync contacts every time the phone connects to the car. There may be some way to manually request the contacts be stored in they car's infotainment system but I have no clue if this guy did that with his car or not.  

I understand wanting to maintain your privacy, but things like this guy is complaining about just seem to be a bit over the top. He acts like they had installed a secret listening device or even a GPS tracker in his car. In reality it seems like a harmless case of the dealership trying whatever they could to fix a frequently broken down car. I would always assume data is going to be downloaded from my car if it's in the shop. Most owners manuals explicitly state that EDRs and other types of data can be pulled from the car. The guy is acting like his family had damaging information stolen from them. I just don't really see that. If I was a betting man I'd say it's in the hopes for getting some £!