The bill does have an entire section on privacy, even though that didn’t make it into the title. But, as privacy advocates note, while it requires manufacturers to develop a privacy plan that spells out to consumers what is collected, used, shared and stored, and also tells them what choices they have regarding those practices, there is nothing in the bill that says who owns the data, and how owners can access or delete it.
In response, the Electronic Privacy Information Center (EPIC) issued a statement arguing that, as they had recommended in testimony while the bill was being drafted, “consumers (should) control the personal information that is created and stored by the vehicles they operate, rent, and own”.
Based on support for the bill, EPIC and other advocates have an uphill climb. It was reported out of committee on a unanimous (54-0) vote.
The major focus of the bill is to create “a regulatory structure that allows for industry to safely innovate with significant government oversight,” according to committee chairman Greg Walden (R-Ore.).
It also includes a section on cybersecurity, but the language is not terribly reassuring there either, when it comes to vehicles moving at 65mph (105kph) miles per hour or more. It requires only that manufacturers have cybersecurity practices that will guard against “reasonably foreseeable” risks. Try getting agreement on that in a courtroom.
Besides the lack of anything explicit about who owns the data generated by the vehicle, EPIC also objected, in a letter to the committee in June, to a provision that forbids states, “from issuing any rule, regulation, or law that is not identical to a previously issued Federal Motor Vehicle Safety Standard (FMVSS) issued by NHTSA (National Highway Transportation Safety Administration), including in the areas of software and communications systems”.