Navigating Compliance Under the DPDP Act in the Automotive Sector in India

The incorporation of technologies such as connected vehicles, autonomous driving systems, vehicle-to-everything (V2X) communication, and the Internet of Things (IoT) has made the automotive industry increasingly dependent on the collection, storage, and processing of substantial volumes of personal customer information, vehicular data, and financial records. The existing DPDP Act imposes liability on original equipment manufacturers (OEMs) to ensure that the collection and processing of data is in accordance with the standards prescribed therein. The revolution in connectivity and data analytics places the automotive sector at a vital juncture, wherein the diverse ways vehicles interact with their surroundings and with each other are resulting in a huge surge in data collection. While these advancements in technology offer various benefits, they also pose significant challenges related to data privacy and security for vehicle manufacturers and their affiliated service providers. While we await the robust and comprehensive rules, let's navigate through key aspects related to the automotive sector and the critically acclaimed game-changer Act of 2023:


Reconceived Consent Architecture: Vehicle manufacturers gather personal data from buyers throughout all stages of sale and facilitate service providers' access to data stored in vehicles through various interfaces. This relationship requires a comprehensive data sharing agreement that delineates the separate, independent responsibilities associated with processing operations. Collection of vehicular data via sensors, diagnostic systems, and telematics devices should require renewed consent from the vehicle operator whenever the scope of such data usage increases. Collected data needs to be encrypted to ensure its anonymity if the integrity of an interconnected vehicle system is compromised. Data access further needs to be strictly limited, and access logs need to be regularly audited to detect and address any suspicious or unauthorized activities.


Compliant Cross Border Data Transfer: The extensive supplier network within the automotive industry necessitates the implementation of minimal and secure methods for cross-border data transfers. In order to reduce the risk of data breaches during transfer, vehicle manufacturers operating in foreign jurisdictions should collect vehicular data within a domestic entity's cloud before sharing it internationally. Direct gathering of data by component suppliers located abroad through vehicle-installed components should be restricted and instead, such data should first flow through in-vehicle network terminals.


Data Fiduciary and Significant Data Fiduciaries (“SDFs”): As mentioned earlier, manufacturers of vehicles gather data from buyers at the time of sale, as well as throughout the use of the vehicle by the customers, in order to fix recurring issues that can occur in a specific model in vogue on the roads. With that said, with the rise of autonomous vehicles, data gathering by fiduciaries shall become an important aspect of the day-to-day monitoring of vehicles, and as such, SDFs will have a higher level of responsibility to ensure the protection of the data of customers in light of the standard of regulations laid down by the DPDP Act, 2023.


Grievance Redressal: Under the provisions of the DPDP Act, 2023, it becomes highly important for vehicle manufacturers to establish a proper method for grievance redressal in cases of breach or leak of the data of customers. Vehicle manufacturers handle highly sensitive data, which may include location details of a customer; therefore, manufacturers will have to adhere to higher standards of data protection and also create effective and modernized forms of grievance redressal to comply with the existing legal mandates.


Conclusion

Vehicles, in modern society, and in all shapes and forms, have become a necessity in the daily lives of individuals, as well as businesses for conducting day-to-day activities. With the advent of the digital era and the modernization of automotive companies competing globally to launch tech-forward products enabling remote diagnostics, real-time data monitoring, and personalised services, among others, the dependence of the automotive industry on data is robust and gigantic. Recently, as per a study conducted by Deloitte Touche Tohmatsu Limited, it was observed that nearly 69% of Indian consumers are concerned about their private data being shared and processed. Hence, owing to the fact that vehicle manufacturers will have to handle and process large amounts of customer data, it is paramount for manufacturers to work in strict adherence with the provisions of the DPDP Act, 2023 and establish strict protection and self-regulatory policies when it comes to the protection of the data of the common people. To pave the way for developing consumer trust and ethical harnessing of data, the automotive sector shall aim to incorporate a few compliance programs in its manual and further aim to adhere to privacy rights management as its core organisational objective.


The above article is authored by Ms. Pranshu Singh (Senior Associate Designate), Mr. Upamanyu Ganguly (Associate) and Mr. Raghav Sachdev (Assessment Intern).

