Alert

Federal Government Acts on Connected Vehicle Privacy and National Security Concerns

March 1, 2024

Concerns regarding how connected vehicles use and provide access to consumer and automotive data were top of mind across the federal government this week, spurring multiple developments including two new rulemaking proceedings at the Department of Commerce (Commerce) and the Federal Communications Commission (FCC or Commission) and a congressional request for additional action by the Federal Trade Commission (FTC). Stakeholders in the connected vehicle space, including automakers, suppliers, and wireless providers, should monitor these developments closely as they likely will have impacts for the future of connected cars in the United States.

Commerce Issues ANPR Seeking Comment on the Security of Connected Vehicles.

On February 29, 2024, the Biden Administration, in cooperation with the Department of Commerce (Commerce), announced an investigation into national security risks from connected cars that incorporate technology from China and “other countries of concern.” According to the press release, the White House is focused on “[n]ew vulnerabilities and threats” that “could arise with connected autos if a foreign government gained access to these vehicles’ systems or data.”

Commerce’s investigation into this issue commenced with the Department’s Bureau of Industry and Security (BIS) releasing an Advance Notice of Proposed Rulemaking (ANPR) seeking comment from the auto industry and public on connected vehicles’ national security risks and potential mitigation. The BIS ANPR specifically requests comment on, among other things, details about the supply chain for connected vehicles in the U.S., including information about integral hardware or software, and what impact international supply chain disruptions might have on the U.S. connected vehicle market.

The BIS ANPR also seeks comment on the relationship between automotive manufacturers in the U.S. and their international suppliers. According to the ANPR, particularly useful responses may include the type of information that is shared between automotive manufacturers of connected vehicles in use in the U.S. and their international suppliers “in the normal course of business, how this information is shared, what access or administrative privileges are typically granted, and if suppliers have any capability for remote access or ability to provide firmware or software updates.”

BIS will use information gathered from the record to develop regulations governing the use of technology in connected vehicles from certain countries. Comments on the ANPR are due April 30.

FCC Announces NPRM Focused on Protecting Domestic Violence Survivors from Abuses of Connected Car Features.

The day before the White House’s announcement, on February 28, 2024, FCC Chairwoman Jessica Rosenworcel announced that she has circulated a Notice of Proposed Rulemaking (NPRM) to the other Commissioners that, if adopted, would begin a proceeding aimed at preventing domestic abusers from using connected car features to harass and intimidate their partners.

According to the Commission’s press release, the NPRM would “examine how the agency can use existing law to ensure car manufacturers and wireless service providers are taking steps to assist abuse victims and seek comment on additional steps the Commission can take to safeguard domestic violence survivors.” To this end, the NPRM would seek comment on “the types and frequency of use of connected car services” available on the market and “whether changes to the Commission’s rules implementing the Safe Connections Act are needed to address the impact of connected car services on domestic violence survivors.” The NPRM also reportedly would seek comment on “proactive[]” steps connected car service providers can take to protect survivors.

As described in the FCC’s press release, media reports of connected car services being used to stalk and harm abuse victims served as the impetus for Chairwoman Rosenworcel’s proposal. Following these reports, the Chairwoman sent letters to automakers and wireless service providers last month asking them a series of questions about connectivity options in vehicles sold in the United States. The Chairwoman’s questions focused on topics such as connected car applications that track vehicle locations; automakers’ policies and procedures to remove connected features upon request; and companies’ retention, sharing, and selling of drivers’ geolocation data collected by connected apps, devices, or other vehicle features.

The NPRM comes on the heels of new FCC regulations implementing the Safe Connections Act of 2022, which seeks to ensure that domestic violence survivors can separate the phone lines from accounts shared with their abusers and can retain access to wireless service once the lines are separated. The Commission released an Order adopting the rules on November 16, 2023. Under the Order, wireless providers must comply with several requirements such as authenticating the identities of survivors who make line separation requests, establishing “secure remote means” in various languages and accessibility formats for survivors to submit line separation requests, and separating phone lines within two business days after receiving a request. Providers also will be required to omit calls and text messages to certain domestic violence hotlines from customer-facing logs. Compliance with the Order will be required beginning later this year.

Shared vehicle ownership is different in kind from a joint wireless service account composed of multiple phone lines, and exploitation of connected car features in a domestic abuse situation raises concerns distinct from those the Safe Connections Act was designed to address. The NPRM may give some insight into whether and how the Commission believes the Act could be applied in the connected vehicle context. The FCC press release suggests that the new NPRM is being voted on through the Commission’s “circulation” process rather than at an FCC open meeting, which means that the agency will not release a public draft of the item before it is adopted.

Congress Implores FTC Action on Automakers’ Data Privacy Practices.

On February 27, 2024, the day before the FCC announced the NPRM, Senator Ed Markey (D-MA) sent a letter urging the FTC to investigate automakers’ data privacy practices. Citing concerns with misuse of consumer data, such as tracking domestic violence victims, and linking to the same media reports as the FCC, Senator Markey urged the FTC “to use the full force of its authorities to investigate the automakers’ privacy practices and take all necessary enforcement actions to ensure that consumer privacy is protected.”

Looking Ahead

The timing and focus of the federal actions mentioned above suggest that the Biden Administration, Congress, and federal agencies are intently focused on issues surrounding connected car privacy and security. Stakeholders in the automotive industry should track the Commerce and FCC proceedings closely, participate in the rulemaking processes, and keep abreast of further regulatory developments at the FTC or other agencies in the near future.

***

Wiley’s Connected & Autonomous Vehicles, Privacy, Cyber & Data Governance, National Security, and FTC Regulation practice groups have broad experience in navigating rulemakings surrounding cutting-edge technology and the evolving legal landscape. If you have any questions about these connected vehicle developments, please contact one of the attorneys listed on this alert.
