March 12th, 2015
“Smart” Cars – In the Fast Lane to Government Regulation
By: Thomas A. Warns
https://www.lexology.com/library/detail.aspx?g=57d1ca69-4db8-42eb-a56c-c9d198547db3
Last month, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced legislation aimed at establishing federal data security and privacy standards for Internet-connected automobiles, generally referred to as “smart cars.” This development was novel in many respects worthy of mention.
First, the report comes on the heels of an FTC report in January which recommended a technology-neutral data security approach to the “Internet of Things.” That report suggested general standards for all internet connected objects; instead, the Senate bill for smart cars continues to general trend of “sectoral” data privacy legislation. In contrast with practices typical in the EU, the United States generally legislates on an industry by industry basis when it comes to data privacy, rather than creating one standard for all. Many businesses praise this approach because it allows for flexibility in approaching the different nuances of industries with different practices; consumer advocates warn that the lack of any statutory privacy baseline leaves consumers unable or unwilling to effectively wade through the different privacy standards in each field.
The Senators’ bill is based on a report that examined the data privacy practices of sixteen car companies, and found that these manufacturers collected driver and passenger data but had “alarmingly incomplete or inconsistent” privacy and data security practices. The bill alleviates these problems by demanding certain testing of wireless security, making consumers explicitly aware of when information is collected, giving them the option to allow the collection, prohibiting manufacturers from using the information for advertising purposes, and creating a new security rating to be displayed on vehicles, much like fuel economy information is also included on new cars.
This broaches several relevant issues in the regulatory sphere. First, it is a massive deviation from the self-regulation that persists in the U.S. automobile industry prior to the legislation. Some will question the wisdom of this decision. Industry leaders often prefer self-regulation because it allows companies to innovate in a rapidly changing technological field; Congressional laws take so long to pass, and are so difficult to amend, that they may become outdated rather quickly, and only serve to stifle development in important fields. Likewise, they would argue that regulation will impede the efficient allocation of privacy that has already been achieved by the market. While consumers may express opinions that data privacy and security have value to them, they often assign a very low value to it when they are confronted with voluntary transactions that trade information for a product or application. Perhaps consumers believe that the collection of data by companies to target advertising is completely benign, or perhaps will even enhance their welfare, since they are given more relevant advertisements. The companies want this information because it lowers the costs of advertising for them, potentially creating a socially desirable outcome. If some consumers do truly value their privacy at a higher value than many others, then companies can compete to deliver the most data-secure smart cars.
That picture, however, may be challenged on several grounds. Consumers may not be able to fully comprehend the “cost” of surrendering their personal information. For one, it is almost impossible to quantify the information into a monetary value, like we do with most other transactions. For another, consumers aren’t even sure what data collection means. Privacy policies may spell out some of the terms of use, but it is often unclear how long the collection will last, what exactly will be collected, who the information is shared with, and whether it will be stored and aggregated with other information from other sources indefinitely. If consumers are unable to understand the cost when deciding to surrender their personal information, a top-down command and control style regulation may be the optimal solution.
One of the virtues of this bill then, is that it attempts to combat the information gap that may lead to a widespread market failure. The bill lets customers explicitly know when their information is being collected, and forbids the information from being shared for advertising purposes. Knowing when their data is being collected may make the “cost” more salient and encourage more drivers to opt-out of the data collection; the flip-side of this argument, however, is that drivers may not opt-out when informed of later data collection out of a sense that all hope is lost, and that they have already lost control over their data. Likewise, the complete prohibition on sharing info for advertising purposes may cut off a revenue stream for car companies, and force price hikes onto the backs of consumers who may otherwise prioritize a price discount over data privacy.
This Senate bill will undoubtedly improve personal data privacy for drivers, but it may do so at the expensive of socially good data collection and use by car companies. Perhaps a better alternative would be co-regulation, which has had demonstrated success in the field of environmental law. Co-regulation involves placing the regulator, the regulated, and interested third parties in a position to negotiate directly with each other over regulations, rather than indirectly through notice and comment rulemaking. This allows each stakeholder to make tradeoffs and over concessions in ways that best reflect their own priorities.
As Professor Ira Rubinstein notes, co-regulation tends to succeed because there is greater legitimacy and industry “buy-in” when the industry has a hand in creating its own rules. The effect of this is likely a decrease in litigation, as there are fewer court battles over the interpretation of an agency’s regulation when the regulated parties and interested citizen groups participated in writing it. One criticism to this approach is that it places too much weight in the hands of interested private parties, as opposed to disinterested government agencies working towards the public good. Anyone who has studied administrative law, however, knows that agencies are already subject to capture by special interests. Further, as long as the agency involved ensures equal participation by industry and consumers, and is the ultimate arbiter of any regulation, fairness can be protected. While this co-regulatory approach would be intelligent, smart car regulation is likely destined to drive down a road towards traditional agency regulation with notice and comment rulemaking.
Read the story, “Smart Car Legislation Suggests a Different Approach to the Internet of Things Regulation”, at https://www.lexology.com/library/detail.aspx?g=57d1ca69-4db8-42eb-a56c-c9d198547db3