We need a data protection authority along the lines of the food inspection agency, says Dr. Volker Lüdemann, Professor of Commercial and Competition Law at the University of Osnabrück and since November 2014 chairman of the university’s Ethics Commission, in an interview with All about M2M. On the Internet of Things everything can communicate with everything; it connects the physical world with the world of information. In sharing sensor data smart devices chat incessantly and imperceptibly about users’ behavior.
Professor Lüdemann, what is Osnabrück University’s data protection expert currently working on?
A major concern of my research in this area is the connected car and autonomous driving. For Germany as a country with an automotive tradition the connected car is the supreme discipline, as it were. Alongside the smart home it is set to become the second-largest application area with a market volume of up to €200 billion in the years to come.
An impressive forecast, and that is precisely why many people are wondering about data protection. Do we really run a risk of becoming transparent citizens?
If we let things carry on as they are, we certainly do. People are nowhere near adequately aware of the need for data protection. Digitization and being connected are fundamentally changing our communication situation. On the Internet of Things we may not necessarily be a part of the communication but machines are automatically sharing information about users, constantly and, for the moment, imperceptibly. In a modern midrange car, for example, around 80 control devices with sensors are connected as part of its security systems. The car leaves a data trail. In itself this data is not especially informative, but its potential lies in connecting and evaluating it. Those who have access to it can put it to commercial use, be they Google, carmakers, or software manufacturers. We are in the process of charting the course for the future in that our data is the oil of the 21st century.
A fine comparison, but why is data such an important raw material?
Precisely because it is raw. On the Internet of Things, data is generated in bulk and is practically free from manipulation. That is what is really new. Take electricity meters, for example. In the past, the meter reader called round once a year and made a note of the reading. Today a smart meter can deliver information in much greater detail. It transmits 31.5 million datasets in the course of a year. Evaluated, this data reveals a precise user profile because nobody can influence his data over such a long period, and if data of this kind is available from a whole lot of users and is crosslinked and joined by data about traffic flows and visits to shops or hospitals, I suddenly know how an entire city functions.
Both light and shadows, then. We are delighted with predictive car maintenance and reliable traffic congestion reports or with fitness trackers that measure our heart rate and warn us of the risk of a heart attack. Experience with the smartphone shows that what is practical, comfortable and profitable will prevail. What must business and the state now do?
Clearly we all want to use the Internet of Things and it has many advantages. The task the state now faces is to balance the advantages and disadvantages. There is little the individual can do, especially as data is collected for the most part entirely unnoticed. Now is the time for the state to step in. In Germany there is a fundamental right to informational self-determination. The state is duty bound to set up a legal and supervisory system to ensure that this right is upheld. My solution approach is that we need a powerful data protection authority that ensures a basic level of security in much the same way as the food inspection authorities do. Consumers lack the knowledge and, above all, the opportunity to do so themselves. In future, all connected things should be pre-set at a basic level from which the user can only deviate explicitly.
How might personal data be protected on a practical, day-to-day basis? Must I give my explicit consent in future to my data being transmitted and evaluated before making every journey in a connected car?
The automakers are very open-minded in this debate. For them, data protection has become a sales argument. Take company cars, for example. The car is registered as owned by the employer and is insured on the basis of the user’s driving behavior. In other words, the vehicle records data of all kinds about destinations, style of driving, and frequency of breaks. In the works setting this data would stay in a protected area, but if the employer has changed the setting and, say, additional data is collected, a warning light is switched on in the car and the driver has the option of deliberately adjusting his behavior accordingly. It is much the same as a warning about video surveillance.
eCall will be mandatory for all new cars in the EU from March 31, 2018. You call it a Trojan horse. Where is the problem with the automatic electronic emergency call?
In principle eCall is great, but a closer look at the legislation reveals that the project would never have been launched solely to optimize the rescue of accident victims. In principle there are two versions. The statutory system is totally unproblematic in terms of data protection law. It lies dormant until the airbags are activated. It then transmits the requisite dataset, the emergency services are notified, and the rescue chain is set in motion. The carmaker, however, can install a system of his own and deactivate the statutory system. This system is totally unregulated, it relays all data continuously and is, as an open Internet interface, the killer application for the automobile industry. Where is the automatic emergency call sent? Which rescue service is notified and which hospital does it go to? Which recovery service comes to tow the damaged vehicle to which car repair shop? This decision might in future lie in the hands of those who receive the data and can evaluate it.
The agreed version of the EU’s Data Protection Regulation will be submitted to the Council of Ministers for approval on April 21 and is scheduled to come into force at the beginning of 2018. Which innovations or improvements will it bring in terms of data protection?
At first glance the regulation reads well, but the devil is in the detail of its implementation by EU member-states. My impression so far is that the innovations are not much of an improvement and that there will be practically no perceptible changes for the general public. The regulation deals mainly with serious penalties for breaches of data protection and with collaboration with international data protection authorities. It fails to tackle the fundamental issues. Internationally, the preconditions vary widely. In the United States, for example, and in the UK’s legal tradition data protection is not a constitutional right. Initially, everything is permitted there and restrictions may be imposed later. That is why agreements such as Safe Harbor and now the Privacy Shield are so hard to balance out.
Autonomous driving. Where are we heading there? How am I to imagine the future of the automobile?
Autonomous driving is no longer a remote and distant prospect. The collision of a Google car with a bus a few days ago made that clear. The Google Car may not yet be better than a human driver but the test driver on board the Google car sized up the situation just as wrongly as the car and failed to intervene. And along with driving as such, allied business models will change fundamentally. In a few decades’ time owning a car of your own will no longer play the role that it does today. Thanks to autonomous driving the road user may have what might be called a mobility subscription. As in car sharing he may book an SUV or a convertible as required. The car will drive up at the specified time and will drive off again at the end of the journey. Vehicles may all have the same level of motorization and drive bumper to bumper. In view of traffic planning and environmental pollution in megacities that would be a conceivable scenario. The car as such would no longer be a status symbol and an expression of one’s individual personality. The interior would be much more important because you no longer have anything to do with the driving. The car will become a platform for infotainment and entertainment, so in the future there might be an Apple Car or a Samsung Car, etc. The carmakers are aware of this trend and are developing new business models. But if they are to become mobility service providers they will definitely need access to the driving data.
As chair of Osnabrück University’s Ethics Commission do you now see autonomous driving from a further angle?
The latest development in this field in the United States is that computers are now authorized to drive vehicles there. The precondition was that computers must demonstrably drive better than people. Ethical aspects are a major problem here. How is the car to be programmed in case of doubt? To protect its passengers or to protect the outside world? In the United States quantifiable legal ethics applies and ten human lives count for more than one. In Europe human life is the supreme value in itself. The discussion is ongoing but for Europe there is no solution as yet. Here too the legal framework must now be established.
Volker Lüdemann is Professor of Commercial and Competition Law at the University of Osnabrück, Scientific Director of the Niedersächsisches Datenschutzzentrum and since November 2014 has chaired the university’s Ethics Commission. A qualified lawyer, he was previously an authorized officer at Volkswagen Versicherungsdienst GmbH in Wolfsburg.