Ola fracas reveals data privacy conundrum in electric vehicle industry

Questions are being raised on ola as to what extent can these new-age automobiles track user data and to what ends can they be utilised

Until now, the biggest concern with electric vehicles (EVs) has been about them catching fire. But a new issue has appeared after Ola Electric publicly shared the telemetry data of a user who had met with an accident. 

Guwahati-based Reetam Singh suffered an accident while riding his father’s Ola S1 Pro last month. Subsequently, Singh’s father alleged in a series of tweets that the faulty braking system of the electric vehicle was the reason behind the accident. 

In a bid to counter the bad publicity resulting from the viral tweets, Ola shared on Twitter granular data about the vehicle’s speed and the riding behaviour before the accident. Later, the victim said that the company had not taken his consent before making the data public and asked it to take down the post.

“According to various judgements of the Supreme Court, along with the Aadhaar case judgement and the Puttaswamy case judgement on data privacy and protection of private citizens’ data, you were entitled to share the data only with law enforcement or insurance agencies,” wrote Balwant Singh, the victim’s father, in an email to the company.

“The public revealing of telemetry data is a serious violation… amounting to offence under the IT Act, IPC, and Contract Act whereby you revealed sensitive information to the public without my consent,” he added.

Following the incident, questions are being raised as to what extent can these new age automobiles track user data and to what ends can they be utilised.

“In such circumstances, there is potentially a breach of privacy, even though the PDP (Personal Data Protection) Bill is not in place and GDPR is not applicable in India. Telematic data like information on performance, operations and usage of products are classified as personal information,” said Salman Waris, a partner at Delhi-based law firm TechLegis.

“The disclosure of such data to third parties or in a press release may constitute breach of existing data privacy provisions under the IT Act unless the same had been done under prior informed consent, and for purposes for which such consent was legally obtained under a written contract,” he added.

However, there is also a counter argument in this particular case. According to Shraddha Deshmukh, an independent lawyer who has  worked on data privacy matters, it is within Ola's rights to defend its reputation using telematic data from vehicles in order to communicate that its product is safe.

"The Ola privacy policy explicitly mentions that the company can use your data to enforce the legal rights in its favor. Once the user has given their consent to the company to collect their vehicle's data and agreed to this policy, they can't backtrack later," she explained. 

Typically, EV makers say that tracking real-time telematic data is essential for maintaining the vehicles and monitoring their performance. Take for instance, the Ola Electric privacy policy. It states, “To further improve your product and safety, to facilitate the (helpdesk) servicing of your product and to give you insight on your driving behaviour, we will collect certain telematics data from the vehicle,”

“This may include personal information, such as vehicle identification number, and other device related information, such as performance, usage, operation, condition of your vehicle, etc. We collect such information either in person (such as during a service appointment), or via remote access or through (the company’s) app,” it further adds.

According to Dinkar Agrawal, Co-founder and COO of Oben Electric, EV companies tracking such data ultimately benefits the users as they can be alerted instantly in case of any malfunction in the automobile. “The most important data points reside in sensors at the battery level which can tell you about the voltage, the current and revolutions per minute (of wheels) – and they are good enough indicators for most purposes,” he explained.

“It helps in early warning and ensures the safety of the user. However, we don’t want to force a situation where the user has to share data against his wishes. That’s why we give them the choice of opting out of such tracking while letting them know that it will reduce some functionalities,” said Agrawal.

Another concern that experts have about the data collection practices of EV makers is regarding location data. “If you remember, there were reports claiming that Amazon contractors were listening in to people through their Alexa devices. The tech business models of today are nothing but selling us the most appropriate ads by hacking into our deepest personal data,” said a senior counsel in the Supreme Court who does not want to be named.

“Youngsters might be thinking, ‘Oh, I will take my partner on a date on the shiny new EV.’ They  don’t know that someone sitting behind a desk is tracking all your whereabouts. And unlike Google and others based in the US, no Indian company will bat an eyelid before sharing your data with the government, the police, or anyone who turns up with a big enough carrot or stick.”

Industry insiders say that such risks are not new and continue to grow as India still doesn't have a data protection law. Under the draft Personal Data Protection Bill, collecting real-time data of the individuals is permissible till the point data fiduciaries follow their obligations. 

“Consent is the bedrock on which the PDP Bill has been constructed. Moreover, the burden of proof to show that the data principal has given their consent is on the data fiduciaries. Therefore, if the data principal consented to real-time data collection, data fiduciaries shall do the same, provided they proffer legitimate purposes for the processing of such personal data,” said Kazim Rizvi, founder of policy think-tank The Dialogue.

There are other fears still about the data threats of EVs like what happens if a bad actor hacks into the EV company’s servers and gains remote access to navigate – or stop – the wheels. Those who have already bought into the attraction of a vehicle connected to the cloud, and others who are considering such a purchase, are giving it a re-think. 

“It does not make any sense to me why EV companies should retain the ability to remotely affect the vehicle that has already been sold to a customer,” said Vikash Mishra, CEO and co-founder of MoEVing, a start-up that manages EV fleets end-to-end for businesses.

“For a B2B company like us, it is understandable as we need granular data to optimise the fleet and also own the vehicles. Unless an OEM has also financed the purchase to an individual customer and the loan is to be paid back, there’s no reason why the company should have remote access,” he added.