Automotive Information Governance & Data Privacy Trends

Please join us for the next installment of the Morgan Lewis Automotive Hour Webinar series, focused on automotive information governance and data privacy trends.

Key Takeaways

The rapid evolution of connected and autonomous vehicles (AVs) is redefining the automotive industry, bringing both unprecedented opportunities and complex regulatory challenges. As vehicles increasingly generate, process, and transmit vast amounts of data, companies must navigate a dynamic legal landscape that spans data privacy, artificial intelligence, and cybersecurity laws across multiple jurisdictions.

The following key takeaways highlight the major trends and regulatory developments shaping automotive information governance in the United States, European Union, and United Kingdom as well as practical insights for ensuring compliance and managing risk.

1. Mapping Data and Regulations

• The growing use of AVs requires tracking of a complex mix of data types, including sensor, user, and system-generated data.
• Compliance with a wide range of data, privacy, AI, and cybersecurity laws across jurisdictions (EU, UK, US) is essential for operational and legal alignment.

2. Understanding Jurisdictional Frameworks

• The EU/UK legal framework involves:
  • Data Protection Laws: General Data Protection Regulation obligations such as accountability, data subject rights, and cybersecurity.
  • AI Regulations: The EU AI Act categorizes AI systems by risk and imposes strict obligations on high-risk AI systems.
  • Cybersecurity: The NIS 2 Directive and EU Cybersecurity Act require robust security and incident response systems.
• In the United States, laws and regulations are passed by a patchwork of state and federal authorities:
• Federal agencies like the Federal Trade Commission, Consumer Financial Protection Bureau, and National Highway Traffic Safety Administration (NHTSA) oversee various privacy and cybersecurity aspects, while federal laws, such as the Driver’s Privacy Protection Act, regulate specific privacy and data issues but do not uniformly address automotive data.
• State-level frameworks vary widely, with California leading in consumer privacy protections, while laws in Virginia and Utah represent models emphasizing opt-in consent and specific exemptions.

3. Guidance and Industry Standards

• In the United States, industry-developed guidelines, such as NHTSA’s Cybersecurity Best Practices, provide specific actionable advice for the automotive sector.
• EU/UK directives and industry standards emphasize secure data management, risk assessment, and collaboration across the supply chain.

4. Importance of Compliance Programs

• Effective compliance requires the following:
  • Engineering and Design: Incorporating security and privacy by design principles
  • Transparency: Informing consumers about data collection and usage
  • Supply Chain Management: Addressing data sharing in contracts and ensuring alignment with applicable laws
  • Employee Training: Establishing organizationwide awareness of compliance standards
  • Incident Response and Liability: Preparing for breaches and allocating liability through contracts and insurance.

As the automotive industry continues to transform with the rise of AVs, staying ahead of regulatory developments is critical. Companies must adopt proactive and comprehensive compliance programs that address the intricate web of data privacy, AI, and cybersecurity laws across jurisdictions. By leveraging industry standards and fostering transparency, innovation, and accountability, organizations can navigate these challenges while maximizing the opportunities presented by this new era of automotive technology.

Questions? Please contact Octavia Litvinov.

Morgan Lewis Automotive Hour is a series of automotive and mobility industry–focused webinars led by members of the Morgan Lewis global automotive team. The 2024 program is designed to provide a comprehensive overview on a variety of topics related to clients in the automotive and mobility industry.