According to The New York Times, a lawsuit filed by Romeo Chicco in the Southern District Court of Florida, United States, accuses General Motors (GM) and LexisNexis Risk Solutions of providing his personal data to insurance companies without his consent. These insurance companies refused to provide services to him based on reports generated by LexisNexis using data on distances traveled, speeding, sudden braking, and acceleration, all collected by his GM Cadillac. The affected individual mentioned that he would never have approved the public use of this data, while GM spokesperson Malorie Lucich stated that a clause in their privacy statement associated with their optional application, which Romeo had installed on his mobile phone, mentioned the possibility of sharing data with third parties. Although this case is ongoing in the United States, similar phenomena could occur in the European Union, where the General Data Protection Regulation (GDPR) establishes legal guidelines for the authorization and use of personal information. Therefore, it is worth analyzing this case as if it had occurred in this territory.
According to the GDPR, personal data includes any information related to an identified or identifiable person, such as name, address, and identification number. In this case, GM was using Romeo Chicco's personal information, leading insurance companies to reject his application.
Moreover, Romeo claims he was not aware that he had allowed his data to be used for this purpose. Regarding this, the GDPR states that the use of personal data must be explicitly justified, fair, and transparent. That is, the individual must give open consent to the use of their personal data, and must be clearly informed of how it is processed. In this case, none of these points are fulfilled. Furthermore, the processing of Romeo's data does not meet the other conditions for lawful data processing established in the GDPR: the data is necessary for the performance of a contract in which the person is involved, the data is necessary to comply with an applicable legal obligation, the data is necessary to protect the vital interests of the individual, or the data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the company. According to all the mentioned aspects, GM would be violating the customer's right to transparency.
The impact of GM's data usage on Romeo was negative. This contradicts the principles or values derived from "How we act", which General Motors displays on its website:
Both express the company's intention to prioritize what is right and the customer above all else. Contrary to this, a potential economic benefit for the company rather than Romeo's could be the main motivator for GM's data sharing, highlighting an ethical issue.
This practice would affect all Cadillac owners who have the application installed and active. Accordingly, the case is currently seeking class-action status. These deficiencies in GM's use of personal data became evident through the harm Romeo suffered with the insurers; however, the lack of clarity in data usage could lead to larger problems, for example, the use of personal data to facilitate or hinder obtaining life insurance.
The large-scale collection of customer data through IoT raises doubts about the direction of personal data security in the automotive industry. According to research conducted by Mozilla and presented in an article in 2023, 84% of car brands openly share users' personal data with service providers, data intermediaries, and undisclosed entities. Furthermore, 76% of manufacturers admitted to selling customer data. The same study revealed that 92% of brands offer users limited or no control over their personal data. All of the above makes the automotive industry, as Mozilla puts it, a privacy nightmare.
To correct and prevent future GDPR violations and ethical breaches, GM should take the following measures, in order of priority:
Romeo Chicco's case emerges as the tip of the iceberg of a personal data security problem in the automotive industry that may be affecting not only General Motors customers but customers of much of this industry.
Establishing standards for the treatment of personal data by companies is necessary and requires oversight from governmental organizations. However, it is even more necessary for companies to develop robust ethical guidelines that support internal policies of transparency and risk management, allowing them to be a source of trust for customers who are increasingly aware of the dangers of exposing their personal data.