On the download: How car dealers could be stealing your data

“My firm alone represents 24 people who claim their vehicle data was accessed without permission by car dealers,” says Ferguson. “Based on this, I would guess that each day, hundreds of motorists are unwittingly making their data available to car dealers. Who knows where it ends up?”

The Evoque is now back, unrepaired, on Bonfanti’s drive, where it has been since March last year, while he awaits the outcome of his claim relating to illegal data access and his rejection of his car under the terms of the Consumer Rights Act 2015. Park’s Land Rover Ayr did not respond to Autocar’s requests for comment.

Dealers aren’t the only motor businesses accused of taking data without permission. Ross Hadfield is an independent motor engineer who helps establish the cause of accidents. He claims some major investigation companies routinely download the data stored by a vehicle without the owner’s say-so. “Despite a car’s ECU being classed as a ‘terminal unit’, and so requiring the owner’s permission to access the data within, many vehicle assessors working for insurers download the data anyway,” says Hadfield. “I’ve experience of insurers using such data to reject claims unfairly.”

Depending on the type of download, in addition to the electronic data recording (EDR) that insurers are seeking and which contains data relating to aspects of the car’s performance, including ABS activation, steering angle and throttle position, personal data is also captured. “I reckon up to 5000 cars a week have their data downloaded in bodyshops alone,” says Hadfield. “That’s a lot of phone numbers and other personal information that goes who knows where?”

A spokesperson for the Association of British Insurers said: “We are not aware of this practice taking place and insurers should, of course, always comply with relevant data protection legislation.”

The Information Commissioner’s Office, the agency that oversees the Data Protection Act, the scope of which extends beyond the EU’s General Data Protection Regulation (GDPR), says it’s not aware of data issues affecting the motor industry. A spokesperson told Autocar: “It’s not an issue we’ve seen specifically from the motor industry. However, all organisations need to be clear and transparent when collecting personal data.”

The ICO may not recognise there’s an issue, but the European Data Protection Board, the organisation that ensures the consistent application of data protection rules throughout Europe, is sufficiently concerned about data protection within the motor industry that in January last year it published a 30-page guidance document on the subject. In addition to declaring all vehicle data, including data generated by the car, to be personal, in that it is directly relatable to an individual through the vehicle’s VIN number, it reminds businesses that where they take data, their reasons for doing so must be “specified, explicit and legitimate”. It continues: “Prior to the processing of personal data, the data subject (the vehicle driver or owner) shall be informed of the purpose of processing, the data recipients, the length of time the data will be stored and the subject’s rights under the GDPR.”

This will be news to Bonfanti, whose data, he alleges, was downloaded from his Evoque by Park’s Land Rover Ayr 15 days before it sought his permission. “I was more worried for my family than for me,” he says. “Some of my older relatives, especially, are private and cautious people who would be concerned about the possibility of their personal information being shared. If something were to happen to them or any member of my family as a consequence, I’d feel responsible.”

Who's responsible?