One of Australia’s most popular EV manufacturers has responded to claims it is sending data on its customers back to China.
BYD sold 12,500 vehicles across Australia last year and more than 15,000 between January and September this year.
But the Chinese manufacturer, distributed here by EV Direct, came under fire on all fronts last month for how it handled delicate information about its customers.
Many modern cars offer internet connectivity to run features such as voice command, GPS navigation and SOS systems that automatically phone emergency services in the event of a crash.
These collect information such as the car’s location and driver inputs – acceleration, braking and cornering – and in some cases, share this with third-party providers.
Last month, the US Government announced plans to ban Chinese-made software from cars on its roads over concerns for “national security”.
Australia has said it is “closely monitoring” the situation for now, but Shadow Home Affairs Minister James Paterson has questioned “how it is in our national interest for companies headquartered in an authoritarian state to … retain access to enormous amounts of data”.
A News.com.au article last month featured a BYD owner who claimed his car’s internal SIM “could be dialled by an external party, allowing audio from inside the vehicle to be transmitted to the caller without the driver’s knowledge”.
“In the video, the owner dials the car’s SIM number, and while audio from inside the vehicle is transmitted to their phone, there’s no visible indication on the car’s touchscreen or digital display that a call is taking place,” the article read.
“Even more concerning is that there appears to be no way to terminate the call from the vehicle.”
Upon hearing the reports, EVDirect worked with Telstra, the SIM provider, to resolve the issue within 48 hours.
In response to questions, EVDirect CEO David Smitherman told Region: “BYD treats the protection of customers’ personal information with the utmost importance”.
“BYD stores that personal information in Australia, on secure Australian servers in compliance with Australian privacy regulations,” he said.
“Data is not collected from Australian BYD owners on how they drive or use their vehicle.”
Mr Smitherman confirmed BYD “does not transfer any customer data” to its Chinese headquarters, but as “standard in the automotive industry, some diagnostic data is shared with the manufacturer for warranty and the improvement of future technology”.
“This diagnostic data sharing complies with relevant legislation and regulations regarding the methods of transfer and anonymisation. These measures are in place to ensure the highest standards of data protection.”
He also addressed concerns over the BYD app.
Like many car makers from Toyota to Tesla, BYD offers a smartphone app that can be used to remotely lock or unlock the car and adjust the air-conditioning, but this is “optional”.
“We want to be really clear about this: BYD does not have the ability to take control of any vehicles sold in Australia, remotely.”
It’s not just BYD, or the Chinese, embroiled in the software debate either.
Not-for-profit consumer advocacy organisation CHOICE wrote to 10 of the most popular car brands in Australia and “asked detailed questions about the data they collect, what they do with it and whether they allow consumers to opt in or out of their connected features”.
“We discovered Kia, Hyundai and Tesla were the worst offenders when it came to protecting the privacy of their customers,” CHOICE senior campaigns and policy adviser Rafi Alam said.
“Our investigation found Toyota, Ford, MG and Mazda also collect – and sometimes share – customer data.
“Toyota, Australia’s biggest car brand, collects both vehicle location data and information on a driver’s acceleration, braking and cornering behaviour.”
All of the surveyed car companies provided “opt-out” functions either through the display screen or on the app. But CHOICE argued this wasn’t clear enough and many “drivers are opted-in automatically when they buy a car or download the app and may not even know it’s happening”.
“The results of our investigation are a timely reminder that Australia’s privacy laws are woefully out of date, and certainly not fit for purpose in a market where cars are collecting and sharing personal information en masse,” Mr Alam said.
In Hyundai Australia’s response, seen by Region, the brand said it shared voice recognition data on an “aggregate and non-identifying basis” with Cerence, a third-party provider of automotive voice and AI products.
Hyundai said it may disclose personal information to third parties for reasons including “connectivity services” (such as Live Traffic), troubleshooting or “to conduct research and develop new and improved products, services, and business and marketing strategies”.
“At Hyundai, we take customer data protection very seriously, and implement robust measures to ensure safety and privacy,” the brand stated.
However, Dr Vanessa Teague from the Australian National University’s College of Engineering, Computing and Cybernetics told CHOICE that assurances biometric information could be shared in a de-identified manner was “complete baloney”.
“The idea that you can de-identify an image, or a voice is de-identified, it’s nonsense,” she said.
“What these car companies are doing is totally unacceptable. It should be illegal. These practices are good evidence that we need the Privacy Act updated or the Privacy Act enforced, because none of this should be acceptable in our country.”