Date: 2025-08-06

Anyone who’s been along to Infosecurity Europe in the past few years will know that there’s a problem with today’s cars.

Many of us can remember the ‘hacking on demand’ demos at Infosec, with a hands-on demonstration of the weaknesses of some vehicles. Modern vehicles are device-centric, packed with AI, sensors, cameras, GPS and in-car software. They deliver unprecedented connectivity.

However, these advances also bring significant security, privacy and regulatory risks that businesses can’t afford to ignore.

Growing Regulatory Scrutiny

We’ve already seen regulators intervene in recognition of these risks. In 2022, Volkswagen was fined €1.1m ($1.3m) by a German regulator for failing to properly inform test drivers that in-vehicle cameras were recording them and for failing to carry out a proper risk assessment.

In 2023, Tesla saw over 100GB of sensitive internal data – including customer and employee information – leaked by insiders. At least one class action has been issued in the US on the back of the breach. These cases highlight the vulnerability of connected vehicle ecosystems and the significant potential for reputational and financial damage when security controls fall short.

These risks are likely to grow. There are 26 million electric vehicles (EVs) already on roads globally, a figure projected to reach 145 million by 2030. Connected vehicles (including EVs) generate vast amounts of data, from driver profiles and telematics to location tracking and nearby pedestrians, which passes through a complex web of manufacturers, insurers, app developers and law enforcement.

This has brought increased scrutiny from regulators. The General Data Protection Regulation (GDPR), the UK Data Protection Act (DPA) 2018, ePrivacy rules, and new frameworks like the EU Data Act and NIS2 are reshaping how automotive businesses collect, use, secure and share personal data. Non-compliance is not just a legal risk – it can mean significant fines and lasting reputational harm.

For those in the connected and autonomous vehicle (CAV) sector, understanding and addressing these data protection risks is essential to staying on the road.