Interview with Jonathan Price, Legal Counsel at JLR
JLR’s legal strategy has shifted dramatically over the past two years, largely in response to the new legal demands brought about by the rise of the connected car
Big changes are happening in two areas: contracting with a new class of supplier and a developing landscape on customer privacy
Jonathan Price outlines the changes being made at JLR to prepare the company for the next phase in the evolution of vehicle manufacturing
Jonathan Price: I’ve been at JLR for a little over two years now. During that time, the company’s entire approach to connected cars has evolved dramatically, and as a result, the way legal gets involved has also changed.
Previously, when vehicle manufacturers were purchasing software, it was almost always linked to hardware systems, bundled together with an item of hardware from a tier-one supplier. Today, it’s vastly different: we purchase apps, cloud-hosted services, online content and stand-alone software.
These changing circumstances mean that in my role today, I spend a lot more time supporting JLR’s procurement team. Because of the changing nature of the products we are sourcing, we are increasingly working with companies that have either never worked with the automotive industry before, or never with JLR. This requires a high level of support from the legal team.
I joined JLR specifically to address this need. Our approach has evolved as the number of uses for this technology has expanded. Originally, connected car technology was solely focused on telematics, but its scope has grown rapidly and now, every month, new software products and services are being added to the range of connected technologies. Obviously, as this continues, the amount of work for legal to do in this area grows.
You need a real overview and knowledge of various parts of the law, but just as important is to understand the context and implications of the technology. A technology that has a certain risk level when implemented in a mobile phone can have a different set of legal risk factors when placed in a car.
Jonathan Price: You need a real overview and knowledge of various parts of the law, but just as important is to understand the context and implications of the technology. A technology that has a certain risk level when implemented in a mobile phone, such as location-based services, can have a different set of legal risk factors when placed in a car, on matters to do with security, warranty and safety.
Personal data is defined as follows in the UK Data Protection Act: (note 1)
Personal data means data that relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Non-personal data can therefore be defined as data that does not relate to an identifiable individual.
Jonathan Price: We and other automotive manufacturers deal with the issues in our own ways on things like end user terms. I’m not sure anyone in the industry has found the perfect solution – I’m not even sure a perfect solution exists.
Jonathan Price: Our product design and engineering teams are focused on
developing products that have Privacy by Design principles integrated from outset. Having products and features with built-in acceptance methods planned from the outset makes it much easier to present customer friendly solutions.
I work closely with JLR’s Data Privacy team to advise on the privacy issues
surrounding connected car features. On the legal side specifically, we have been putting in place trigger points during the product creation process. This means that as our teams work to develop the next great features, we can make sure that legal and compliance requirements are being considered upfront at the appropriate time as the features are being developed, not an afterthought. As we’ve been working to implement this, we’ve been looking at what works and what doesn’t, and learning quickly from each project.
One important thing to consider here is that, eventually, these privacy issues
will not be the exclusive domain of the connected car team – in the longer term, connected features related to autonomous cars and safety systems will be common on many vehicles. It’s important that we get this right today in order to prepare for that future.
Eventually, privacy issues will not be the exclusive domain of the connected car team but will involve many areas of vehicle design and engineering.
Jonathan Price: There are different levels of data that we need to address
here. The first is non-personal data [see box-out below], which isn’t caught by data privacy regulations, but nonetheless has security and confidentiality requirements. Dealing with this is simpler, from a legal point of view. Then there is customer data, which is increasing in volume as more connected car services are being added, and vehicle manufacturers start to build more direct relationships with customers, moving away from the traditional dealership-based model of interaction.
The question of how each level of data gets used is an interesting one, in particular how ‘big data’ can be used to benefit our customers and business
within the framework of privacy laws and other legal considerations. It’s
important to think not only on what is legal in this area, but also what customer expectations will be, based on their experiences in other sectors. Some services will only work if the customer is willing to make available their personal data – such as mixing non-personal data with personal data to create a mapping system populated by personalised recommendations. In examples such as this, and particularly in ones where the customer has never experienced anything similar before, my job is to highlight the legal risks, and guide the business about where we feel the boundaries are for the customer.
PbD is the philosophy and approach of embedding privacy into the design of technology (note 2).
By putting the privacy agenda into every stage of the product development process, OEMs will be in a position to identify possible privacy and security risks and take proactive measures to prevent them from occurring.
PbD principles are considered best practice in the management of privacy concerns.
Jonathan Price: Unless we’re collaborating directly on a specific project with another company, I think we’ll all continue to work on our privacy solutions individually – we all have our own businesses to protect, and further, our own customers to be responsible for. However, I expect that new data protection regulation in Europe will act as a catalyst for a more harmonised approach to these privacy questions by vehicle manufacturers, because there will be stricter boundaries and guidance laid out in the new legislation. Countries like Russia and China also have their own particular requirements, which could mean automakers have to go about compliance in very similar ways.
As the technology evolves, more standardisation will also be necessary. We expect that in the future there will be connectivity not only between the car, the manufacturer and third party service providers, but also to roadside infrastructure and other vehicles. This means that these systems must be able to talk to one other, so there will certainly have to be technical standards that allow this to happen.
Some services will only work if the customer is willing to make available their personal data - such as mixing non-personal data with personal data to create a mapping system populated by personalised recommendations.
Jonathan Price: Tackling the issues needs a close working relationship and collaborative approach between legal and connected car teams, which we have at JLR. There has to be a strategic approach that builds systems from the ground up to meet the expected legal requirements, such as presenting terms to customers in a way that’s user friendly but also scalable and adaptable, because these features aren’t going to stand still. There’s plenty to do and lots of challenges - but it makes for a really exciting automotive area to work in.
• Jonathan Price (Legal Counsel, JLR) says JLR’s approach to legal has changed dramatically over the past two years thanks to the advent of the connected car
• Connected car technologies have new legal implications for OEMs, which need increasing involvement of legal team
• The profile of the average supplier is changing – they are more software focused, and perhaps have never worked with a vehicle manufacturer before
• JLR is embracing Privacy by Design, which integrates privacy considerations into the whole design process
• Non-personal and personal data need to be treated differently, but the two will increasingly be entwined as engineers and designers look to offer more integrated services to consumers
• Jonathan believes the auto industry is in a learning phase to work out the best possible solutions to legal compliance for the connected car and greater standardisation will happen over time
Legal Counsel - Production Software and Connected Car, Jaguar Land Rover
Jonathan Price is a member of Jaguar Land Rover’s UK in-house legal team. He is responsible for legal support for the company’s procurement of vehicle software, connected car features/services and related matters. Jonathan graduated from Oxford University in 2000 and qualified as a solicitor in 2005. Before joining JLR in 2013, he was a senior associate at Eversheds LLP where he acted for a wide range of technology suppliers and customers advising on commercial contracts, IT outsourcing projects, and specialising in e-commerce and data protection.
We would very much like to thank Jonathan Price for his time and insights into this very interesting topic; Capucine Nivet and Angelique Tourneux from BearingPoint; Tanja Schwarz, Sharon Springell and Ludovic Leforestier from the BearingPoint Institute team.