Publications

Electric vehicles (EVs), smart cars and connected vehicle technologies are becoming increasingly embedded within both commercial and everyday life.  At the same time, they are creating something we haven’t really had to deal with before: that cars constantly collect, store and share data about where go, how we drive and even what we do inside the vehicle.

This does not mean that all EVs are spying on drivers, but it does mean the data they generate is now a real policy and business issue, raising complex questions.

With around 80% of all EVs sold in Australia being built in China, which has different privacy principles, the conversation is heating up regarding privacy, surveillance, cybersecurity, governance and data ownership.

What data do electric vehicles collect?

EVs and connected vehicles collect significantly more information than traditional vehicles. While many of these functions enhance convenience, safety and efficiency, they also create extensive digital footprints.

Depending on the manufacturer involved, EVs may collect:

• vehicle telemetry data, including speed, braking patterns, acceleration, battery usage, diagnostics, and maintenance information;
• location data, including GPS history, driving routes, charging locations and travel patterns;
• behavioural information relating to driving habits and vehicle usage;
• synced device data, including phone contacts, messages, calendars, and other synced app data;
• driver profile and biometric data, including voice command recordings and digital assistant interactions, and camera and sensor recordings associated with driver-assistance and autonomous driving features.

Why this raises privacy and surveillance concerns

Surveillance and profiling

The nature of the information collected by EVs creates the potential for highly detailed behavioural profiling. Continuous location tracking, driving habits, charging patterns and general vehicle usage data can collectively reveal significant insights into an individual’s routines, movements, associations and lifestyles.

Secondary data use

Importantly, the data collected by smart cars may not remain solely within the vehicle itself. Data may be transmitted to manufacturers, software providers, cloud service providers, insurers, third-party applications integrated into the vehicle ecosystem and in some cases foreign entities.

These collective concerns become more pronounced where data may be:

• shared with third parties;
• used for analytics or targeted advertising;
• incorporated into insurance risk assessments;
• accessed by law enforcement agencies; or
• utilised to train AI systems.

As connected vehicle technologies continue to evolve, questions regarding who owns vehicle-generated data – and who can access or control it – are likely to become increasingly contentious.

Lack of transparency

Many drivers remain unaware of the extent to which their vehicles may collect and process personal data. Even where disclosures exist, privacy policies are often lengthy, technical and difficult to meaningfully understand.

Cybersecurity risks

Connected vehicles effectively operate as internet-enabled devices, creating additional cyberattack targets. Cybersecurity incidents involving connected systems may expose both operational and personal information risks, particularly where vehicle ecosystems are integrated with mobile apps, cloud storage platforms and payment systems.

National security and critical infrastructure risks

Globally, concerns have been raised about whether connected vehicles (especially those built in countries with different data access laws such as China) could be used to collect sensitive location, infrastructure and behavioural data, as well as travel patterns of high profile individuals.

While connected vehicles are not currently classified as critical infrastructure in Australia, their growing integration has led to broader discussions regarding whether aspects of the connected vehicle ecosystem should be subject to heightened regulatory oversight.

Managing commercial and governance risks for businesses

Organisations should start treating connected vehicle technology as part of their wider privacy and governance planning.  In particular businesses operating EV fleets should consider:

• whether existing workplace policies adequately address vehicle monitoring;
• how telematics data is collected and used;
• who inside (or outside) the organisation can access to vehicle-generated information; and
• whether appropriate cybersecurity protections are in place.

Vehicle tracking and telematics systems may collect detailed information regarding employee movements, locations and driving behaviour, potentially giving rise to obligations under applicable workplace surveillance legislation and employment frameworks.

Similarly, organisations operating charging infrastructure and mobility services may collect substantial volumes of customer information through mobile applications, payment systems and connected platforms.

Governance and risk management

Businesses should start treating connected vehicle technology the same way they manage any other digital system that handles personal data.

This may include:

• doing due diligence regarding technology vendors;
• reviewing contractual risk allocation;
• having incident response plans in place;
• assessing data governance and retention practices; and
• considering insurance for cyber and privacy incidents.

How Australian law might apply

At a global level, regulators are beginning to scrutinise connected vehicle ecosystems more closely, with specific concerns emerging in relation to:

• the scale of personal information collected by connected vehicles;
• insufficient transparency regarding data practices;
• cybersecurity vulnerabilities;
• the sharing of information with third parties; and
• the integration of AI-driven technologies into mobility systems.

While Australia does not currently have a regulatory framework specifically tailored to EVs and connected vehicles, existing privacy and cyber obligations may apply.

Depending on the circumstances, information generated by connected vehicles may constitute “personal information” under the Privacy Act 1988 (Cth), particularly where the data can be used to reasonably identify an individual.

What organisations can do now

As connected vehicle ecosystems continue to expand, organisations should consider taking proactive steps to manage legal and operational risks.

Depending on the nature of the organisation and its technology usage, this may include:

• conducting Privacy Impact Assessments for connected vehicle technologies;
• reviewing supplier and technology contracts;
• implementing or updating fleet monitoring policies;
• assessing cybersecurity and incident response capabilities;
• reviewing data retention and destruction practices;
• considering employee notification and consent processes; and evaluation cross-border data handling arrangements

This article was published on 29 June 2026 by Carroll & O’Dea Lawyers and is based on the relevant state of the law (legislation, regulations and case law) at that date for the jurisdiction in which it is published. Please note this article does not constitute legal advice. If you ever need legal advice or want to discuss a legal problem, please contact us to see if we can help. You can reach us on 1800 951 006 or via the Contact us page on our website. (www.codea.com.au).