Australians have long embraced technological innovation, and nowhere is this more apparent than on our roads. Vehicles that once operated in splendid isolation are now sophisticated, data-generating computers on wheels - 'connected cars'.
A connected car is a vehicle equipped with internet connectivity, allowing it to communicate with the outside world and access various smart functions. This connectivity enables features like GPS, keyless entry, and data transmission from vehicle sensors to the manufacturer, and the car can also interact with other connected devices and infrastructure.
In early May 2025 the Australian Privacy Commissioner, Carly Kind, delivered a forthright assessment of the privacy landscape surrounding these vehicles. Her remarks coincided with the recent and ongoing privacy law reforms, including a first wave of changes recently implemented via the Privacy and Other Legislation Amendment Act 2024 (Cth) (2024 Amendment Act). She indicated that she would be consulting with key stakeholders on privacy concerns in the automotive industry. This reinforces the indication by Australian Information Commissioner Elizabeth Tydd in Senate estimates in February 2025 that the OAIC had already commenced preliminary inquiries into the privacy impacts of connected vehicles.
When considered together, these developments signal a decisive shift. For manufacturers, dealers, insurers, fleet operators and mobility-as-a-service providers, the message is unmistakable: privacy is fast becoming a core safety feature, and non-compliance carries real legal and commercial peril.
Why Connected Cars Matter to Privacy Regulators
In her recent speech, Commissioner Kind framed privacy as an issue of power. Modern vehicles collect data about driver behaviour, location, biometric identifiers, voice snippets, in-cabin imagery and data from paired devices. Consumers may not expect this level of monitoring, let alone understand the potential implications for them personally.
Research cited in the speech shows that only two in ten drivers are aware their car transmits information back to the manufacturer, while an overwhelming majority wish to control who receives their data. This alleged asymmetry - deep knowledge on the part of the manufacturer, limited awareness on the part of the user - creates precisely the 'power imbalance' that privacy law is designed to address.
Specific risks highlighted include over-collection, opaque privacy notices stretching to tens of thousands of words, bundled consents that are neither fully informed nor freely given, and secondary uses ranging from insurance underwriting to AI model training. The Commissioner also drew attention to security threats - unauthorised remote access to vehicle functions, location tracking by abusive partners, and the exposure of highly granular movement data that can be used for profiling or targeting purposes.
A New Privacy Act for a Connected Age
Whether action is required to address the Commissioner's concerns should be considered in the context of recent form. The 2024 Amendment Act, which took effect on 10 December 2024, strengthens individual rights and regulator powers in ways that directly implicate the automotive ecosystem:
A statutory tort of serious invasions of privacy (commencing no later than 10 June 2025) creates a private right of action for intentionally or recklessly intruding upon seclusion or misusing personal information where the invasion is serious and the privacy interest outweighs countervailing public interest. Continuous location tracking or surreptitious in-cabin recording - particularly of passengers or minors - could fall squarely within scope.
Expanded OAIC enforcement tools, including tiered civil penalties, infringement notices and compulsory compliance notices, empower the regulator to police 'administrative' failings such as inadequate privacy policies or failing to provide adequate opt-outs for direct marketing activities.
Enhanced transparency requirements when using personal information for automated decision-making (to take effect in December 2026). Where telematics data drive insurance pricing or credit assessments, organisations will need to think carefully about what additional disclosures they will need to provide about these activities and the information involved.
New obligations to implement both technical and organisational security measures, reinforcing the responsibility that organisations have to safeguard the information they collect and hold. Hard-coded encryption and secure over-the-air updates will no longer suffice if staff are not trained to recognise privacy impacts in product design and maintenance. More than ever it will be crucial for businesses to take a ‘privacy by design’ approach when developing and launching new technological innovations.
Criminal sanctions for doxxing underscore the sensitivity of geolocation, imagery and biometric data collected by vehicles. Improper disclosure of such data - whether by rogue employees or through lax security - could attract sentences of up to seven years imprisonment.
Implications for Industry Stakeholders
The convergence of the Commissioner’s policy agenda and Parliament’s legislative action creates a compliance imperative:
The Road Ahead
Australia’s updated privacy framework and the OAIC’s thematic focus on connected cars present twin headlights illuminating the same route: a future in which data stewardship is integral to mobility.
Organisations that treat privacy as a design parameter - akin to crash safety or emissions - will enjoy consumer trust, smoother regulatory relations and competitive edge. Those that regard it as a compliance afterthought may soon find themselves navigating litigation, penalties and customer backlash.
For drivers, the reforms promise greater visibility and control over how their vehicular data travels. For the automotive sector, the task is to translate legal risk into engineering reality, ensuring that the connected convenience of tomorrow does not come at the cost of today’s fundamental - and increasingly enforceable - right to privacy.


