Heightened regulatory scrutiny brings new privacy and safety obligations
Connected vehicles are no longer just a tech trend; they’re a regulatory priority. With privacy and safety regulators sharpening their focus, organisations need to understand the legal risks and prepare for compliance.
The key question is, why now? Despite connected vehicles being available in Australia for many years, the last 12 months have seen regulators increase their focus on their impact and risks.
In February 2026, the Office of the Australian Information Commissioner (OAIC) confirmed that preliminary investigations were being undertaken into connected vehicles, and that others had been contemplated.1 This follows statements in February 2025 by Elizabeth Tydd, the Australian Information Commissioner,2 and in May 2025 by Carly Kind, the Australian Privacy Commissioner, announcing that 'the OAIC will be ensuring that there is compliance [with the Privacy Act] to the fullest extent as we look into issues concerning connected cars'.3
Connected vehicles also attracted the attention of the eSafety Commissioner, who highlighted the emerging risks of use of connected services in surveillance, particularly in the context of safety and coercive control.
In this Insight, we look at:
- the emergence and features of connected vehicles
- the increasingly complex web of interconnected laws and regulations that will impact the automotive sector and its supply chain
- what organisations should be doing to prepare for, and navigate, this regulatory landscape.
The intersection of automotive innovation and regulation
Connected vehicles have transformed from mechanical machines into sophisticated digital platforms, continuously generating, transmitting and relying on vast volumes of data. As automotive technology converges with telecommunications, cloud computing and AI, vehicles now operate within complex ecosystems of sensors, networks and software that enable real‑time navigation, remote functionality, enhanced safety features and personalised services.
This evolution has also reshaped the legal landscape. Regulators worldwide are scrutinising how connected vehicles collect, use and share data, with particular attention on privacy, cybersecurity, consumer protection and telecommunications compliance. The result is a rapidly expanding web of obligations that manufacturers, suppliers, mobility providers and other industry participants must carefully navigate.
This guide equips organisations operating in the automotive sector with a clear understanding of the key legal risks associated with connected vehicle technologies and the regulatory frameworks that govern them. It outlines the core privacy, data protection and telecommunications issues that arise, and provides practical direction for managing compliance in an increasingly connected mobility environment.
By 2031, 93% of new cars sold in Australia are expected to have embedded mobile data connectivity.4
Connected and autonomous vehicles
What are connected vehicles?
Put simply, connected vehicles are vehicles with an internet connection. They collect data from, or share data with, drivers, other road users, roadside infrastructure, car manufacturers, fleet operators and wireless services.
Key features include remote control (engine start, locking), safety functions (SOS calls, child detection), and connectivity (smartphone pairing, live weather and traffic updates). Each of these relies on data and creates new compliance challenges.
Connected vehicles comprise both electric vehicles (which are typically connected) and existing fuel-based vehicles with connected services. For electric vehicles, the interconnection between connected services and vehicle operation and performance is even more entwined, with many key functions being controlled through the core operating system. This is in addition to providing connected services as an add-on to a vehicle's traditional functions.
Autonomous vehicles
Autonomous vehicles take things a step further. Often referred to in the same breath as connected vehicles (as 'connected and autonomous vehicles', or CAVs), the key difference is that autonomous vehicles build on the connectivity and sensor data utilised in connected vehicles to automate some functions that would ordinarily be undertaken by a human operator. Autonomous functions range from minor features (such as lane centring or cruise control) to full autonomy (as seen in US cities such as San Francisco, where self-driving taxis are proliferating).
Data-driven opportunities
While connected vehicles offer various safety and efficiency measures, they also collect and transmit large volumes of data. This creates opportunities for new services and features, but also enlivens significant (real and potential) privacy and cybersecurity obligations, since every data point collected can trigger regulatory requirements.
These are not confined to features offered by manufacturers and dealers, but extend to new data-supported business opportunities for all players in the automotive sector ecosystem, including fleet managers, insurers and auto-financiers.
| Data collected | Data driven opportunities5 |
|---|---|
|
|
Legal landscape
Connected vehicles sit at the crossroads of multiple regimes—privacy, consumer law, telecoms and motor vehicle standards—creating overlapping compliance obligations.
| Topic | Relevant laws | Relevance to automotive sector ecosystem and connected vehicles |
|---|---|---|
| Privacy and data protection | Privacy Act 1988 (Cth) | Significant volumes of data collected by connected vehicles will often be personal information, and the manner in which it is collected, used and disclosed will be regulated. |
| Surveillance device laws | Various federal, state and territory surveillance device laws (eg the Surveillance Devices Act 2004 (Cth)) | Prohibit the use of various surveillance and listening devices, usually where they are used without the knowledge or consent of the other person. Lack of transparency around connected car surveillance and monitoring capability, or inappropriate configuration of such capability, may give rise to risks under these laws. |
| Consumer protection | Australian Consumer Law; Unfair Contracts Regime | Consumer guarantees apply to vehicles. Consumer law and the unfair contracts regime are relevant to the offering of terms and conditions for connected services (which are often separate to the vehicle itself). |
| Telecommunications law | Telecommunications Act 1997 (Cth); Radiocommunications Act 1992 (Cth) | Regulatory framework governing the provision of telecommunications connectivity offered with vehicles, and the use of relevant spectrum by devices and sensors. |
| Motor vehicle regulation | Road Vehicle Standards Act 2018 (Cth); Motor vehicle service and repair information sharing scheme (in Part IVE of the Competition and Consumer Act 2010 (Cth)) | The Road Vehicle Standards Act establishes standards for road vehicles in Australia. The motor vehicle service and repair scheme requires access to technical repair information for independent repairers—particularly relevant to connected vehicles where issues may be software-based rather than mechanical. |
| IOT/Smart Device Standards | Cyber Security Act 2024 (Cth) | Sets out minimum cybersecurity standards for smart devices. Excludes 'road vehicle components', but potential to be expanded to cover any connected components not adequately covered by the Road Vehicle Standards Act. |

Privacy regulatory focus: In February 2025, the Office of the Australian Information Commissioner (OAIC) announced it had 'commenced preliminary inquiries into the privacy impacts of connected vehicles'.1 Just a few months later, the Australian Privacy Commissioner, Carly Kind, warned that 'the OAIC will be ensuring that there is compliance [with the Privacy Act] to the fullest extent as we look into issues concerning connected cars'.2 In February 2026, it was confirmed that two preliminary investigations were under way.
Top 6 issues for connected vehicles and data
Privacy obligations are likely to apply broadly, and the OAIC is focusing on broad application of privacy law.
Connected services are often linked to specific individual accounts or profiles. Where an individual is 'reasonably identifiable', then the data collected from connected vehicles will often be personal information under the Privacy Act. Some connected services will explicitly require the production or collection of 'sensitive information' (eg biometrics). This question is further complicated by issues in determining whether a person is identifiable in the context of a vehicle, particularly given:
- vehicle data is not always about an owner—it can relate to a driver or passenger who may not be known.
- vehicles will be passed from owner to owner. Responsibility for changing vehicle registration and ownership (and associated accounts) sometimes requires manual activity for owners or users of a vehicle. This can result in personal information being collected about a person which may be associated with, or accessible by, another person if appropriate steps are not taken.
Connected services will sometimes characterise certain classes of information as 'non-personal', such as location data, vehicle performance data or diagnostic data. While such data may be neutral technical data in some contexts, in others it may be data 'about' an identifiable person. The OAIC is clearly focused on the risks that arise from the ability to infer data about a person, particularly through geolocation data.
"While geolocation data is not explicitly classified as sensitive personal information, where it reveals aspects of sensitive personal information—for example, health information by virtue of an individual’s proximity to a specialist practitioner or abortion clinic—the waters become muddied"
The suggestion that sensitive information can be inferred from geolocation and associated data potentially creates significant complexity for manufacturers, fleet operators or other organisations that collect or use such data.
Privacy by design for connected services is critical.
Connected services often collect data automatically. This raises the question of whether users should be able to opt out of data collection, and whether all collection is reasonable.
These risks will be highest where non-essential data collection purposes are bundled in with the connected services. If users do not have the ability to differentiate between different services and collections, this can raise concerns about the validity of consent.
Privacy by design and appropriate user controls (such as avoiding mandatory collection of non-essential data) are a key way to mitigate these risks.
Careful and clear disclosures and consents are critical to compliance.
A major challenge for users, manufacturers and service providers is juggling consents and disclosures involved in connected services.
Most users register for connected services via in-car or in-app registration, linked through both terms and conditions and privacy disclosures.
The volume of data-related activities means that substantial disclosures are required, which are often delivered through in-vehicle dashboards or interfaces which may not be best suited for the task.
The OAIC has raised concerns about the adequacy of consents arising out of disclosures:
"A broad range of information being collected (often invisibly), plus the difficulty in comprehending the consequences of this information being collected, used and disclosed due to the lack of transparency, add to a situation where it is hard for consumers to provide fully informed and meaningful consent."2
The use of broad disclosures and consents in standard form terms and conditions also creates potential unfair contract risks, particularly if broad rights or consents are obtained.
Use cases for connected vehicle data other than direct provision of connected services to the customer may require express consent.
A key issue is how the data collected from a connected vehicle (or service) is ultimately used. APP 6 requires use to be for a primary purpose, unless an exception applies.
The OAIC is very focused on data disclosure to third parties—in particular, data brokers and insurers:
"I have concerns where data collected is disclosed to third parties for a secondary purpose, beyond the provision of connected services to the car user."2
An additional consideration is where collected data (that is personal information) is subsequently disclosed overseas. APP 8 requires reasonable steps to be taken to ensure overseas recipients do not breach the APPs in relation to the information.
The use of broad disclosures and consents in standard form terms and conditions also creates potential unfair contract risks, particularly if broad rights or consents are obtained.
Cyber risk management is central to maintaining trust in connected services and autonomous vehicles.
The biggest fear with a connected vehicle remains the idea that it may be interfered with remotely by a bad actor. Such fears are not without merit given the history of connected vehicles being remotely accessed, which includes:
- cybersecurity researchers remotely taking control of a vehicle, including disengaging its engine and brakes while it was being driven;7
- a manufacturer's dealer portal potentially allowing third parties to remotely take over millions of vehicles using only a VIN or license plate number;8
- a security specialist hacking into multiple vehicles across a dozen countries by exploiting a third-party app, gaining access to vehicle data and remote-control functions;9 and
- cybersecurity researchers remotely unlocking and starting a vehicle without a physical key.10 Indeed, Victoria Police recently stated that vehicles with electronic push start technology are being targeted by thieves, which has 'led to levels of car theft not seen in Victoria since 2002'.11
The Australian Signals Directorate also identified examples of:
- connected vehicles recording conversations without consent; and
- software vulnerabilities impacting remote access and control.12
Cyber risks are also exacerbated by the capability for surveillance and monitoring (with malicious misuse in the context of domestic violence a key tool in coercive control). The eSafety Commissioner has identified that connected vehicles are now being 'weaponised' in the context of family and domestic violence.13
Finally, the sheer amount of data generated by connected vehicles creates a greater trove of information to be protected from unauthorised access or misuse. This heightens the need for manufacturers and associated service providers to provide individual account safety and ensure the balance between convenience and appropriate controls is achieved and maintained. Such a balance is not only legally prudent but makes business sense—'Consumers are wary of how their driving data (location, habits, etc.) is being collected, stored, and used, especially given the potential for misuse or unauthorized access'.14
Incorporating connectivity or autonomous features into vehicles may require consideration of telecommunications laws, spectrum licensing requirements and the nature of connectivity or communication systems used.
Some forms of connected vehicles may be classified as a 'carriage service provider' or 'carriage service intermediary' under telecommunications law. This has a number of particular regulatory consequences, including interception and data retention obligations. Many of these laws are ill-suited to connected vehicle providers or distributors.
A 2023 consultation and discussion paper from the Federal Government discussed whether the application of telecommunications laws to connected vehicles was appropriate.15 However, little movement has occurred on this front.
In addition, the development of autonomous vehicles will be impacted by the rollout and use of communications systems, including for 'co-operative intelligent transport systems'. These are interconnected communications systems that allow road vehicles to communicate with other vehicles, persons and structures.
While there is a current ACMA-issued class licence that covers the use of these systems, users must comply with the technical standards of the class licence.
Next steps
To avoid regulatory pitfalls, manufacturers and other entities in the automotive sector should prioritise these steps now:
- Review existing disclosures, consents, and terms and conditions for connected services to assess for transparency, clarity and scope of consents.
- Undertake a privacy impact assessment for any proposed secondary use of connected vehicle data. Assess the risk of whether technical or operational data could be identifiable.
- Consider how design of services, data collection options and access to connected services can be managed to mitigate against both privacy risks and potential risks from misuse of connected services (particularly the risk of technology-facilitated abuse or coercive control).
- Ensure appropriate cyber risk management steps are being taken in connection with connected services, including undertaking penetration testing, ongoing monitoring and audits.
- Review connected services scope to understand any telecommunications regulatory obligations.
- Monitor OAIC activity and changes to cybersecurity standards.
Footnotes
1. Foley M., 'Is your car spying on you? The privacy commissioner wants to know', The Age, 10 February 2026.
2. Tydd E., 'Senate estimates opening statement February 2025', Office of the Australian Information Commissioner, 26 February 2025.
3. Kind C., 'UNSW Privacy & Security Regulation for Connected Cars Workshop', Office of the Australian Information Commissioner, 2 May 2025.
4. Austroads, 'Future Vehicles Forecasts Update 2031: Addendum to Future Vehicles 2030', Research Report No AP-R654-21, 6 September 2021, pg. 28-29.
5. Sterk, F., Stocker, A., Heinz, D. et al., 'Unlocking the value from car data: A taxonomy and archetypes of connected car business models', Electron Markets 34, 13 (2024).
6. Kemp, K., 'Driving Blind: The Unexamined Privacy Risks of Connected Cars', UNSW, 19 November 2024, pg. 19.
7. Greenberg, A., 'Hackers Remotely Kill a Jeep on the Highway—With Me in It', WIRED, 21 July 2015.
8. Arntz, P., 'Millions of Kia vehicles were vulnerable to remote attacks with just a license plate number', Malwarebytes Labs, 27 September 2024.
9. McFarland, M., 'Teen's Tesla hack shows how vulnerable third-party apps may make cars', CNN Business, 2 February 2022.
10. Fearn, N., ''White hat hackers' carjacked a Tesla using cheap, legal hardware — exposing major security flaws in the vehicle', Live Science, 23 March 2024.
11. Victoria Police, 'Motor vehicle theft', 10 November 2025.
12. Australian Signals Directorate, 'Introduction to connected vehicles', 30 June 2025.
13. eSafety Commissioner, 'From smart cars to tracking devices: Technology's increasing role in coercive control and family and domestic violence', 30 November 2025.
14. Beriwal, V., '2025 Connected Car Study: Inside consumer priorities', S&P Global, 3 July 2025.
15. Department of Infrastructure, Transport, Regional Development, Communications and the Arts, 'Telecommunications Legislation and Connected Vehicles: Discussion Paper', October 2023.


