Driverless cars are no longer the focus of science fiction or confined to the big screen – they are a tangible reality. A report recently commissioned by KPMG estimates that connected autonomous vehicles (CAVs) will generate £51 billion per annum by year 2030, equating to a 1% increase on the UK’s GDP. Further advances in CAV technology should, it is proclaimed, bring substantial benefits to road users through anticipated improved road safety, reduced congestion and reduced emissions.
The UK Government is keen to lead the way in Europe on policy development in this sector. Following its publication of the Pathway to Driverless Cars review documents in February 2015, it has recently launched a Code of Practice for the testing of automated vehicle technologies to provide guidance for organisations seeking to conduct testing in the UK. Last month, it announced a £20m investment fund through BIS for collaborative R&D projects. And it has just established a new joint policy unit as a point of contact for stakeholder management. The Centre for CAVs is aimed at coordinating efforts across DfT, BIS and other government departments to lead policy development, including an R&D, demonstration and deployment programme, worth up to £200m, with Innovate UK.
But core legal questions hang over the development of this new technology. Changes in road traffic legislation, issues of data protection and cyber-security, questions on liability, insurance and the application of communications law are just some of the key legal challenges facing its development and successful roll-out in the UK.
This article, focusing in particular on the data protection issues and challenges for major industry players in this field, is the first in a series of articles which seeks to explore some of these key legal obstacles.
The Data Challenge
Vehicle automation technologies such as crash prevention systems, lane departure prevention systems, parking assistance and adaptive cruise control are not new and are already available on many vehicles today. Technologies that automatically manipulate a vehicle’s direction or speed are also becoming increasingly commonplace. But as vehicles become increasingly connected with ever-more sophisticated and smart communications systems, the amount of data being processed by the vehicle’s on-board diagnostics will escalate.
New players will enter the market. App developers and after-market services will play a pivotal role. Chevrolet has just equipped 14 models of its cars to be released next year with connected car operating systems, courtesy of Apple and Google. Earlier this month, an auto repair connected driver app developed by China-based auto parts and services start-up, Tuhu, was valued at between $300m and $400m in its latest funding round.
New data needs and uses will emerge. Vehicles will, in theory, be able to capture and share externally not only the status of their internal systems and location data, but also changes in the external environment and their surroundings in real time. It is anticipated that CAVs will have the ability to communicate directly by sending automatic alerts to each other to safely avoid collisions.
As a result, increased volumes of existing and new data will be generated, combined, stored and communicated. The value of this data could be profound. As with other new technologies paving the way in the Internet of Things (IoT), CAVs hold the potential for profiling, monitoring and making decisions about individuals. When coupled with data mining or direct marketing research techniques, the potential for unauthorised access, disclosure and malicious use of an individual’s personal data, and its vulnerability to security breaches, greatly increases.
The future regulated use of this vehicle-to-vehicle or V2V communication is already imminent in the US, where the US Department of Transportation has announced plans for mandated rules on V2V communication technology, anticipated for proposal as early as 2016. In Europe, the introduction of the European emergency alert system eCall, which automatically communicates the exact location of a vehicle to emergency services in the event of an accident, will be mandatory for all new cars in the EU from April 2018 following the introduction of the much-maligned EU eCall Regulation.
The protection of Personal Data
The protection of an individual’s personal data constitutes one of the key legal obstacles to address for incumbent and new players in this field. Regulators, as well as consumers, will need to gain trust and confidence that rights to keep personal data protected will not be adversely affected by these new technologies and that adequate safeguards will be put into place to ensure the security of an individual’s personal data in accordance with applicable data protection laws.
Is it personal data?
Not all data collected by CAVs will be personal data. But the legal position in relation to CAV geo-location data, in particular, has been considered analogous to that of mobile phones. According to the EU’s Article 29 Working Party, location data from smart mobile devices will generally be “personal data” under the current UK Data Protection Act 1998 (DPA) for data protection purposes, since individuals can usually be directly or indirectly identified, and the movement patterns of mobile devices provide an insight into the private life of their owners. By analogy, data transmitted by connected cars or fully autonomous vehicles is also likely to be considered “personal data” where this data either alone or in connection with other information identifies the individual driver, owner, occupant or any user of a CAV.
The telematics and new infotainment systems in CAVs have, in theory, the ability to generate vehicle operations data, bio-metrics data, diagnostics data and other new data products. When combined with geo-location data, data from an individual’s personal communications or linked with the individual customer identification and account data held by a CAV manufacturer or service provider, all will constitute valuable personal data.
Even if the data is anonymised or pseudonymised (pseudonymous data being personal data that cannot be attributed to a specific data subject without the use of additional information that is retained separately) by removing unique individual identifying markers, for example vehicle identification numbers (VINs) or IP addresses, data-mining techniques are likely to be able to reconstruct personal identifying information about particular vehicles and their regular occupants or owners.
Who bears responsibility?
Currently, under the DPA, any entity determining the purpose for and the manner in which personal data is collected or processed will be a data controller and be subject to compliance with the DPA. Under the new GDPR, it is quite likely that in addition to enhanced liability for data controllers, any entity processing personal data on behalf of data controllers will also have direct obligations under the legislation.
In the case of embedded technology, such as that required for eCall, which provides for mandatory data sharing between the vehicle and emergency services (with limited exceptions), the original vehicle manufacturer is likely to be the data controller and subject to the relevant data processing laws.
But the future is likely to be much more complex. The change in business model for automotive manufacturers from pure hardware developers to technology innovators will result in these manufacturers being required to team up with companies such as Google, Apple and Samsung to simplify access to and integrate general mobile applications into the vehicle. Collaboration with mobile network operators to provide connectivity to the on-board vehicle systems, and agreements with cloud service providers will be necessary for the rollout of CAVs.
Determining who has ownership of, access to and control of personal data within this network of industry players will be complex, but crucial in determining legal liability. It introduces the real potential for multiple, joint and co-data controllers, and so carefully structured agreements between these parties will be key to clearly identifying the distinct roles, responsibilities and accountabilities of each party and managing the apportionment of risk on data processing. Under GDPR, there is the potential for one of the highest levels of fines being proposed for a failure to report data breaches within a proposed 72 hour reporting timeline. In a multiple or joint data controller agreement, who is best placed to take the responsibility for such disclosure? Who is accountable?
For all businesses, even if not directly accountable, the public and reputational damage arising out of any loss or misuse of an individual’s personal data could be significant.
The issue of consent
Under the DPA, personal data must be processed fairly and lawfully and must not be processed (in the case of non-sensitive personal data) unless at least one of the conditions set out in Schedule 2 to the DPA is met.
In the case of geo-location data, the Article 29 Working Party’s Opinion is that the consent of the data subject prior to the processing of such data will be required. And under the new EU General Data Protection Regulation (2012/0011) (GDPR), anticipated to come into force in late 2017/early 2018, it may also be that unambiguous or explicit consent would be required for this form of processing. But questions already arise on how data processing laws will apply to this new technology.
How will the new rights for an individual to be able to withdraw their consent at any time under proposed Article 7(3) of the GDPR align with this technology? The Article 29 Working Party, in its recent Opinion on IoT, recommends a “right to be disconnected” stating that “data controllers should offer an option to disable the “connected” feature of the thing and allow it to work as the original unconnected item…”. But will this be possible in the connected car? Can future connected technology be effectively “switched off” (such as tracking devices on mobile phones) or is it embedded technology forming an integral / necessary part of the new vehicle? Consider also the formative Schedule 2 condition under the DPA that processing is necessary for the performance of a contract to which the individual is a party, thereby avoiding the need for consent. But, in practice, contracts generally stipulate that an individual will consent to data processing for the term of the contract. It is unclear then whether, under the new GDPR, contracts which prohibit the removal of an individual’s consent during the term of the contract would be compatible with the new right to withdraw consent under GDPR. Or indeed whether the processing of data would still be lawful where an individual purportedly breaches the contract by removing their consent? And what of the Schedule 2 legitimate interests test? Much will depend on the design of the vehicles and how customer sales will be structured.
And while obtaining consent or reliance upon contract performance (or indeed other conditions) may prove to be relatively straightforward in respect of the owner of a connected vehicle, how does it apply to other people who use the connected vehicle but who do not have a relationship or contract with the CAV manufacturer or service provider?
International data transfers
Vehicles are commonly driven across national borders. So what are the implications of collecting and transferring personal data across borders? Consider where a UK CAV drives from the UK to a non-EEA country and communicates with other non-EEA CAVs in that country. Is it possible that data generated by the in-car system in the UK CAV could be transmitted and shared in the non-EEA country? If data is processed outside the EEA, it constitutes an international data transfer which will only be lawful if the data controller ensures that the non-EEA country has an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of that personal data.
Although data protection laws in many other countries (particularly within the EU) contain similar provisions to those in the UK, navigating these laws across multiple jurisdictions presents a real issue for data controllers, and in particular vehicle manufacturers. The introduction of the GDPR should simplify matters in respect of EU member states, but it is also likely to increase the regulatory burden on organisations, with the predicted financial limits for fines for non-compliance increased up to 2% (potentially up to 5%) of an organisation’s global annual turnover. In addition, it is as yet unclear what implications the currently debated Article 3 and Chapter V of GDPR, dealing with territorial scope and international transfers, may have on CAV technology and data processed outside the EEA.
It is reported that autonomous or self-driving vehicles will enter mass production by 2020 as more major automotive manufacturers in recent years have committed to R&D in this area. The recent tie-up by Audi, BMW and Daimler to collectively purchase “Here”, the maps division of Nokia, for £1.97 billion showcases this commitment. BT has also just launched its own security service to test the exposure of CAVs to cyber-attacks. And Mojio, the aftermarket car solutions provider, has just this month launched its own app store for CAVs, which includes a theft-tracker, an app analysing a driver’s history for cheaper insurance and a number of fleet management and diagnostic apps. It is clear that innovation in this industry has only just begun.
Vehicle manufacturers, cloud service providers, communications operators and other third party players in this market should carefully analyse the data protection risks associated with the implementation of CAV technology. The use of privacy enhancing technologies, privacy impact assessments to determine the risk of the loss and misuse of data, adopting privacy and security by design safeguards, ensuring data minimisation and informing users about the processing of personal data, are all recommendations that will become commonplace in the run-up to the new GDPR. Considering stricter laws as a benchmark for data transmitted cross-border and developing innovative structures and contractual options to appropriately minimise risk are also recommended to seek to alleviate the financial and reputational risks of non-compliance.
Taking example from the US automakers’ Privacy Principles, could the key UK/EU industry players come together to develop data protection principles or standards to provide guidance and transparency to customers about the use of their personal data? This would be a welcome advancement in the evolving data privacy debate for this emerging sector.