Connected and autonomous vehicle (“CAV”) technologies are set to have a profound social and economic impact worldwide and continue to accumulate a great weight of expectation. Advocates argue that CAV technologies will improve road safety, ease congestion and reduce harmful emissions, whilst dramatically increasing the mobility of those who are not able to drive and improving the productivity of all as drivers are freed up to concentrate on other tasks.

In this article we briefly outline some of the latest developments in CAV technologies and address some of the current legal challenges to which regulators, innovators and consumers must find solutions in order for these technologies to succeed. We look at the present legal landscape and assess the challenges and opportunities arising from data protection, cyber security and insurance issues and provide our views on the ways forward.

CAV technologies: Where are they now?

The International Organization of Motor Vehicle Manufacturers (OICA) measures automation by reference to six levels, with “SAE Level 5”[1] denoting the highest level of automation. Series production of autonomous vehicles capable of driving themselves without any human intervention, or with intervention only in limited use cases (SAE Levels 4 and 5), is still likely to be some years away. However, there are a number of increasingly connected vehicles on the market which can communicate and exchange information over the Internet with other vehicles, infrastructure and external devices, in order to improve the driving experience and create more efficient transport networks. At the time of writing, market observers consider saleable CAVs to have progressed to SAE Level 2, with technologies such as adaptive cruise control and autonomous emergency braking enabling partial automation, though drivers are required to monitor the driving environment at all times.

These recent advances in CAV technologies are the result of competition and in some cases collaboration between a diverse range of companies drawn from the automotive and technology sectors, to disrupt the automotive industry and capitalise on growing consumer demand for smart, connected devices. Traditional automotive manufacturers, including Audi, BMW, Ford, Jaguar Land Rover and Volkswagen, are being challenged by more recently established competitors, such as Tesla, and technology companies, such as Waymo, to be first to get their autonomous vehicles on the road.

The various industry players are taking differing approaches to making autonomous vehicles available to the public. On the one hand, traditional automotive manufacturers are building increasing levels of driver assistance and automation into established vehicle designs. For example, BMW announced in early 2017 that it is partnering with Microsoft to add Microsoft’s virtual assistant “Cortana” to BMW’s vehicles’ operating systems. Similarly, Ford recently announced that it is partnering with Amazon to add Amazon’s virtual assistant “Alexa” to Ford’s vehicles’ operating systems. These virtual assistants will enable the vehicles to interact with their surroundings and other devices connected to the Internet, for example to control garage doors remotely and use voice activated commands to start and stop the vehicle. On the other hand, some non-traditional automotive manufacturers, such as Waymo, are bypassing this incremental approach to innovation and focusing only on developing autonomous vehicles at SAE Levels 4 and 5.

What is the data protection landscape for CAVs?

As vehicles become increasingly connected to the world around them, so the volume of data they collect, combine, store and communicate increases. Complex questions arise as to whether such data constitutes “personal data” and, if so, who is responsible for it and how it is secured. Whilst not all data collected by CAVs will on its own identify an individual driver, passenger or user of a CAV, in many cases it may be combined with other information to identify such individuals, and therefore it is likely to be “personal data”, the fundamental unit of protected data in most data protection legislation around the world. For example, in the EU, location data collected by smartphones is generally considered to be personal data because individuals can be directly or indirectly identified through their patterns of movement. By analogy, geo-location data collected by CAVs is likely to be considered personal data where this data alone or in conjunction with other information identifies an individual driver, passenger or user of a CAV through their patterns of movement.

In the EU, the legal framework with regard to personal data collected via CAVs and other smart, connected devices consists of two sets of rules.

The first of these are general rules on the processing of personal data, set out in the Data Protection Directive[2], which is implemented in the UK by the Data Protection Act 1998 (the “DPA”). The Data Protection Directive will be replaced by the General Data Protection Regulation (the “GDPR”) with effect from 25 May 2018 which, unlike the Data Protection Directive, will have direct effect across all Member States, meaning that it will apply throughout the EU without the need for further implementation by Member States into national laws. The UK government has confirmed that the GDPR will apply in the UK notwithstanding the UK’s decision to leave the EU.

The second set of rules relates specifically to the processing of personal data in the electronic communications sector and is contained in the ePrivacy Directive[3], which is implemented in the UK by the Privacy and Electronic Communications Regulations[4]. The ePrivacy Directive is also expected to be replaced in the near future following the European Commission’s proposal on 10 January 2017 to bring forward an ePrivacy Regulation as part of its Digital Single Market strategy to consolidate and strengthen privacy rules in the EU. The Commission has called upon the European Parliament and European Council to “work swiftly” to ensure that the ePrivacy Regulation is adopted by 25 May 2018, the day on which the GDPR comes into force, so that a single coherent structure will be in place. It remains to be seen whether the UK government will be prepared to adopt the ePrivacy Regulation in light of the UK’s decision to leave the EU, though we would expect it to be implemented and so businesses would be well advised to prepare for it in conjunction with the GDPR.

How can CAV stakeholders comply with data protection legislation?

In order to keep pace with developments in CAV technologies, the business model of traditional automotive manufacturers is transforming. The focus is no longer on hardware development alone but also on producing innovative software that leverages the vast amount of data that CAVs will generate to provide improved services to drivers, passengers and users. This transformation is leading to some interesting alliances being formed by various stakeholders who are seeking to access and use such data, including providers of repair and maintenance services, road infrastructure and social networks. Whilst vehicle generated data may have potentially useful applications, such as to contact emergency services in the event of an accident, to predict when the vehicle is likely to require maintenance or repair in order to avoid a breakdown and to provide personalised infotainment services, these alliances make ever more complex the question of who has legal responsibility for what happens to the personal data collected by CAVs (and hence liability).

Currently, under the Data Protection Directive and DPA, any entity determining the purpose for and the manner in which personal data is collected or processed will be a data controller and as such subject to compliance with that legislation. Under the GDPR, however, any entity processing personal data on behalf of data controllers will also have its own direct obligations under the legislation. Stakeholders across the CAV value chain should therefore enter into carefully structured future-proof agreements which clearly identify each party’s respective obligations with respect to the use and protection of personal data and the apportionment of risk where there is a data breach. This is particularly important given the threat that supervisory authorities may impose fines of up to 4% of annual global turnover for breaches of, for example, the principles governing data processing and data subjects’ rights under the GDPR.

Gaining the trust of consumers is key to the successful rollout of CAV technologies. The threat of significant fines aside, if consumers do not trust that their personal data is protected and that adequate safeguards are in place to ensure its security, there is a risk that consumers might restrict or completely opt out of its use and sharing, which would significantly constrain the growth of the CAV market. Stakeholders should consider conducting comprehensive data protection impact assessments, analysing their potential exposure under the applicable data protection legislation and implementing appropriate measures to ensure ongoing compliance. Such measures should be considered at the earliest possible stage in the development of new CAV technologies, because the principle of “privacy by design” is enshrined in the GDPR. This means going beyond making legal adjustments to the agreements in place between stakeholders and making technical adjustments in order to build data protection into the design and operational processes of a stakeholder’s business.

What cyber security challenges do CAV stakeholders face?

Consumer trust is also important in the context of cyber security. In 2015, Fiat Chrysler was forced to recall 1.4 million vehicles in the US due to a vulnerability in the dashboard computer which allowed hackers to disable the vehicle. As vehicles become increasingly connected to the world around them, the risk of hacking and security breaches will become ever more pressing. This is a particular concern since it could lead not only to personal data being compromised, but also to lives being put at risk.

The challenge for manufacturers is to allow third party access to vehicle generated data in order to enhance their overall offering to consumers, but to do so in a way which is consistent with the principles of security, safety and privacy. A number of European bodies are currently exploring possible solutions. For example, the European Automobile Manufacturers’ Association (ACEA) and the European Association of Automotive Suppliers (CLEPA) have proposed that data is relayed to a secure back-end server maintained by the manufacturer before it is transmitted to third parties.

Alternatively, a neutral server could be established to gather the data from manufacturers’ back-end servers to be provided to third parties. This proposed architecture is known in the industry as the Extended Vehicle (ExVe) and is based on ISO 2007x standards. It is a promising development but there remain some major question marks over how it would work in practice, not least in relation to who would be considered sufficiently “neutral” to operate the neutral server (for example, Google could be a candidate for operating such a server, though it is an affiliate of Waymo).

It is therefore important that industry bodies and stakeholders work closely with regulators and certification entities to establish both a clear set of guidelines over the short to medium term and a formal set of regulations over the long term. This will give comfort not only to stakeholders right across the CAV value chain, who will benefit from greater certainty in terms of each party’s security obligations when manufacturing or commercialising in-vehicle software, but also to consumers who will be able to take confidence from the seriousness with which those stakeholders are taking security concerns.

How are CAVs impacting the insurance industry?

CAVs pose challenges in relation to liability for accidents and rights of redress for injured parties. Unlike some jurisdictions (such as the USA), motor insurance in the UK is based on compulsory motor insurance of the driver (under Part VI of the Road Traffic Act 1988) rather than of the vehicle. This approach has worked well for conventional vehicles; however it begins to break down as vehicles become increasingly autonomous and advance up the SAE Levels. Under the current framework, if an accident were to occur whilst a vehicle is driving autonomously and the driver is “out of the loop”, injured parties would face difficulties in recovering from insurers as there would be no clear route to recovery and, unless reforms are made, injured parties could face a disproportionately long and costly route through the courts to obtain compensation.

The UK government has acknowledged that there is a potential gap in the UK motor insurance framework and, in anticipation of increasingly connected, and eventually autonomous, vehicles coming onto the market, has recently conducted a consultation on how to close these gaps. Following the conclusion of that consultation, the UK government introduced the Vehicle Technology and Aviation Bill to Parliament on 22 February 2017. The Bill extends compulsory motor vehicle insurance to cover the use of an “automated vehicle” (described in the Bill’s explanatory note as a vehicle capable of driving itself without human oversight or intervention for some, or all, of the journey) in automated mode, so that parties (including the driver of the automated vehicle) who suffer injury as a result of an accident caused by a fault in the automated vehicle itself will be covered by compulsory insurance in place on the vehicle.

In addition, the Bill gives injured parties the right to hold insurers liable for a wide range of damages, including death, personal injury and property damage. The insurer would initially be liable to pay compensation to the injured parties; however the insurer will then have the right to recover from the liable party under existing common and product law. This may include the manufacturer if there is a fault in the automated vehicle itself or any hacker who causes an accident by breaching the automated vehicle’s security. The insurer will also have the right to exclude or limit liability for damages under its policies in certain areas, including where damages arise out of a failure to install software updates to an automated vehicle.

Although the publication of the Bill is just the first step in a potentially lengthy Parliamentary process, in our view the Bill shows the UK government’s commitment to fostering a welcoming and encouraging environment in the UK for CAV technologies. We are eagerly awaiting further updates and look forward to keeping you in the loop as this exciting development progresses.

What next for CAV technologies?

Data protection, cyber security and insurance are areas of particular complexity for those involved in the development, monetisation and use of CAVs. Although regulators and governments are taking initial steps to address these issues and provide legal certainty to CAV stakeholders and consumers alike, they will need to work quickly to keep pace with technological advancement. If CAVs are to reach their full potential in the near future, regulatory reform needs to be complemented by urgent investment in wider transport infrastructure to create a smart, connected mobility network that facilitates efficient, effective and secure communication between devices. Only a combination of proactive regulation and infrastructure investment will ensure that the high expectations for CAV technologies are met.