The International Conference of Data Protection and Privacy Commissioners, a collection of data and privacy regulators from around the world, recently issued non-binding guidance concerning the privacy rights of autonomous and connected vehicle users. The guidance calls on manufacturers and service providers to “fully respect the users’ rights to the protection of their personal data and privacy and to sufficiently take this into account at every stage of the creation and development of new devices or services.” The guidance may instruct future international data enforcement actions, meaning entities could be fined for failing to comply. Among its many instructions, the guidance encourages manufacturers and service providers to:
- Inform users what information the car might be collecting and using, who is collecting and using the information, and why.
- Give people “granular” and “easy to use” methods for giving consent.
- Ensure that the self-learning algorithms needed to make the technology work are not only transparent but also reviewed by an independent third party to avoid “discriminatory automated decisions.”
The Federal Trade Commission, the United States’ representative to the International Conference of Data Protection and Privacy Commissioners, abstained from the international guidance. Thus in the U.S. companies may want to refer back instead to the autonomous vehicle guidance issued by the United States Department of Transportation. The two frameworks are largely similar except that the international guidance has more onerous consent provisions and requires third-party audits of the self-learning algorithms.
Putting it into Practice: Companies who are developing autonomous or connected vehicle technologies should keep in mind that both domestic and international regulators will expect them to consider user privacy at all stages of autonomous and connected car technology development.