The advent of autonomous cars represents a unique opportunity to rethink urbanism globally. Indeed, such a technological evolution will undoubtedly foster the development of a range of new offerings, such as car sharing and value-added opportunities, while at the same time ensure added safety on the roads at a time when traffic injuries remain the primary cause of death among people aged 15 to 29[1].

One direction in which this new paradigm could be expressed may be the decline of exclusive car ownership and the shift toward CaaS, or “Car-as-a-Service”. Autonomous cars could be shared among a community of subscribers and used on an as-needed basis, after which they could then park themselves outside of the urban landscape for battery-reloading purposes or when not in use.

Nevertheless, such an idealistic picture can only be achieved once all regulatory barriers have been lifted.

Regulatory Roadworks In March 2016, the 1968 Convention on Road Traffic[2]– the international convention aimed at harmonizing car regulations among its 74 country members – was amended to allow for experimentation with autonomous cars. However, the new provisions do not change the key requirement that a human driver of the vehicle must always remain responsible for and in control of the vehicle. As such, autonomy must be “overridden or switched off by the driver”. As a consequence, and on a global basis, the human component must remain in the driver’s seat and only subsidiary delegations of driving functions may be implemented.

At the same time, autonomous cars have been encouraged at regional and local levels. In September 2015, these efforts were encouraged by the Transport Ministers of the G7 States and the European Commissioner for Transport when they made a common declaration to coordinate their efforts to support the developments of automated and connected driving.

In addition, the European Commission recently presented a communication on connected cars for Europe[3], which completes the EU emergency calls (eCall) system that will effectively become mandatory in 2018 and thus requires vehicles to communicate. On the other side of the Atlantic, the Obama administration also presented its strategy in the wake of the 2016 Detroit Auto Show.

Both initiatives highlighted the regulatory aspects that will need to be tackled and which encompass areas beyond the sole car regulation system.

Sharing of Risk Connected and autonomous cars involve a plurality of players, including the car manufacturers, the car connectivity providers, the connected infrastructure providers, the value-added service providers, insurers and drivers (“Autonomous Car Service Providers”).

Although under the 1968 Convention, the driver is seen as the sole person able to control the vehicle, the other Autonomous Car Service Providers may still share some responsibility for the vehicle’s actions, regardless of the control the driver may exercise.

Notwithstanding the usual terminology of “autonomous car,” any connected car needs to interact with its surrounding, for example, to obtain road traffic updates, weather forecasts, and to calculate a new route. On its own and without any exchange with the world outside the compartment, the vehicle may lack the information needed. While it may not sound as marketable, it would be more appropriate to view connected vehicles as “co-dependent,” leaving an opening to the Autonomous Car Service Providers involved in the transmission of information, subject to part of the associated liabilities.

Therefore, with the adoption of autonomous and connected cars, the driver (primarily) and, as the case may be, the manufacturer will no longer be solely responsible for the damages caused to or by the car and all the Autonomous Car Service Providers interacting with the car might need to assume their share of liability in this respect. As a consequence, all Autonomous Car Service Providers must assess their liability exposure regarding potential damage caused by their connected devices, and minimize regulatory insecurity through the execution of contracts.

Personal Data and Cybersecurity Personal data is fueling today’s data-driven economy and even more so in the connected and autonomous cars industry. Autonomous Car Service Providers have been able to develop the know-how to cover a wide range of high value data from analytics to performance measurement through safety of transportation.

The recently adopted General Data Protection Regulation (“GDPR”)[4] will allow only those in compliance with its provisions to be permitted to expand into the European market. Indeed, the European data protection rules, in particular regarding information or consent requirements, will become applicable to any provider offering its products or services to European citizens.

The GDPR also introduces reinforced rules on security and data breach notification requirements. Since the introduction of connected devices is based on data transfers and exchanges between companies and devices, the security of the data processed will become of paramount importance to avoid any hacking.

Therefore, communications through encrypted means are highly recommended and will need to be implemented at all levels (vehicle, infrastructure, software, etc.).

Cybersecurity is only as strong as all of its Autonomous Car Service Providers are willing to make it by collaborating and taking steps to avoid any wrongful use of the data at any step of the processing chain. Here again, the issue of liability will be the focal point for the ecosystem, as the whole structure may end up being compromised through a weakness located in the solution provided by one of the Autonomous Car Service Providers. In this respect, as the scope of the damages caused by data breaches is unpredictable, all Autonomous Car Service Providers strongly need to consider cyber risk insurance coverage.

Telecommunications Depending on the jurisdiction, where a product incorporates wireless (be it 3G, 4G or the upcoming 5G standard) connectivity functions that are necessary and essential to the product, its provider might qualify as a telecom operator. Such qualification, and all the regulatory hurdles that imposes, may intervene even if constraints and limitations apply to the product’s connectivity and is offered without recurring fees to its users.

Such a regime may hinder any fast adoption at a global scale as proper notifications or authorizations would need to be carried out before the telecom regulatory authorities in these jurisdictions grant product approval.

Intellectual Property and Data Ownership As of today, raw information, as pure fact deprived of any originality, would fall outside the scope of the intellectual property regime currently in place.

Database producer rights, which have notably been implemented as sui generi rights in certain jurisdictions, such as the European Union, may offer some residual protection. However, the current level of legal protection appears ill-equipped to address the data ownership rights of the variety of Autonomous Car Service Providers involved in the chain of value of the connected car ecosystem.

It is therefore difficult to assess and enforce any protection or create any presumption over the owner of the data. At the same time, the data relating to the connected cars and their passengers will represent a treasure-trove, both in terms of analytics and financial value.

Between the owner of the car, the actual driver, the manufacturer or the provider of the connected device, how can applicable law determine the most legitimate owner of the speed reports collected from a connected car?

For now, the ownership on the data obtained and processed will need to be preliminarily determined through contractual provisions, be it in partnership agreements or terms and conditions of use of the service. In addition, the conclusion of non-disclosure agreements imposed by their contractual owner to the other players will help protect the value of such data. Perhaps the party most interested from a privacy sense in owning the data, the driver, is the party least likely to be in a position to contractually negotiate data rights.

However, despite the certain skirmish that will occur around data ownership, it is in the Autonomous Car Service Providers’ interests to collaborate among themselves in order to adopt unique standards to ensure the proper communication between the various offerings, and, in the end, provide for the stability of the ecosystem. Working groups will be created in this respect in order to avoid a situation where disparate proprietary solutions become the norm.

Research & Development and Confidentiality Finally, before considering entering into experimentations and collaborations led by the development of such new technologies and entry of new players, it is worth entering into contracts that protect and anticipate each party’s interests in order to safeguard the viability of the framework.

At this stage, the only certainty is that connected and autonomous cars will go forward and permeate our way of life. The global annual industry revenues for connected cars is expected to increase from approximately US$33 (€30) billion in 2014 to approximately US$187-198 (€170-180) billion in 2020[5]. Many opportunities are therefore opened to the players in a heterogeneous vehicular ecosystem and it is expected that regulators will play a ‘steering’ role. We can only hope that such a role will not force the industry to hit the brakes on innovation.