On September 6, the US House of Representatives passed the Self Drive Act (H.R. 3388), which encourages autonomous vehicle development, defines the domains of federal and state law, and addresses cybersecurity and data privacy concerns associated with self-driving cars. The Act excludes tractor-trailers, buses, and other large commercial vehicles.

The Self Drive Act encourages “the development or field evaluation” of autonomous vehicle technology in a number of ways, primarily by expanding the number and scope of “exemptions” from existing federal motor vehicle safety standards that can be issued by the federal agency primarily responsible for automotive design safety, the National Highway Traffic Safety Administration. Specifically, the Act would allow exemptions for up to 25,000 self-driving cars in the first year of the law, and 100,000 by the third year.

The Act also defines federal and state roles in the development and deployment of self-driving cars. It provides for federal government control over the “design, construction, or performance of highly automated vehicles, automated driving systems, or components of automated driving systems.” States would retain control over the “registration, licensing, driving education and training, insurance, law enforcement, crash investigations,” and other traditional areas of state regulation. The Act also provides that state regulation of design, construction and performance of automated vehicles and systems would be preempted to the extent state requirements differ from standards established at the federal level.

The Act also contains provisions relating to cybersecurity and data privacy. Section 5 of the Act prohibits a manufacturer from using an autonomous vehicle in the country unless that manufacturer has developed a cybersecurity plan that includes:

  • “A written cybersecurity policy” that identifies and assesses cyber risks.
  • “The identification of an office or other individual” as responsible for managing cybersecurity.
  • “A process for limiting access to automated driving systems.”
  • “A process for employee training” with respect to cybersecurity and other external threats to autonomous vehicles.

The Act also requires the development of data privacy plans and gives the Federal Trade Commission enforcement authority over these plans. It also calls on the FTC to examine and report on data access and privacy issues.

The Senate is expected to soon release its own version of a self-driving vehicle bill, which, unlike the House bill, will address commercial motor vehicles. That work is being led by Senators John Thune (R-SD), Bill Nelson (D-FL), and Gary Peters (D-MI).

Federal guidance is critical on the rules of the road that will be applied to automated vehicle technology. The Self Drive Act is an important first step toward obtaining more certainty and guidance in this area. But there is much more to come. The Senate may reach a somewhat different balance of the varying interests and concerns. Also, the current administration is expected to weigh in shortly to provide executive department guidelines for automated vehicles. And even when Congress finalizes legislation on automated vehicles, perhaps this year, there will be years of studies, rulemakings and regulatory proceedings as the federal government establishes a coherent regulatory framework for this new and important technology.