On September 20, 2016, the U.S. Department of Transportation (DOT) issued its long awaited guidance on autonomous vehicles. At the same time, the National Highway Traffic Safety Administration (NHTSA) sent a Final Notice for Safety Defects and Automated Safety Technologies to the Federal Register, making it clear that safety issues that result from the use of automated technology, as well as cybersecurity, fit under its existing enforcement authorities.
All of this is the result of a multi-year focus by the Obama Administration and Congress on safety, cybersecurity and privacy issues around the use and operation of autonomous vehicles (AV). However, it effectively kicks off a much more detailed series of debates on these matters. The four part policy makes clear DOT's role and oversight of autonomous vehicles, as well as expectations on cybersecurity and privacy issues. At the same time, it cites to a Volpe March 2016 Study that noted that "current Federal Motor Vehicle Safety Standards (FMVSS) do not directly address new automated vehicle technologies," indicting that changes to existing authorities may be needed.
DOT is clear about the need for strong cybersecurity and privacy components in the AV policy and cites to the White House Consumer Privacy Bill of Rights from 2015. While it refers to best practices for cybersecurity, it is clear that manufacturers should fully document "all actions, changes, design choices, analyses, associated testing and data should be traceable within a robust document version control environment." On privacy issues, while it stops short of a specific mandate, it does state that manufacturers "should ensure" seven main pillars: Transparency; Choice; Respect for Context; Minimization, De-Identification and Retention; Data Security; Integrity and Access as well as Accountability.
The new Federal Automated Vehicles Policy (Policy) includes four main components:
- Vehicle Performance Guidelines: The guidance creates a 15 Point Safety Assessment which states it is "to set clear expectations for manufacturers developing and deploying automated vehicle technologies." The Safety Assessment includes operational design domain; event detection and response functionality; validation testing, validation and verification methods; privacy and cybersecurity; Human Machine Interface (HMI), crashworthiness to name a few.
- Model State Policy: DOT articulates the division of Federal vs. State Responsibilities when it comes to regulating Autonomous Vehicles (AV) and the Model State Policy "confirms that States retain their traditional responsibilities for vehicle licensing and registration, traffic laws and enforcement." The Model State Policy includes administrative structures for use of public roads for AV testing as well as law enforcement considerations as well as liability and insurance to name a few.
- Current Regulatory Tools: DOT lists traditional regulatory tools including Letters of Interpretation, Exemptions, Rulemakings and Enforcement Authority.
- Modern Regulatory Tools: Key to the AV community is the DOT description of what is called "modern" regulatory tools and it identifies a number of areas (Authorities and Tools) that may require updates to its existing legal authorities. This ranges from potentially requiring pre-market testing, data and analysis be shared with DOT for safety assurance purposes; potentially pre-market approvals where the government "inspects and affirmatively approves new technologies;" authority; potentially requiring manufacturers to take immediate action to mitigate safety risks that constitute an "imminent hazard;" as well as post-sale regulation of software changes. New tools could range from mandating the 15 Point Safety Assessment to requiring additional reporting on AV testing and deployment.
National Highway Traffic Safety Administration (NHTSA) Final Notice; Safety Defects and Automated Safety Technologies Issued
At the same time, NHTSA submitted to the Federal Register a Final Notice making it clear that it has "broad enforcement authority under existing statutes and regulations to address existing and emerging automated safety technologies." It also makes clear that NHTSA believes that existing Safety Defects authorities cover "vulnerabilities in automated safety technology or equipment [that] pose an unreasonable risk to safety." This is a follow-up to a proposed Enforcement Guidance Bulletin issued by NHTSA on April 1, 2016. While the Final Notice does state that additional guidance will be issued to address software and cybersecurity per se, NHTSA also clearly states that "Manufacturers of motor vehicles and motor vehicle equipment must continue to follow the requirements of the Safety Act, including those related to cybersecurity."
We will continue to follow these developments and provide further updates on the Holland & Knight Cybersecurity and Privacy Blog.