The emergence of connected and autonomous vehicles raises numerous challenging legal questions, particularly in the area of data protection and cybersecurity. These issues were the focus of discussion at the 39th International Conference of Data Protection Commissioners in Hong Kong in September this year. Resolutions adopted at the conference acknowledge that while automated and connected vehicles offer significant benefits in terms of traffic efficiency, vehicle safety and consumer convenience, this new technology must operate within the existing data protection regime. In particular, in the European context it will be important to ensure that any developments take into account the principles enshrined in the General Data Protection Regulation (the “GDPR”), which will become applicable on 25 May 2018.
What “personal data” is involved?
Traditionally, the volume of personal data processed by car manufacturers was minimal. The development and use of connected and autonomous vehicles, however, will involve the collection of a wide range of personal data, including driver details, location, direction of travel, journey history, and average speed and mileage.
The Resolutions note that collection of personal data in this context may lead not only to the accumulation of individuals’ movement profiles, “but could also generate vast amounts of data on the evaluation of driving behaviours”. This data may prove to be valuable information for certain entities, such as motor insurance companies, vehicles manufacturers, advertisers, as well as law and traffic enforcement agencies, “particularly when data will be personalised, e.g. by utilising broadcast vehicle identifiers”.
The Resolutions urge the relevant stakeholders to give data subjects “comprehensive information as to what data is collected and processed in the deployment of connected vehicles, for what purposes and by whom”. Given the volume of data that is potentially collected, this clearly raises the question of how to provide effective notice to users of vehicles. There is also the question of how bulk collection of data, which is at the core of machine learning techniques used to perfect autonomous vehicle behaviours, this will comply with the data minimisation principle. One solution might be the use of anonymisation and pseudonymisation measures, as envisaged by the GDPR, which, if effective, will go someway to addressing both the complexity of notices and the data minimisation obligation.
Collection, Storage and Erasure of Data
The Resolutions reiterate the core principles of data protection compliance in the context of connected and autonomous vehicles, noting that the collection and processing of personal data should be pursuant to a legitimate purpose, in accordance with the law, or with the consent of the data subject. The Resolutions also note that personal data must be kept for no longer than necessary and technical means should be provided to erase personal data when appropriate, such as on the sale of a vehicle.
Although these comments are reflective of data protection principles, their practical implementation may prove difficult. For example, it is not clear that consent could form the basis of the processing of personal data, as the method by which valid consent could be obtained remains unclear, particularly where the vehicle cannot be used without such consent being given, or is used by more than one driver.
Privacy by Design
In line with the GDPR, the Resolutions stress the need to give consideration to the principles of “privacy by default” and “privacy by design” in the development of automated vehicles, “by providing technical and organisational measures to ensure that the data subject’s privacy is respected, both when determining the means of processing and when processing the data”. The Resolutions advocate undertaking data protection impact assessments for “new, innovative or risky” technologies.
In a European context, this is an area that would benefit from the development of a code of conduct, which could help to harmonise the approach to privacy practices in relation to connected and autonomous vehicles throughout EU member states. The GDPR facilitates the use of codes of conduct to provide authoritative guidance on its key requirements and to ensure its “proper application”. Associations and representative bodies may prepare codes of conduct for approval, registration and publication by a supervisory authority. Where processing activities take place across member states, as is likely to be the case with autonomous vehicles, the relevant code of conduct must submitted to the European Data Protection Board (“EDPB”). The EU Commission may declare such codes approved by the EDPB to have general validity within the EU.
The Resolutions recognise that data security, including cyber security, is a critical issue. In the EU, automated vehicles will have to operate in compliance with the Network and Information Security Directive (the “NIS Directive”). The NIS Directive is the first piece of EU wide legislation on cyber security and will require effective measures to be put in place to manage security risks and report security incidents. Ireland has not yet transposed the NIS Directive into national legislation, but is required to do so before 9 May 2018.
Joined Up Thinking
Connected and autonomous vehicles have the potential to be hugely disruptive technologies, reshaping transport systems within the EU and across the world. Implementing appropriate data protection compliance measures in the development of these new forms of transport will be crucial to facilitating their wide spread adoption, and particularly in an EU context of allowing the operation of such technologies on a cross-border basis. In order to achieve this, vehicle manufacturers will need to work closely with supervisory authorities and the EDPB to develop a consistent approach to the various data protection issues that connected and autonomous vehicles raise.