The UK is set to become a world leader in driverless car technologies, with autonomous vehicles expected to be a core feature in Smart City infrastructure. The increased capabilities of driverless technology raise significant privacy issues, especially when considering the sheer amount of data that needs to be collected and translated into practical actions to enable a car to drive itself.

For example, navigation data is collected during autonomous driving by telematics devices incorporated into vehicle dashboards. This data is then captured and transferred to systems and solutions for a variety of reasons, including motorist safety.

These innovative developments clearly present significant opportunities and benefits. However, there are also legal and regulatory requirements for which compliance frameworks will need to be introduced. Driverless technology is a potential regulatory minefield. For example, manufacturers will need to be aware that by providing bundled connectivity services, including network access to end-users, they are potentially a telecoms service provider, and with this status come complex and stringent requirements under telecoms regulations.

Other areas that clearly present a challenge in terms of civil and criminal liability include insurance coverage and legitimate concerns around privacy, security and cyber risks. These are all expected to be hot topics, particularly against the backdrop of the proposed new European General Data Protection Regulation.

A new Code of Practice for a Driverless GB

There have been specific developments in Great Britain, such as the Department for Transport’s Code of Practice for testing Driverless Cars, issued in July 2015. The Code highlights a number of issues which manufacturers of driverless vehicle technologies need to be aware of, including data recording and cyber-attacks on the systems and information platforms through which data is captured. The Code states that automated vehicles, which are subject to testing, should be fitted with a device capable of data capture through sensor and control systems associated with automated features and from movement of the vehicle itself.

The Code contains minimum data recording requirements, namely:

  • Vehicle speed.
  • Steering command and activation.
  • Braking command and activation.
  • Operation of a vehicle’s lights and indicators.
  • Use of a vehicle’s audible warning system (horn).

The recording of sensor data on the presence of other road users, objects in the vicinity of a vehicle, and remote commands potentially affecting a vehicle’s movement may also be required in certain circumstances. Such requirements apply irrespective of whether the vehicle is operating manually or automatically. In addition the Guidance states that testers may wish to consider fitting vehicles under test with a video and audio recording system. These categories are clearly going to be of potential interest to investigating authorities as they help in determining who or what was controlling the vehicle at the time of an accident. Testing organisations will be expected to co-operate with such investigations.   

Considerations will arise as to who owns the data generated and stored in connection with driverless cars and who has the rights to use it.  Further, the Code of Practice Guidance recognises that testing is likely to involve the processing of personal data. For example, if data is collected and analysed about the behaviour or location of individuals in or about the vehicle, such as test drivers, operators and assistants, and those individuals can be identified, this will amount to the processing of personal data under the Data Protection Act 1998.

This raises a number of further questions such as:

  • Who will be the responsible person under this legislation?
  • How will affected individuals be notified of the use of their information?
  • Will they have a choice as to whether their information can be used?

Practicalities such as how to notify individuals of the use of their information, and offering them choice, will need to be considered, particularly given that it may not just be passengers, but pedestrians and other road users involved.  Although these new technologies have the potential to help law enforcement, improve individuals’ driving experience and improve public safety, clearly there is also an opportunity for abuse and ‘function creep’. 

Good practice standards for processing personal data, such as data minimisation, privacy by design, and purpose limitation, are to become enshrined as express obligations in the General Data Protection Regulation. A clear focus is therefore needed as to whether the objective is to learn about specific individuals, or whether aggregate information is sufficient.  Even where there is no interest in knowing the identity of the individuals in question, knowing whether their identity can still be determined from the data will be important. Incorporating appropriate safeguards to protect the individual’s right to privacy and ensure their rights and freedoms regarding the processing of their personal data are respected will be key to compliance and protecting brand reputation. 

Cyber-attacks present genuine risks

Cyber-attacks are potentially a major legal issue for manufacturers in the context of driverless technology. The Code of Practice sets out, as a requirement for testing, that a test driver or operator oversees the movements of the vehicle under test and is capable of implementing a manual over-ride at any time. Nevertheless, manufacturers providing vehicles and other organisations supplying parts for testing will need to consider how to ensure that all prototype automated controllers and other vehicle systems have appropriate levels of built-in security to manage possible unauthorised access. The vehicles themselves, not just the remote systems and servers to which data captured through the vehicle is transferred, could realistically be the target of data breaches.

It is clear that driver data presents opportunities for manufacturers to develop innovative driverless technology and for suppliers and service providers to better understand car performance and driver behaviour. However, weighing product innovation against legal and reputational risk requires careful thought, and compliance needs to be well managed. Incorporating privacy by design and privacy impact assessments into the development, design and manufacture of these technologies will play a key role in minimising the risk of non-compliance with data protection laws.