1 The Discussion Paper
On 27 September the National Transport Commission (NTC) released a discussion paper regarding the regulation of access to cooperative intelligent transport system (C-ITS) and automated vehicle data. The discussion paper:
- considers the new privacy challenges associated with government collection and use of information likely to be generated by C-ITS and automated vehicle technology; and
- summarises the reasons why the NTC does not consider that Australia’s existing information access framework sufficiently addresses these privacy challenges, and outlines a series of options for correcting this.
While the discussion paper and this article will focus on issues associated with the collection of C-ITS and automated vehicle data by government agencies, there are other risks and challenges associated with private individuals and organisations (including operators of automated vehicles and associated services) collecting the same data.
2 What is a C-ITS?
A C-ITS is a network of transport related devices (eg. vehicles, roads and infrastructure) that communicate and share real-time information (eg. traffic, road conditions, vehicle speed and location). Some automated vehicles may implement C-ITS technology to enhance their operation.
Information generated by C-ITS technology can be used to inform and enhance government decision making on law enforcement, traffic management, road safety and infrastructure and network planning. However, this may also raise concerns with respect to how the personal and sensitive information created by the use of those technologies is managed and protected.
3 New data collection capabilities offered by C-ITS technology
C-ITS and automated vehicle technology will enable collection of a far greater breadth and depth of information than conventional vehicles. For example, C-ITS technology may enable further widespread collection of very high-resolution location information, and new in-car technology may enable the collection of types of information on a scale not previously contemplated by existing privacy regulations (eg. video recording internal to the vehicle, vehicle-to-vehicle and vehicle-to-infrastructure communication, biometric, biological or health sensors installed in the vehicle to monitor driver alertness or customise the driving experience etc).
While this type of information may already be regulated to a degree by existing laws – such as the Privacy Act 1988 (Cth) (Privacy Act), which regulates the collection, use and disclosure of personal information, the NTC considers that these laws are not adequate to deal with issues arising from potential government access to information generated by C-ITS technology. In particular, the NTC has concerns that:
- the collection, use and disclosure of C-ITS and automated vehicle data by government organisations may result in increased opportunities for surveillance, and surveillance device laws do not place sufficient practical restrictions on government collection of personal information;
- the Privacy Act does not restrict the direct collection of personal information by government agencies if the information ‘is necessary for one or more of its functions or activities’ and this could leave broad scope for government agencies to collect data through C-ITS technology for a wide range of purposes;
- road transport laws currently facilitate information sharing between road agencies and police; and
- existing requirements to destroy or de-identify personal information in certain conditions are too narrow and in practice may not significantly curtail the ability for government agencies to hold onto information generated through C-ITS for a long period. There may also be practical issues about how government would de-identify this type of information because of the wide range of potential identifiers it may contain.
4 NTC’s draft principles for dealing with these challenges
The NTC’s preliminary view about the preferred way to deal with the above challenges is to agree on broad principles that limit the collection, use and disclosure of C-ITS information (as opposed to directly limiting the organisations that can use it or relying on the existing legislation as-is). The principles proposed by the NTC are as follows:
- C-ITS and automated vehicle information must be clearly defined to ensure any additional privacy protections only capture relevant information;
- government organisations should err on the side of caution and consider treating C-ITS and automated vehicle information as personal information (unless there are legitimate reasons not to do so);
- a regulatory framework that supports lawful collection, use and disclosure of C-ITS and automated vehicle information needs to be developed. Additional privacy protections will likely be needed to appropriately limit the collection, use and disclosure of C-ITS and automated vehicle information to specific purposes, in particular, safety and network efficiency. This must be balanced with ensuring that the benefits of government access to C-ITS and automated vehicle data, including in delivering value to the public, can be realised;
- the additional privacy protections for C-ITS and automated vehicle information should be legislative to ensure they interact appropriately with legislative collection powers and other legislated privacy protections;
- the additional privacy protections should specify:
- a) the C-ITS and automated vehicle information covered. Stronger protections may need to be afforded for more sensitive information; b) the purpose(s) for which the information may be used (these will then be considered in conjunction with any access powers developed as part of further automated vehicle reforms); and c) the parties to whom any specific purpose limitations apply;
- governments should consider:
- a) notifying users of how the C-ITS and automated vehicle information collected by an agency will be used, disclosed and stored; and
- b) destroying C-ITS and automated vehicle information after a set amount of time or as soon as it is no longer necessary for the purpose for which it was collected.
- governments should consider:
- a) aggregating the C-ITS and automated vehicle information they collect
- b) obtaining relevant consents from users when collecting information from them; and
- c) providing users with the option to opt out of government collection of their personal information; and
- privacy protections for C-ITS and automated vehicle data should be regularly reviewed to ensure privacy is adequately protected.
5 What’s next?
Submissions to the NTC are due by 22 November 2018 and the NTC intends to develop recommendations and next steps to implement the recommendations for the Transport and Infrastructure Council meeting in May 2019 (at which those recommendations are expected to be agreed).