Where is your data being driven? Is the law still a back seat passenger when it comes to autonomous vehicles?
The UK government is keen to make research (and investment) into driverless cars a key component of its industrial strategy, aiming to keep the country innovative when it comes to such technologies in the automotive sector. The advantages of self-driving cars are obvious; the potential for easing congestion and accidents – the majority of which that are caused by human error. However, is the legal framework for autonomous vehicles present, particularly in respect of all the data it can collect about is passengers?
Will autonomous vehicles be caught by data protection legislation?
It is no surprise that the more technologically advanced autonomous vehicles become, the greater the volume of data they will collect, store and even transmit regarding the vehicle and those using it. Not all of this will be “personal data” (and therefore data protection legislation is unlikely to apply to such data). However, there is a good reason to assume that some data collected by autonomous vehicles will indeed be personal data, particularly pieces of individual data which can then be combined to identify an individual.
In the EU (and for the moment at least, the UK), GPS data and other locating data collected by smartphones or wearable technology is generally considered to be personal data because individuals can identified through their patterns of movement, either directly or indirectly by using other data. As such, it stands to reason that any location data used by autonomous vehicles (and indeed other, non-autonomous vehicles with connected services) will contain personal data (whether on its own or in combination with information which can assist to identify an individual driver, passenger or user through patterns of movement).
So what about the legislation already in place?
The general law relating to data protection is currently in the process of being replaced. The Data Protection Directive in the EU (which is implemented in the UK by the Data Protection Act 1998) will be replaced by the General Data Protection Regulation (the “GDPR”) with effect from 25 May 2018. The GDPR will have a direct effect across all Member States (this includes the UK, as the government have already stated GDPR will apply despite the UK's decision to leave the EU).
The GDPR is not the only legislation that applies to autonomous vehicles and the handling of personal data. Other legislation is part of the ePrivacy Directive, implemented in the UK by the Privacy and Electronic Communications Regulations. The ePrivacy Directive is also expected to be replaced with a view to its replacement (the ePrivacy Regulation) being adopted on the same day that GDPR comes into force so that a single framework is in place. Even though the UK government has not confirmed that the UK will adopt the ePrivacy Regulation post-Brexit, given its interlinking nature with GDPR across a number of areas of law, it would be unsurprising if the UK adopted the ePrivacy Regulations along with GDPR.
The GDPR, in particular, brings in a number of new concepts which try and foresee new technological developments and the potential data protections that arise.
How can autonomous vehicles comply with data protection legislation?
One of the new concepts introduced by GDPR is the concept of privacy by design or privacy by default. This encourages data privacy considerations to be thought about as early as possible in the design process, rather than retro-fitting data protection compliance into a finished product. Given that autonomous vehicles are just as much about the software as the hardware; it will be unsurprising to see that ‘traditional’ car manufacturers are trying to involve data controllers (such as social networks, mobile carriers and road/driving authorities) at early stages of development. But who has responsibility for the data?
Ultimately, the driver and its passengers will be sharing the data through the car, but if the data is being given to another company (such as a social media company or breakdown company), what happens to the data and who owns (and has legal responsibility) for it? It may be that both parties are effectively data controllers because the vehicle owner may have separate dealings with their car manufacturer (or dealer) and (for example) a breakdown provider.
Both of these could be defined as data controllers “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed").
However, regardless of who are the data controllers and the data processors, the parties will need to ensure they have a robust legal framework in place come the implementation of the GDPR.
Whilst currently, only a data controller is liable in respect of complying with the Data Protection Act, this will change under the GDPR where both the data controller and the data processor are potentially liable. Agreements throughout the supply chain and collaborative technologies that go into autonomous vehicles should define the obligations of either party with respect to the protection and use of personal data (and at what point each party is labile for any data breach). In addition to processors being liable themselves, the threat of increased fines (currently set at £500k), potentially rising to 4% of global turnover should be sufficient motivation to ensure the adequate processes and safeguards regarding data protection are in place.
If the ‘stick’ of breaking the law and potential hefty fines is not enough of an incentive to ensure a robust legal framework is in place across the supply chain and between collaborators, gaining the trust of consumers is ultimately the ‘carrot’ to ensuring that autonomous vehicles are successful. If consumers do not trust car manufacturers and their partners to look after their data, they may opt-out of sharing important data such as routes and traffic information. Without all autonomous vehicle users (or a high proportion of them) buying into data sharing to benefit route and traffic information, it is very unlikely that the advantages of autonomous vehicles as described earlier will ever be fully felt.
As such, car manufacturers, their supply chains and technology partners should consider preparing for the future now by:
- considering data protection in the development stage of technologies (in furtherance of the “privacy by design or default” principles under the GDPR);
- conducting comprehensive data protection impact assessments on existing processes and procedures;
- analysing potential exposure under GDPR and the ePrivacy Regulation; and
- as a result of the above, implementing measures to ensure ongoing compliance.