Innovation across the vehicles sector has resulted in the creation of autonomous vehicles. This new car technology software has clear benefits such as eliminating the threat of human error as well as boosting economic productivity. However, there are drawbacks. The introduction of car technology software leaves users open to security vulnerabilities which must be addressed by data privacy regulations as these cars increasingly become available on the market. The current data protection, privacy and cyber regulations across the West are insufficient to effectively tackle this problem, hence why greater regulation is needed.
The English and Scottish Law Commission are making headway in this respect where they are currently delineating a new legal regulation regarding the testing and the driving of Cars and Autonomous Vehicles (CAVs) on UK public roads. The new regulation will update the current Automated and Electric Vehicles Act of 2018 and will reside alongside the Code of Practice for the Testing of Automated Vehicles, the UK Road Safety Laws, and Data Protection Laws.
The Legal Framework of CAVs
As mentioned above, there are a variety of laws which regulate the use of CAVs on UK public roads. The Automated and Electric Vehicles Act of 2018 is the primary piece of legislation in this sector and yet it scantly deals with many of the issues posed by CAVs. At its outset, the Act tackles insurance issues arising when liability must be accorded between the owner of the vehicle and the insurance company. The government permitted the use of these vehicles without insurance except for public bodies. This means that the Act is limited in scope since it seeks to address insured vehicles. Furthermore, and most notably, the Act obviates provisions for victims of uninsured vehicles from its scope and this creates much difficulty for other aspects of law, for instance criminal law, to ensure the right person or company is being held responsible for the death or injury to a victim.
As this Act stands to be the main regulation dealing with liability in this area, an urgent update from the government is needed if these driverless vehicles are to become the norm on UK public roads. The work conducted by the English and Scottish Law Commission has so far been significant where many consultations have addressed the fears of stakeholders in order to ensure the updated version of the 2018 Act addresses issues outside of insurance liability.
The second most important regulation in this area is the Code of Practice for the Testing of Automated Vehicles which has thankfully been updated in 2022. It therefore stands to be the regulation which encompasses the newer and more important issues which CAVs bring. In this respect, therefore, the Code focuses on the UK government’s recognition that automated vehicle technologies and services across the UK must be tested and trialled. This shift in focus marks a monumental step in progress for the regulation of CAVs as it directly addresses the significant future use of these vehicles. The government has countlessly reaffirmed its belief that in the future such technology could transform the public transport sector. Due to the lessened risk of human error, self-driving shuttles will reduce the threat of road-traffic accidents and congestion which contribute to safer roads. Furthermore, with global warming on the horizon, autonomous vehicles will allow citizens to rely less on their cars and where use of these electric vehicles is increased, the environmental impact is greatly reduced. The developments in the field may be controversial yet there is no indication that they will be stifled, meaning legal regulation must ensure they have been adequately tested and trialled.
The Code is therefore vital in promoting the development of these technologies in the future. This is because it finely balances supporting flexibility and innovation whilst providing greater clarity to organisations who are trialling the use of these vehicles. The legal requirement outlined for testing is that (i) a driver must be present, in or out of the vehicle, who is ready, able, and willing to resume control of the vehicle (ii) the vehicle is roadworthy and (iii) the appropriate insurance must be in place.
The rest of the Code is not legally binding however, certain actions in breach will result in certain legal consequences. The Code outlines that software versions must be fully up to date and that this responsibility falls on the driver if an accident occurs because of a software malfunction fixed by the update which had to have been instated.
Furthermore, the technology used in CAVs involve the processing of personal data. These driverless vehicles rely wholly on software technology to ensure there is a detection of pedestrians, cars, and other automobiles on the road. This means the Data Protection Act 2018 and therefore compliance with the GDPR is paramount. Such data privacy issues will be explored further below.
In terms of cyber security requirements, trialling organisations must ensure that vehicle systems have appropriate security measures in order to maintain data security and the risk of unauthorised data access. The UK government has endorsed the Key Principles of Cyber Security for Connected and Automated Vehicles through stating that these principles must be complied with even if they are not explicitly and legally mandatory.
The Future Data Privacy Issues of CAVs
Certainly, as highlighted above, there are many data privacy concerns which arise as a result of the use of CAVs and already these are ensuing across the globe. The main way in which CAVs impact a user’s data privacy protection is by virtue of the many offerings the technology affords.
First and foremost, the technology offered by CAVs prioritises simplicity for the user. For example, the car is able to ascertain which user is using the vehicle and can adjust the car’s settings to maximise comfort, safety and entertainment. But, in order to be able to do this accurately and effectively, the technology must be able to identify users with high certainty and therefore such features can directly interact with a user’s data privacy protection. Some issues which can arise from this feature is that a user’s personal data such as use of facial recognition to authenticate the individual can potentially be stored with unauthorised third parties. Although this can be confirmed on a case-by-case basis, the type of data being collected by these vehicles is highly sensitive and its use can thus quite easily be seen as a data breach.
Secondly, as with many other vehicles, CAVs collect location data to be used for navigation purposes. The benefits of this service are clear where an individual is able to plan their journey at a time with reasonably low congestion. However, this type of data can be revealing about an individual’s habits for example. This was reaffirmed in the US Supreme Court where in US v Jones it was held that the collection of location data can be essential in generating ‘a precise, comprehensive record of a person’s public movements’. Location tracking has important value for marketing purposes, in particular because it can show how often an individual goes to the supermarket for example and which supermarket this is. Having certain businesses or entertainment preferences being stored within the car’s technology can thus mean a user is open to having this information shared. There is thus a great risk where new car technology can collect and potentially share this type of information which can go against an individual’s reasonable expectation of privacy.
Thirdly, since CAVs are supposed to be driven without the assistance of a human, the sensors around the vehicle are able to collect information regarding its surroundings and environment. This is helpful to ensure the car stops for pedestrians, for example, however there are potential concerns with the invasion of a user’s privacy dependent on what these images can reveal. Additionally, the use of voice recognition sensors can be particularly invasive. Voice recognition forms the central aspect of controlling CAVs and data privacy concerns have been raised regarding the collection and transmission of these private communications. In China, the Chinese government went as far as banning the use of Tesla vehicles in anticipation of its Communist leadership gathering. This is to prevent the threat to national security through accessing of private governmental conversations. Such ethical concerns have spurred on the UK government’s focus on trialling and testing these vehicles where it has considered companies who create CAVs must undertake a privacy impact assessment as this will facilitate compliance with the requirements and standards of the Information Commissioner’s Office.
How Can Data Privacy be Adequately Considered?
Now that the data privacy concerns with CAVs have been outlined, the possible solutions must be discussed. As this insight has clearly pointed out, regulation through legislation can be an important way to force companies to consider these data privacy issues. The threat of legislation can ensure companies are enacting a policy of ‘privacy by design’ where at the outset, such consideration and security is built into the device at the outset as opposed to being an afterthought.
Specifically, in terms of the GDPR, the issue at hand would be delineating what legal basis allows for this provision to third party providers. It would be insufficient for a car company to contend that purchase of the car necessarily entails the selling of this personal data to third party companies in absence of a consensual agreement. Thus, increased regulation and compliance would need to be in place for the use of CAVs now and in the future.
Additionally, as the Code of Practice has highlighted, having certain industry standards and guidance in this area can be used as informative supervision which can guide the products created by a company. Ensuring that each user understands the data privacy risks with the use of this new car software allows a more mutually consensual basis to be created between consumer and product owner. It is hoped that in the future, these mechanisms are adequately considered to embed privacy issues directly into the creation of CAVs.
The data privacy issues relating to CAVs should not be seen as limited as these cars are still in their infancy. Most importantly, the effects of utilising personal data should not be seen as relating only to the car company collecting the data. During trials, the data collected could form important information for use in analytics or in tracking how drinking whilst driving affects your reactionary responses, for example. Furthermore, the entire landscape of car insurance claims could be altered if these companies had access to real-time video footage of the accident whilst it was occurring.
More than ever, the calls for greater data privacy regulation must be answered as the potential for breaches are very likely without adequate legislation in place. Legislatures should be keen to steer clear of the past mistakes made where regulation had not been created quickly enough in parallel with the rise of the internet of things. The English and Scottish Law Commission should therefore take the opportunity to address these upcoming data privacy issues before they become an ungovernable problem.