Driverless cars – Who should have access to vehicle data, and how should privacy be protected?
First published on LinkedIn on 3 December 2018
Last month, I published an article explaining how Australia’s Transport Ministers propose to ensure the safety of self-driving vehicles, by requiring mandatory self-certification of the automated driving system (ADS) by the entity proposing to bring the automated driving system to the Australian market (the ADS entity or ADSE), before the ADS can be sold.
I mentioned that the self-certification process will require the ADSE to demonstrate how it has managed various safety criteria, and how it will have the financial capacity or insurance arrangements needed to meet reasonable potential liabilities arising out of any defects in the vehicle’s automated driving system.
I also mentioned that as part of the self-certification, the ADSE will be required to outline the data it will record, and how it will provide the data to relevant parties. This last point is worthy of further discussion, because it raises important questions about who should have access to such data, and how the privacy of individuals should be protected.
What data will be generated by vehicle technologies?
Future motor vehicles are expected to generate significant amounts of data, including:
data generated by sensors, radars, lidar technology, cameras and electronic control units and the like, that supports the operation of advanced driver assistance and automated functions;
image data generated by video recordings both within and outside the vehicle;
crash and vehicle control data generated by event data recorders;
location and route data generated by navigation systems and vehicle-to-vehicle (V2V) or vehicle-to-infrastructure (V2I) communications;
data from biometric, biological or health sensors to monitor driver alertness and behaviour to assist with determining whether it is safe for the ADS to hand back control to the human driver, or to recognise drivers and occupants (such as through fingerprints) to customise the vehicle experience; and
audio data recorded by microphones within and outside the vehicle.
Privacy protection
Australian privacy laws are designed to protect the privacy of ‘personal information’. Personal information is defined slightly differently across the various privacy laws, but it is generally defined to mean information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Much of the data that vehicles will generate will not contain personal information. However, to the extent that it does – and it is highly likely that some of the data will – our privacy laws will apply. For example, if data from in-vehicle cameras can identify the driver or vehicle occupants, it will be personal information and therefore protected. Likewise for data from biometric, biological or health sensors, if it can be used on its own, or with other data, to identify an individual. Location information about a vehicle will also be personal information if it can be connected with an individual.
Whether the level of protection provided by Australia’s existing privacy laws is adequate is a separate question, to which I will return shortly.
Data to be provided by ADSE
The Transport Ministers have agreed that the self-certification submitted by the ADSE must “outline the ADS data that the ADSE will record and how it will provide the data to relevant parties. Without limiting the data to be recorded and shared, the ADSE must explain how it will ensure:
the vehicle has real-time monitoring of driving performance and incidents, including event data records in the lead-up to any crash that identifies which party was in control of the vehicle at the relevant time
the vehicle can provide road agencies and insurers with crash data
relevant parties (including police) receive information about the level of automation engaged at a point in time if required
individuals receive data to dispute liability (for example, data showing which party was in control to defend road traffic infringements and dispute liability for crashes) when the individual makes a reasonable request
data is provided in a standardised, readable and accessible format when relevant
data is retained to the extent necessary to provide it to relevant parties (the amount of time data is retained for may depend on the purpose(s) the information could be used for – for example, law enforcement, insurance)
data relevant to the enforcement of road traffic laws and the general safe operation of the ADS (including data relevant to crashes) is stored in Australia. This does not require the applicant to store the data exclusively in Australia.”
The decision of the Transport Ministers requires ADSEs to note that privacy legislation may impose some limitations on the data the ADSE can record and share.
Who should have access to the data, and for what purposes?
It is clear from the above decision that the Transport Ministers intend that:
crash data will be recorded and shared with road agencies and insurers;
data on the level of automation engaged at a point in time will be recorded and shared with police; and
data needed to dispute liability for traffic infringements or crashes (i.e. data showing who was in control of the vehicle at the relevant time) will be recorded and shared with individuals.
It is not clear, however, who the other ‘relevant parties’ are that will be entitled to access the data. Nor is it clear how the rights of each relevant party accessing the data will be legally enforced.
Further clarification is also required on the purposes for which relevant parties may use the data. The use of crash data, and data on who is in control of the vehicle at the relevant time, by police for law enforcement, and by relevant individuals for civil liability purposes, is perhaps relatively uncontroversial. More controversial, perhaps, is the proposed use of location and other data by road agencies to inform and enhance government decision making in respect of traffic management and road safety, and infrastructure and network planning.
Fortunately, the Transport Ministers are not proposing that police should have access to in-cabin video, or data from biometric, biological or health sensors, to determine whether a ’fallback-ready’ human driver is complying with proposed new laws that will require him or her to remain sufficiently vigilant, when the ADS is controlling the vehicle, to respond to requests from the ADS to resume control of the vehicle. While users of automated vehicles would be prepared to allow the vehicle to monitor such data to keep vehicle occupants safe (by determining whether it is safe to hand back control to the human driver, or by issuing alerts to wake up the driver), I doubt they are ready for such data to be monitored by the police for law enforcement purposes.
The risk of mass surveillance of automated and connected vehicle users by government needs to be addressed
Who owns and controls the data?
The decision of the Transport Ministers assumes that the ADSE will own the data, or have the right to collect and share the data. While this assumption is probably correct (given the current contract terms under which vehicles are sold), there are serious questions as to whether this is how it should be.
Under Australia’s property laws, the owner of the vehicle will own any data that the vehicle generates, unless the vehicle owner agrees otherwise. But purchasers of new vehicles are now routinely asked to agree otherwise. Contracts for the sale of new vehicles typically provide that the data that the vehicle generates will be owned by (or irrevocably licensed to) the manufacturer even though ownership of the vehicle is transferred from the manufacturer to the purchaser. The ability of consumers to negotiate alternative purchase terms is limited, and most have no practical choice but to agree.
But it doesn’t have to be this way. In the US, legislation has been passed that provides that any data in a vehicle’s event data recorder is the property of the owner or lessee of the vehicle. The same law also prohibits a person, other than the owner or lessee of the motor vehicle, from accessing data recorded or transmitted by such a recorder unless the owner or lessee consents (or the data is retrieved pursuant to a court order, or for specific purposes authorised by the legislation, such as an investigation by the transport safety regulator, an emergency medical response to a crash, or for traffic safety research).
Returning control of crash data to the owner or lessee of the vehicle would also enable the owner or lessee to comply with any obligation it might have under any insurance contract to provide such data to the insurer.
Are Australia’s existing privacy laws adequate?
As mentioned above, the data from automated vehicles that contains personal information will receive the protections provided by Australia’s existing privacy laws. Whether these protections are adequate is a separate question.
Australia’s privacy laws prohibit the disclosure of personal information for a purpose that is not the original purpose of collection, unless the individual consents, or another exception exists. Agencies and private sector organisations (including vehicle manufacturers) that collect personal information routinely obtain broad consents from individuals in circumstances where the individual has little practical choice but to give the consent in the terms requested. Also, the statutory exception that permits disclosure for law enforcement purposes is quite broad – the manufacturer does not need to be legally obliged to provide the information to the law enforcement agency, but rather the belief that the disclosure is reasonably necessary for law enforcement purposes will suffice.
The National Transport Commission has formed the view that Australia’s existing privacy laws do not sufficiently address the new privacy challenges of automated vehicles, and is proposing new laws specific to automated vehicles to plug the gaps. But if the problem is the adequacy of the existing privacy protection laws, a better solution may be to revisit the privacy protection laws themselves, rather than supplement them with new ad hoc laws specific to automated vehicles.
Conclusion
There is a significant need for reform to address the access to data and privacy issues associated with automated vehicles. Australia’s Transport Ministers should consider whether Australia needs:
a more holistic review of adequacy of Australia’s existing privacy laws; and
legislation to enable vehicle owners and lessees to access crash data and data needed to dispute liability for traffic infringements.
