Life in the (Regulated) Fast Lane: Companies Must Navigate Global Privacy Rules on Self-Driving Cars

Last month, Google subsidiary Waymo launched its first self-driving fleet of trucks in Atlanta. The autonomous vehicle company's announcement came only days after rival Uber Technologies Inc. said its self-driving trucks had hit the road in Arizona.

Clearly, it's an exciting time to be in the autonomous car industry, and the race is on to develop the best tech first.

But with the General Data Protection Regulation's (GDPR's) May 25 implementation date looming in the European Union, new ethical guidelines in Germany, changing privacy standards in China and new data privacy regulations being debated in the U.S., engineers aren't the only ones at autonomous vehicle companies seeking solutions. An increasingly complex legal landscape means in-house lawyers need to focus on compliance with evolving data privacy regulations.

“Really focus on privacy by design. Look at what [engineers] are doing, and consider what the risks to individuals might be as a result of the activity and to try to design and correct the service in a way that avoids that,” says Nigel Parker, a partner at Allen & Overy. “The worst thing as in-house counsel is for the business to spend lots of hours and money building something that doesn't work or is hard to implement in a lawful way.”

GDPR and the European Union

Parker, who is based in London, has seen a number of autonomous vehicle companies with European operations working to grapple with GDPR's implications for the industry. GDPR requires companies to obtain explicit consent before collecting and storing individuals' personal data. This personal data could include passenger routes and other information collected by self-driving vehicles.

Self-driving cars rely on data from their owners, but could also pick up data from secondary passengers, or even people on the street detected by LiDAR lasers. That's a lot of data on a lot of people. But each of those scenarios could present a different degree of identification ability and anonymity.

“Anonymous doesn't mean having no name, it means impossible to identify,” says Chris Watson, a partner and head of the CMS technology, media and communications group at Cameron McKenna Nabarro Olswang in London. “What we're actually talking about here is removing identifying characteristics.”

Watson and Parker say companies should make data from non-primary users of autonomous vehicles anonymous or, even better, not collect their data at all, because it can be complicated to get explicit consent from every secondary rider who enters a vehicle.

“If you're collecting data about individuals you don't have a direct relationship with, so, participants in the ecosystem, that's an issue [companies] need to try to avoid,” explains Parker.

The lawyers say companies should only collect non-primary users' data if it is absolutely necessary. If they choose to collect, they'll need to get explicit consent from those whose data will be used and provide transparency in their reasoning for gathering and saving such data. The same is true for primary users, but it's easier to get consent from someone who has a direct relationship with the vehicle and company, Parker says.

Collecting consent from autonomous vehicle users isn't just complicated by the number of passengers or people nearby. The cars themselves contain parts from a number of different manufacturers, and it can be complicated to determine which companies should be responsible for obtaining users' consent.

“It's important that all those parties have [a] clear allocation of responsibility, so it's clear both to them and the individual who is accountable,” Parker says.

In the EU and beyond, countries are laying out how self-driving cars should collect data ethically. While GDPR is already law, countries such as Germany and China have outlined guidelines for the autonomous vehicle industry that aren't mandatory — at least not yet.

In August 2017, Germany became the first country to release ethical guidelines for driver-less cars which stated users should have to opt in to share their data, and that factory settings should be privacy heavy. The guidelines also state companies should obtain consent from all parties surrounding the vehicle whose information could be picked up by LiDAR lasers. LiDAR collects information about objects around the vehicle by bouncing lasers off of them, then using technology to interpret what and where the objects are with accuracy.

It's not yet clear how companies could obtain consent from nearby cars or people on the street, with no other relation to the vehicle or its owner, says Xiaoyan Zhang, a counsel in Reed Smith's San Francisco-based IP, Tech & Data Group.

“The ethical rules are still high level. We're waiting to see the implementation plan from the German government,” Zhang says.

China and the U.S.

Zhang notes that China also has a framework for what ethical collection of data would look like in autonomous vehicles. The country's Information Security Technology — Personal Information Security Specification, which outlines best practices to comply with the country's cybersecurity law, was released in late January. While it doesn't name autonomous vehicles specifically and is a standard rather than a law, it outlines how companies in China can ethically collect data.

“Similar to other jurisdictions, there's nothing concrete yet, but the cybersecurity law could factor in the autonomous vehicle manufacturers and suppliers as network operators or critical information infrastructures, and as such they will need to, in general, give notice and collect consent before they capture personal information,” Zhang says.

In the U.S., several states, including California, have passed regulations on autonomous vehicles, but there's no federal legislation yet. Right now, the Alliance of Automobile Manufacturers, which includes Ford Motor Co. and General Motors, has a self-regulating set of principles on data minimization and privacy.

But federal regulations in the U.S. could be coming soon. In September 2017, the Senate passed the Self Drive Act, which says that autonomous vehicle manufacturers must have “developed a cybersecurity plan,” including a process to mitigate or prevent cybersecurity attacks.

If the Act passes Congress, manufacturers will also have to provide a written privacy plan outlining what information is collected by car owners or passengers and how it is used. They'll also have to show their plans to minimize and de-identify data and to provide vehicle owners or occupants notice about the privacy policy, unless the data is anonymized.

The Federal Trade Commission would be responsible for regulating companies that stray from their stated privacy or cybersecurity plans, which would be treated as “an unfair or deceptive act or practice.” While the change is still pending, Zhang says the Self Drive Act could be welcomed by those seeking regulatory clarity for autonomous vehicles.

“In general I think people want to see more on the federal level,” she says. “Then there's a more consistent regulation.”

*****

Caroline Spiezio covers the intersection of tech and law for Corporate Counsel, an ALM sibling of Cybersecurity Law & Strategy, and is based in San Francisco. Follow her on Twitter @CarolineSpiezio.