Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Life in the (Regulated) Fast Lane: Companies Must Navigate Global Privacy Rules on Self-Driving Cars
Last month, Google subsidiary Waymo launched its first self-driving fleet of trucks in Atlanta. The autonomous vehicle company's announcement came only days after rival Uber Technologies Inc. said its self-driving trucks had hit the road in Arizona.
Clearly, it's an exciting time to be in the autonomous car industry, and the race is on to develop the best tech first.
But with the General Data Protection Regulation's (GDPR's) May 25 implementation date looming in the European Union, new ethical guidelines in Germany, changing privacy standards in China and new data privacy regulations being debated in the U.S., engineers aren't the only ones at autonomous vehicle companies seeking solutions. An increasingly complex legal landscape means in-house lawyers need to focus on compliance with evolving data privacy regulations.
“Really focus on privacy by design. Look at what [engineers] are doing, and consider what the risks to individuals might be as a result of the activity and to try to design and correct the service in a way that avoids that,” says Nigel Parker, a partner at Allen & Overy. “The worst thing as in-house counsel is for the business to spend lots of hours and money building something that doesn't work or is hard to implement in a lawful way.”
|GDPR and the European Union
Parker, who is based in London, has seen a number of autonomous vehicle companies with European operations working to grapple with GDPR's implications for the industry. GDPR requires companies to obtain explicit consent before collecting and storing individuals' personal data. This personal data could include passenger routes and other information collected by self-driving vehicles.
Self-driving cars rely on data from their owners, but could also pick up data from secondary passengers, or even people on the street detected by LiDAR lasers. That's a lot of data on a lot of people. But each of those scenarios could present a different degree of identification ability and anonymity.
“Anonymous doesn't mean having no name, it means impossible to identify,” says Chris Watson, a partner and head of the CMS technology, media and communications group at Cameron McKenna Nabarro Olswang in London. “What we're actually talking about here is removing identifying characteristics.”
Watson and Parker say companies should make data from non-primary users of autonomous vehicles anonymous or, even better, not collect their data at all, because it can be complicated to get explicit consent from every secondary rider who enters a vehicle.
“If you're collecting data about individuals you don't have a direct relationship with, so, participants in the ecosystem, that's an issue [companies] need to try to avoid,” explains Parker.
The lawyers say companies should only collect non-primary users' data if it is absolutely necessary. If they choose to collect, they'll need to get explicit consent from those whose data will be used and provide transparency in their reasoning for gathering and saving such data. The same is true for primary users, but it's easier to get consent from someone who has a direct relationship with the vehicle and company, Parker says.
Collecting consent from autonomous vehicle users isn't just complicated by the number of passengers or people nearby. The cars themselves contain parts from a number of different manufacturers, and it can be complicated to determine which companies should be responsible for obtaining users' consent.
“It's important that all those parties have [a] clear allocation of responsibility, so it's clear both to them and the individual who is accountable,” Parker says.
In the EU and beyond, countries are laying out how self-driving cars should collect data ethically. While GDPR is already law, countries such as Germany and China have outlined guidelines for the autonomous vehicle industry that aren't mandatory — at least not yet.
In August 2017, Germany became the first country to release ethical guidelines for driver-less cars which stated users should have to opt in to share their data, and that factory settings should be privacy heavy. The guidelines also state companies should obtain consent from all parties surrounding the vehicle whose information could be picked up by LiDAR lasers. LiDAR collects information about objects around the vehicle by bouncing lasers off of them, then using technology to interpret what and where the objects are with accuracy.
It's not yet clear how companies could obtain consent from nearby cars or people on the street, with no other relation to the vehicle or its owner, says Xiaoyan Zhang, a counsel in Reed Smith's San Francisco-based IP, Tech & Data Group.
“The ethical rules are still high level. We're waiting to see the implementation plan from the German government,” Zhang says.
|China and the U.S.
Zhang notes that China also has a framework for what ethical collection of data would look like in autonomous vehicles. The country's Information Security Technology — Personal Information Security Specification, which outlines best practices to comply with the country's cybersecurity law, was released in late January. While it doesn't name autonomous vehicles specifically and is a standard rather than a law, it outlines how companies in China can ethically collect data.
“Similar to other jurisdictions, there's nothing concrete yet, but the cybersecurity law could factor in the autonomous vehicle manufacturers and suppliers as network operators or critical information infrastructures, and as such they will need to, in general, give notice and collect consent before they capture personal information,” Zhang says.
In the U.S., several states, including California, have passed regulations on autonomous vehicles, but there's no federal legislation yet. Right now, the Alliance of Automobile Manufacturers, which includes Ford Motor Co. and General Motors, has a self-regulating set of principles on data minimization and privacy.
But federal regulations in the U.S. could be coming soon. In September 2017, the Senate passed the Self Drive Act, which says that autonomous vehicle manufacturers must have “developed a cybersecurity plan,” including a process to mitigate or prevent cybersecurity attacks.
If the Act passes Congress, manufacturers will also have to provide a written privacy plan outlining what information is collected by car owners or passengers and how it is used. They'll also have to show their plans to minimize and de-identify data and to provide vehicle owners or occupants notice about the privacy policy, unless the data is anonymized.
The Federal Trade Commission would be responsible for regulating companies that stray from their stated privacy or cybersecurity plans, which would be treated as “an unfair or deceptive act or practice.” While the change is still pending, Zhang says the Self Drive Act could be welcomed by those seeking regulatory clarity for autonomous vehicles.
“In general I think people want to see more on the federal level,” she says. “Then there's a more consistent regulation.”
*****
Caroline Spiezio covers the intersection of tech and law for Corporate Counsel, an ALM sibling of Cybersecurity Law & Strategy, and is based in San Francisco. Follow her on Twitter @CarolineSpiezio.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
How Secure Is the AI System Your Law Firm Is Using?
In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
COVID-19 and Lease Negotiations: Early Termination Provisions
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.
Authentic Communications Today Increase Success for Value-Driven Clients
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.