Connected autonomous vehicles (CAVs) are increasingly capable of creating, collecting and processing a wealth of data. However, in order for vehicle manufacturers and CAV stakeholders to access and extract the value in such data, they must do so lawfully. This is especially true in relation to personal data which is governed in the EU (and beyond) by the General Data Protection Regulation (GDPR). This post explores at a high level how CAV stakeholders can ensure compliance with the GDPR, particularly in relation to CAVs which process personal data of vehicle drivers, owners and pedestrians.
What data are we talking about?
The prospective data inputs and outputs for CAVs vary depending on CAVs’ capabilities. For example, current driver-assist models tend to be based on semi-autonomous features such as dynamic cruise control and lane keep assist. These driving technologies typically rely on sensors which monitor mechanical, physical, spatial and environmental conditions (e.g. speed, distance, location and weather). Much of this data is not ‘personal’ to individuals, and hence is not governed by the GDPR.
However, as CAVs become “smarter”, the potential for them to recognise and adapt to individual drivers, and to fully and autonomously connect to other vehicles and drivers, renders the CAV data ecosystem much more personal and regulated.
What is ‘personal’ data?
Smart vehicles can collect individual preferences about driving position set up, data from connected devices such as mobile phones, driving behaviours such as speed and braking, viewing preferences for ‘infotainment’ systems and numerous other insights into the lives of vehicle drivers, passengers and owners, especially as CAVs connect to other external data sources.
Personal data is defined under the GDPR as information that relates to an identified or identifiable individual. Special category data, which includes racial or ethnic origin, health or biometric data, and criminal offence data, invites greater protection. It is clear that both types of personal data naturally arise in connection with CAVs.
Examples of personal data collected or processed by CAVs range from the obvious (e.g. addresses stored in a satnav system and video footage collected by an embedded dashcam) to the more subtle (e.g. speed limit adherence – breaching the speed limit can be a criminal offence, and it is possible that a manufacturer or owner could link this offence to a known driver of the vehicle, thereby giving the manufacturer criminal offence data). The sheer volume and variety of data collected and processed by CAVs is such that it could accumulate over time or be combined with other information to a level where, even if collected anonymously in the first instance, the data could subsequently become personal data and invite specific protection.
Lawful basis and fair processing information
In the CAV scenario, perhaps the first thing to consider from a GDPR perspective is who would be the “controller”. This is the entity with the greatest regulatory responsibility under the GDPR; the entity that collects the data and decides what will be done with such data. In the CAV value chain there are a number of stakeholders who could be acting as the controller, or potentially all of them could be independent or joint controllers. These stakeholders include, for example, the manufacturer, the software developer/provider, the employer entity (when dealing with a fleet of vehicles owned by a company and driven by its employees) and the owner. It is therefore important that every CAV stakeholder in the value chain considers its regulatory position under the GDPR.
To collect and process personal data, the controller of the data must have a lawful basis for doing so. One such lawful basis can be to inform the individuals affected about the intended uses of their personal data, and to obtain their consent to such processing. However, relying on consent under the GDPR may prove difficult where it is a precondition to using a CAV or smart vehicle. Consent will only be valid under the GDPR if it is freely given and so it cannot be a prerequisite to ownership or use of the vehicle. Consent could also be difficult in the fleet vehicle scenario as employee consent is often not considered to be valid under the GDPR.
An alternative lawful basis for the processing of personal data in a CAV context may be to assert that the processing is necessary to fulfil the ‘legitimate interests’ of the controller. However, such legitimate interests must not override the rights and freedoms of the affected individuals. For example, it may be legitimate to use retinal scanning to unlock a vehicle, but not to display an advert for colour-matching eye makeup on the infotainment screen. In each case, a balanced case-by-case assessment of the facts and circumstances will be required.
For completeness it is also worth noting that a different set of lawful bases will need to be relied upon in the event that any special category data or data relating to (potential) criminal offences is collected.
In any event, controllers of personal data processed by CAVs must clearly inform data subjects prior to collection of how their personal data will be collected and used. Drivers are likely to be frustrated by repeated privacy notices each time they start the vehicle, so this process will need to be managed appropriately. The situation becomes even more complicated when vehicles collect personal data about passengers and third parties. Manufacturers are therefore faced with the challenge of developing a practical and user-friendly system for providing ‘fair processing’ information to ensure the CAVs adequately comply with the GDPR.
Other relevant data protection principles
Privacy by design is a key principle under the GDPR and requires controllers to have an eye to data protection as they develop products, services or otherwise. For manufacturers of CAVs and other stakeholders, this will require maintaining a balance between simplifying the user journey and the obligation to ensure that owners, drivers, passengers and third parties are aware of potential personal data collection and use.
The principle of data minimisation may also prove difficult in a world where significant amounts of personal data are being collected in relation to each and every journey. Controllers have an obligation to collect no more personal data than is necessary, and it is not always clear where the boundary of necessity lies. Controllers will also need to think carefully about limiting data collection to specific purposes, rather than collecting all possible data and then finding a use for it in future. Deletion requirements will also have an impact, given the need to delete personal data once it is no longer necessary and the tension that could arise with individuals exercising their rights to require the erasure of their personal data, especially in relation to vehicles which they do not own or control.
The potential volumes of personal data processing combined with potential profiling activities also raise the question of whether CAV stakeholders will need to appoint a data protection officer (DPO) in respect of their CAV-related activities.
It is clear that careful thought must be given to ensuring that data protection compliance complements and supports the adoption of CAVs, rather than becoming a barrier to them. CAV stakeholders who engage early with these requirements will be on the front foot, and can be confident in building processes which allow them to unlock the value of their potentially vast data source.