Everyone is talking about data and how it is like oil. The above quote has been repeated by the Economist, newspapers, titans of industry and world leaders.
However, data really is not like oil.
Oil is ultimately a finite and diminishing resource. Its value is linked to scarcity. Oil has one basic use. Data has none of these attributes. Data and its uses expand exponentially. Indeed it is forecast that in the next two years, 40 zettabytes of data will be created – this is data equivalent to 4 million years of HD video. [1] Most crucially consumers of oil do not generally take matters personally. Data on the other hand, inflames consumers’ passion-how do I maintain privacy? Who has access to my data? How will the data be used?
Big data is a focus area for many industries and the auto industry is no exception. However, with the advent of self-driving cars the auto industry will not only be a consumer of data but also a major generator of data. A single self-driving car could generate as much as 100GB of data every second. [2]
Given that China has 217 million cars and the number increases by nearly 11% each year [3] this means the potential amount of data produced yearly would be far greater than the data held by Google.[4]
Self-driving cars may not need oil to function (as most will be electric) but they will need data to be on the roads. Self-driving cars will rely on a massive amount of data to flow via various sensors integrated into the vehicles. The vehicle will need to know its precise location, its destination and also be able to keep track of everything while it is on the road.[5] Self-driving cars will also need to learn about their environment and the consumers who use them. The “smarter” self-driving cars can become, the greater the convenience for the users. However, the cars will need increasing amounts of personal data to become smarter and also to incorporate data results into the services.[6]
Unlike oil the data generated by self-driving cars will not be a simple commodity that will be used for one purpose and consumed. The data generated will have great value to carmakers, mobile operators, insurance companies, restaurants, hotels and any other innumerable numbers of service or product providers that hope to interact with a self-driving car or its user. Google has built a $400 billion business on its knowledge of over one billion[7] users’ internet habits using their search engine for 1.2 trillion searches per year. [8] Imagine how valuable similar insights that are generated by observing billions of consumers’ behavior in cars for extending periods of time every day. The potential for monetization will be almost limitless.[9]
Data – great for companies, great for convenience, great for consumer experiences – but not so great for privacy. Privacy concerns on the part of consumer have greatly increased in recent years with the growth of social media, internet and data hacks. Self-driving cars will amplify concerns and consumers and regulators realize how much data and personal information these vehicles will generate, use and record about users and the surrounding environment. Self-driving cars will be a veritable fleet of data factories. Such mobile surveillance will mean that privacy will be compromised … everywhere.
As millions of self-driving cars are expected to be on the road within the next few years the issue of balancing the modern concern of privacy and the pressure to not hinder the next great industrial revolution will be increasingly pressing. A balanced regulatory scheme will need to be established to protect privacy on the one hand while still allowing the technology to develop unheeded by excessive government intervention.
This article will consider:
Massive data collection by self-driving cars
Self-driving cars contain various sensors that collect data about the vehicle’s operation and its surroundings. The sensors normally include cameras, radar, thermal imaging devices, and LIDAR. These sensors collect data about the environment outside the vehicle. This data enables self-driving cars to determine objects they encounter, make predictions about the environment, and take action based on such information and predictions.[10]
In addition to collecting information about the surrounding environment, self-driving cars will also likely collect other types of information within the vehicle relating to users in order to allow for more personalized service and improved road safety.
The creation and dissemination of data will not be limited to the confines of the car itself. Self-driving cars will interact and exchange data with other vehicles in real time. Communication between self-driving cars is often referred to as vehicle to vehicle (“V2V”) communication. V2V is defined as being a crash avoidance technology, which relies on communication of information between nearby vehicles.[11]
In addition, built-in entertainment systems in self-driving cars will not only be used to stream music, content and allow for communication but will also enable users to store personal settings and preferences.[12]
Self-driving cars will also collect and use location data for navigational purposes– e.g. destination information, route information, speed, and time travelled. Location features are also used in existing traditional vehicles to remember locations; provide additional information relevant to the trip, such as real-time traffic data and points-of-interest along the planned route; and set routing preferences, such as avoiding highways or toll roads.[13]
Privacy Legal Issues
1. From Little Data to Big Data.
To date the volume of personal data processed by cars was minimal. However, the development and use of self-driving cars will lead to the collection of a wide range of personal data which will include driver details, location, direction of travel, journey history, and average speed and mileage.[14]
The data that self-driving cars are potentially able to collect and the potential uses that such data can be employed in are of growing concern from a privacy perspective.
One of the most important data points is travel patterns. Self-driving cars will provide both historical and real-time continuous geo-location data. Third parties will be able to utilize this data to determine not only the user’s current location and destination but also every place he/she has visited. Advertisers will be able to identify purchasing patterns of individuals by tracking stores they frequently visit. Insurance companies will be able to determine the individual’s lifestyle by following their daily activities (e.g., frequent visits to the gym -good) or dining habits (e.g. regular trips to fast food restaurants -bad).[15]
Personal location information sourced from self-driving cars will be a powerful tool to predict where they will be in the future. Destination decisions of users of self-driving cars, as well as the time, place, and circumstances of when such travel decisions are made will likely reflect the personality, behavior, and personal preferences of such user. [16]
This constant monitoring of driverless cars will lead to concerns that users’ personal information may be used by targeted marketing and advertising (which they may find annoying) or may even leave them susceptible to harm. As sensors of self-driving cars will continuously scan the surrounding environment and capture images by vehicles, this will lead to future invasion of people’s privacy.
2. Why does it matter?
Users of self-driving cars likely have concerns about their personal information being collected and/or used without knowing how this will happen or to what end or whether there may be consequences for the users themselves.
Self-driving cars by their very nature automatically collect data showing how, where and when a person moves from place to place. Users will have concerns such as what use will be made of such personal data? Why is it being collected? How will it be used? How long will the data be kept? Who will have access?[17] Some commentators believe consumers’ concerns on privacy may have a major impact on the rate of adoption of self-driving cars.
However, it is not only consumers that are likely to have concerns.
Car manufacturers, fleet operators and other vendors (i.e. telecom, mapping etc.) will face practical difficulties in obtaining consent when a car is not only used by its owner but also by third parties. This issue will compound if, as is likely, most self-driving cars will be fleet operated rather than individually owned by consumers.
Car manufacturers and fleet operators should also be alert to the risks posed by third-party suppliers who process data on their behalf. If a car manufacturer or fleet operator collaborates with a tech company for connected services and such partner breaches data protection regulation then this may also lead to liability or reputational damage if data is lost or misused.[18]
Practice in leading jurisdictions
Privacy of citizens has not been historically a high priority for most governments. Accordingly, in most jurisdictions data protection regulations have not been developed to deal with specific implications arising from self-driving cars.[19]
The US and EU have published regulatory and industry initiatives to address privacy concerns arising from self-driving cars.
1. US
Existing US federal privacy legislation does not, to a large extent apply to self-driving cars. Further state laws in the main do not provide much protection. [20]
On 21 March 2017, two Democratic senators introduced new legislation, known as the Security and Privacy in Your Car Study Act of 2017 (“SPY Bill”). The SPY Bill aim is to eliminate cyber-attacks on vehicles and also address privacy concerns.
The SPY Bill provides a concept of “driving data” which includes any electronic information collected about a vehicle’s status, including its location, speed, information about users.
The key requirements under the SPY Bill include the following:
Although not the final word on privacy, the SPY Bill balances the rights of consumers to stop collection or retention of their driving data on the one hand while still allowing data to be collected for legitimate reasons such as safety or providing incident evidence.
In September 2017, the US House of Representative passed HR 3388, the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution, or SELF DRIVE*, Act (“SELF DRIVE Act”) [21] which requires developers of self-driving cars to develop a privacy plan on data.[22] The SELF DRIVE Act prohibits a manufacturer from selling self-driving cars unless a privacy plan is in place. The privacy plan needs to include:
It is important to note the manufacturer does not need to take these data protection steps if information about vehicle owners or occupants is
In contrast with the SPY Bill, the SELF DRIVE Act gives greater leeway for automakers to formulate their own privacy protection standards. It is noteworthy that under both bills the prime responsibility to protect the consumer’s privacy falls upon the carmakers. In this way it may be that the USA legislative bodies consider car manufacturers and not the telecom companies as main party collecting data in driverless cars – which may not be the case.
2. EU
Of the many countries and regions that have passed regulations on personal privacy, the European Union (EU) stands out for its overarching and comprehensive approach.[23]
On 25 May 2018, the General Data Protection Regulation (GDPR) will take effect and replace the Data Protection Directive of 1995. The GDPR aims to strengthen and unify data protection for all individuals within the EU. It also addresses the export of personal data outside the EU. It is important to note that as this is not a directive and therefore will not require national governments to pass any enabling legislation. It will therefore be directly binding and applicable.[24]
The EU connected cars strategy that was published on 30 November 2016 by the European Commission (“EU Strategy”) set out that the protection of personal data and privacy is a decisive factor for the successful deployment of cooperative, connected and automated vehicles. The EU believes users must be comfortable that their personal data will not be treated as a commodity and consumers retain effectively control over how and for what purposes their data is used for.
The EU Strategy also states that all data broadcast by connected cars will, in principle, qualify as personal data, and that the processing of such data needs to comply with the GDPR from May 2018.
The EU Strategy further set out specific actions to be taken:
In addition, on 13 January 2017 the EU Agency for Network and Information Security (ENISA) released the study “Cybersecurity and Resilience of smart cars” * (“ENISA Guidance”), which identifies good practices and recommendations to ensure security of smart cars against cyber threats.
The ENISA Guidance also provides recommendations for good practice in respect of user data protection:
3. Industry Initiatives
In addition to government laws and policies, there are also industrial efforts afoot in respect of consumer privacy protection for self-driving cars.
In 2014 the Alliance of Automobile Manufacturers and the Association of Global Automakers unveiled a set of privacy principles for vehicle technology and services (“Privacy Principles”).
Nineteen automobile manufacturers participated in the drafting of the Privacy Principles including BMW, Aston Martin, Ford, General Motors and Mercedes–Benz. The participating automobile manufacturers committed to comply with these Privacy Principles, which govern the collection, use, and disclosure of behavioral information collected from self-driving vehicles.[25]
The seven principles under the Privacy Principles are set out below:
Under the Privacy Principles, the collected information is defined as information which is linked or linkable to: the vehicle from which the information is retrieved: the owner of the vehicle; or a registered user of the vehicle’s technologies and services. Further, it includes information vehicles collect, generate, record, or store in an electronic format that is retrieved from vehicles in connection with vehicle technologies and services; or personal subscription information. Types of data include biometric, behavioral, and geolocation information.
The privacy commitments are part of a larger initiative by automakers to protect the privacy and security of the data necessary to support advanced vehicle technologies. [26]
Legal implications on privacy under China law
Unlike many other jurisdictions, China does not have a single comprehensive code of legislation dealing with the protection of privacy and personal data. The laws and regulations relating to privacy and personal data are scattered in various pieces of legislations.
In recent years, especially since 2009 Chinese authorities have introduced multiple laws and regulations in dealing with the deteriorating abuse of personal information in China. It should be noted that on the whole Chinese citizens do seem more comfortable with the authorities having access to personal data … and indeed even large service providers if it leads to better services.
The notable ones are set out below:
The rules set out in the NPC Decision in respect of personal information protection have laid the fundamental principles on personal information protection in China and have been adopted and further expanded in a number of other laws such as PRC Consumers’ Rights and Interests Protection Law. [31]
Another prominent development in privacy protection is the enacting of China’s Cybersecurity Law (CSL) which took effect on June 1, 2017. The notable points under the CSL include:
Under the CSL, CII refers to networks used in public communications, information services, energy, transportation, water conservancy, finance and public services as well as those networks the failure of which may harm the national security, economy or public interest. The CSL requires operators of CII to retain, within China[32], the personal information and important data collected and produced during operations in China. The coverage of CII under CSL is non-exhaustive and so far, official implementation measures and guidelines regarding the specific scope of CII have yet not been issued.
A cause of concern for many international companies with a presence in China was in April 2017, the issued draft Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (“Assessment Measures”). These Assessment Measures extend data localization requirements to all network operators[33] beyond CII operators. The final version of the Assessment Measures is expected to be issued in 2018.
If such expanded data localization requirements are finally adopted, this will have a major impact on international companies in respect of their outbound transfer of personal data. It should, however, be noted that there are already data localization requirements under existing Chinese laws. One example is that servers for mapping data for internet mapping service providers in China must be within China.[34] Also personal information collected by China car-hailing companies should only be stored and used within China.[35]
On the same day of the effectiveness of the CSL, a judicial interpretation on Handling of Criminal Cases of Infringement of Citizen’s Personal Information issued by China Supreme Court and Supreme Procuratorate also took effect (“2017 Interpretation”). The 2017 Interpretation has a broader definition of “personal information” than CSL and expressly includes “location and track information” as personal information. The 2017 Interpretation further specifies the circumstances that constitute serious cases scenario or extremely serious cases scenario. For example, illegally obtaining, selling or providing an individual’s location and track information for more than 50 pieces will constitute serious case and be subject to up to 3-year imprisonment and, if the number of location and track information illegally obtained, sold or provided reaches more than 500 pieces, such violation will constitute extremely serious case and will be subject to up to 7-year imprisonment terms.
In addition, on January 24, 2018, the Standardization Administration of China (SAC), a non-government organization in China, issued the Information Technology – Personal Information Security Specification (GB/T 35273-2017) (“SAC Specification”) which will be effective from May 1, 2018. The SAC Specification is not a binding document but rather a guideline, which refers to regulations and good practice in other jurisdictions. The SAC Specification provides many new concepts such as sensitive personal information, personal information controller and details the process of collecting, storing, using, delegating, sharing, transferring and disclosing personal information with certain examples such as privacy template. While the SAC Specification is not a binding document, it will provide good practice and is an example to companies as to how to better implement personal data protection in China.
Like many other jurisdictions, China’s legal regime has not addressed the specific privacy implications that self-driving cars will raise. However, China has established a preliminary legal framework on privacy protection. Companies operating in China should follow the general requirements on personal data collection, use, storage and processing established by the Chinese laws and judicial interpretation mentioned above and are recommended to refer to the good practice set out in the SAC Specification, for example, obtaining express consent (i.e., adopting an opt-in approach) from users of self-driving cars to collect, use, store and process sensitive personal information to avoid potential compliance risks.
Suggestions
As self-driving cars will be on the market soon, consumers’ concerns on privacy issues will affect their adoption of the new mode of travel. The best practice would be that the privacy issues be systematically addressed in advance – before self-driving cars become everyday consumer products. However, this will need joint efforts from regulatory authority, car manufacturers and other stakeholders.
