Data Privacy Issues of Self-Driving Vehicles

by Associate Christopher Achatz and Summer Associate Ashlee Difuntorum

In the next five years we will see more and more self-driving vehicles, or autonomous vehicles, hit the market. An “autonomous vehicle” is a vehicle capable of navigating roadways and interpreting traffic-control devices without a driver actively operating any of the vehicle’s control systems. Although self-driving vehicles have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel, concerns remain that could delay widespread adoption. Of particular concern are data privacy and security risks. This article addresses the data privacy issues of self-driving vehicles. We have also published an article discussing the cybersecurity issues of self-driving vehicles, which can be found here.

Seventeen states—Arkansas, California, Colorado, Connecticut, Delaware, Maine, Montana, Nevada, New Hampshire, New Jersey, New York, North Dakota, Oregon, Texas, Utah, Virginia, and Washington—and the District of Columbia have enacted statutes relating to the data privacy issues of data retrieval from event data recorders (“EDRs”).¹ EDRs capture driver behavior information, such as the speed of a vehicle, braking pattern, and collision information. These states require obtaining the consent of the vehicle owner or policyholder before one can download data collected from a motor vehicle’s EDR. Although these seventeen states have addressed issues relating to data privacy by regulating data retrieval from EDRs, only North Dakota has enacted legislation that specifically mentions “data privacy.” That legislation requires the department of transportation to study the data and information stored and gathered by the use of self-driving vehicles.

In addition to these seventeen states, automotive industry representatives have passed their own self-regulatory guidelines to address the data privacy issues of self-driving vehicles. In 2014 the Alliance of Automobile Manufacturers and the Association of Global Automakers enacted a set of “Privacy Principles” for vehicle technology and services.² Participating automobile manufacturers commit to comply with seven Privacy Principles, which govern the collection, use, and disclosure of driver behavior information retrieved from self-driving vehicles. These seven Privacy Principles are listed below.

Along with the states and the automotive industry that have enacted regulations regarding data privacy and self-driving vehicles, the federal government has also addressed these unique privacy issues. In December 2016 the National Highway Traffic Safety Administration released a proposal to mandate privacy measures relating to vehicle-to-vehicle (V2V) communications technology, which is used between self-driving vehicles to communicate the speed and location of each vehicle, the number of passengers in each vehicle, and more.³ Amongst other things, the proposal establishes a system that issues, distributes, and revokes security credentials for V2V devices and reports misbehavior. Additionally, the Federal Trade Commission and the NHTSA held a joint workshop on June 28, 2017 to examine the consumer privacy and security issues posed by self-driving vehicles.⁴ The workshop brought together various stakeholders, including industry representatives, consumer advocates, academics, and government regulators to discuss numerous issues related to self-driving vehicles that collect data.

Privacy Principles enacted by the Alliance of Automobile Manufacturers and the Association of Global Automakers:

1. Transparency - Members should provide owners and registered users with ready access to clear, meaningful notices about the member’s collection, use, and sharing of covered information.
2. Choice - Members should offer owners and registered users with certain choices regarding the collection, use, and sharing of covered information.
3. Respect for Context - Members should use and share covered information in ways that are consistent with the context in which the covered information was collected, taking account of the likely impact on owners and registered users.
4. Data Minimization - Members should collect covered information only as needed for legitimate business purposes and retaining covered information no longer than they determine necessary.
5. Data Security - Members should implement reasonable measures to protect covered information against loss and unauthorized access or use.
6. Integrity and Access - Members should implement reasonable measures to maintain the accuracy of covered information and give owners and registered users reasonable means to review and correct personal subscription information.
7. Accountability - Members should take reasonable steps to ensure that they and other entities that receive covered information adhere to these Privacy Principles.

Questions to consider when addressing data privacy issues of self-driving vehicles:

1. What type of information regarding driver behavior information do self-driving vehicles collect, store, and transmit?
2. Can someone track an individual or a vehicle through access to driver behavior information?
3. How do consumers benefit from the collection and use of their driver behavior information?
4. Who owns driver behavior information and what are their rights to its usage?
5. Will your company be required to grant law enforcement access the driver behavior information?
6. If you have access to driver behavior information, how will you use this information? Will your company use it to serve advertisements?
7. Will the driver behavior information be provided to insurance companies for underwriting purposes or to third parties that develop some kind of a driving score related to where and when individuals travel?
8. How will your company communicate its privacy policies and practices with regard to driver behavior information to consumers?

1. Seventeen States - Arkansas (Ark. Code § 23-112-107); California (Calif. Veh. Code § 9951); Colorado (CRS § 12-6-401—403); Connecticut (CGS § 14-164aa); Delaware (Del. Code § 3918); Maine (Me. Rev. Stat. Ann. Tit. 29-A § 1971—73); Montana (Mont. Code § 61-12-1001—1004); Nevada (Nev. Rev. Stat. § 484D.485); New Hampshire (N.H. Rev. Stat. § 357-G:1); New Jersey (N.J. Stat. § 39:10B-7—9 (2015 A.B. 3579)); New York (NY Veh. & Traffic Code § 416-b); North Dakota (N.D. Cent. Code § 51-07-28, N.D. 2015 H.B. 1065); Oregon (Ore. Rev. Stat. § 105.925—948); Texas (Tex. Trans. Code § 547.615); Utah (Utah Code § 41-1a-1501—1504); Virginia (Va. Code. §§§§ 38.2-2212(C)(s), 38.2-2213.1, 46.2-1088.6, 46.2-1532.2), and Washington (Wash. Code § 46.35.010—050)—and the District of Columbia (DC ST § 50-2351). See also Autonomous Vehicles—Self-Driving Vehicles Enacted Legislation, National Conference of State Legislatures (June 5, 2017), http://www.ncsl.org/research/transportation/autonomous-vehicles-self-driving-vehicles-enacted-legislation.aspx.

2. Auto Alliance Driving Innovation, Privacy Principles for Vehicle Technologies and Services, https://autoalliance.org/connected-vehicles/automotive-privacy-2/principles/.

3. National Highway Traffic Safety Administration, U.S. DOT advances deployment of Connected Vehicle Technology to prevent hundreds of thousands of crashes, https://www.nhtsa.gov/press-releases/us-dot-advances-deployment-connected-vehicle-technology-prevent-hundreds-thousands.

4. Federal Trade Commission, Connected Vehicles: Privacy, Security Issues Related to Connected, Automated Vehicles (June 28, 2017), https://www.ftc.gov/news-events/events-calendar/2017/06/connected-vehicles-privacy-security-issues-related-connected.

5. Institute of Electrical and Electronics Engineers, You Won’t Need a Driver’s License by 2040 (Sep. 15, 2014), http://sites.ieee.org/itss/2014/09/15/you-wont-need-a-drivers-license-by-2040/.

6. National Conference of State Legislatures, Autonomous Vehicles: Self-Driving Vehicles Enacted Legislation (June 26, 2017), http://www.ncsl.org/research/transportation/autonomous-vehicles-self-driving-vehicles-enacted-legislation.aspx.

7. National Conference of State Legislatures, Privacy of Data From Event Data Recorders: State Statutes (Dec. 12, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-of-data-from-event-data-recorders.aspx.

8. KPMG, The Chaotic Middle: The Autonomous Vehicle and Disruption in Automobile Insurance (June 27, 2017), https://home.kpmg.com/us/en/home/insights/2017/05/the-chaotic-middle-autonomous-vehicle-disruption-automobile-insurance.html?sf94340166=1.