by Associate Christopher Achatz and Summer Associate Ashlee Difuntorum
In the next five years we will see more and more self-driving vehicles, or autonomous vehicles, hit the market. An “autonomous vehicle” is a vehicle capable of navigating roadways and interpreting traffic-control devices without a driver actively operating any of the vehicle’s control systems. Although self-driving vehicles have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel, concerns remain that could delay widespread adoption. Of particular concern are data privacy and security risks. This article addresses the data privacy issues of self-driving vehicles. We have also published an article discussing the cybersecurity issues of self-driving vehicles, which can be found here.
Seventeen states—Arkansas, California, Colorado, Connecticut, Delaware, Maine, Montana, Nevada, New Hampshire, New Jersey, New York, North Dakota, Oregon, Texas, Utah, Virginia, and Washington—and the District of Columbia have enacted statutes relating to the data privacy issues of data retrieval from event data recorders (“EDRs”).1 EDRs capture driver behavior information, such as the speed of a vehicle, braking pattern, and collision information. These states require obtaining the consent of the vehicle owner or policyholder before one can download data collected from a motor vehicle’s EDR. Although these seventeen states have addressed issues relating to data privacy by regulating data retrieval from EDRs, only North Dakota has enacted legislation that specifically mentions “data privacy.” That legislation requires the department of transportation to study the data and information stored and gathered by the use of self-driving vehicles.
In addition to these seventeen states, automotive industry representatives have passed their own self-regulatory guidelines to address the data privacy issues of self-driving vehicles. In 2014 the Alliance of Automobile Manufacturers and the Association of Global Automakers enacted a set of “Privacy Principles” for vehicle technology and services.2 Participating automobile manufacturers commit to comply with seven Privacy Principles, which govern the collection, use, and disclosure of driver behavior information retrieved from self-driving vehicles. These seven Privacy Principles are listed below.
Along with the states and the automotive industry that have enacted regulations regarding data privacy and self-driving vehicles, the federal government has also addressed these unique privacy issues. In December 2016 the National Highway Traffic Safety Administration released a proposal to mandate privacy measures relating to vehicle-to-vehicle (V2V) communications technology, which is used between self-driving vehicles to communicate the speed and location of each vehicle, the number of passengers in each vehicle, and more.3 Amongst other things, the proposal establishes a system that issues, distributes, and revokes security credentials for V2V devices and reports misbehavior. Additionally, the Federal Trade Commission and the NHTSA held a joint workshop on June 28, 2017 to examine the consumer privacy and security issues posed by self-driving vehicles.4 The workshop brought together various stakeholders, including industry representatives, consumer advocates, academics, and government regulators to discuss numerous issues related to self-driving vehicles that collect data.
The estimated percentage of road traffic that will be occupied by self-driving vehicles by 2040.5
The number of states to date that have introduced legislation relating to self-driving vehicles.6
The number of states as of December 2016 that have introduced legislation relating to both self-driving vehicles and data privacy.7
The amount of money by which the autonomous vehicle technology could shrink the auto insurance sector by 2050.8
1. Seventeen States - Arkansas (Ark. Code § 23-112-107); California (Calif. Veh. Code § 9951); Colorado (CRS § 12-6-401—403); Connecticut (CGS § 14-164aa); Delaware (Del. Code § 3918); Maine (Me. Rev. Stat. Ann. Tit. 29-A § 1971—73); Montana (Mont. Code § 61-12-1001—1004); Nevada (Nev. Rev. Stat. § 484D.485); New Hampshire (N.H. Rev. Stat. § 357-G:1); New Jersey (N.J. Stat. § 39:10B-7—9 (2015 A.B. 3579)); New York (NY Veh. & Traffic Code § 416-b); North Dakota (N.D. Cent. Code § 51-07-28, N.D. 2015 H.B. 1065); Oregon (Ore. Rev. Stat. § 105.925—948); Texas (Tex. Trans. Code § 547.615); Utah (Utah Code § 41-1a-1501—1504); Virginia (Va. Code. §§§§ 38.2-2212(C)(s), 38.2-2213.1, 46.2-1088.6, 46.2-1532.2), and Washington (Wash. Code § 46.35.010—050)—and the District of Columbia (DC ST § 50-2351). See also Autonomous Vehicles—Self-Driving Vehicles Enacted Legislation, National Conference of State Legislatures (June 5, 2017), http://www.ncsl.org/research/transportation/autonomous-vehicles-self-driving-vehicles-enacted-legislation.aspx.
2. Auto Alliance Driving Innovation, Privacy Principles for Vehicle Technologies and Services, https://autoalliance.org/connected-vehicles/automotive-privacy-2/principles/.
3. National Highway Traffic Safety Administration, U.S. DOT advances deployment of Connected Vehicle Technology to prevent hundreds of thousands of crashes, https://www.nhtsa.gov/press-releases/us-dot-advances-deployment-connected-vehicle-technology-prevent-hundreds-thousands.
4. Federal Trade Commission, Connected Vehicles: Privacy, Security Issues Related to Connected, Automated Vehicles (June 28, 2017), https://www.ftc.gov/news-events/events-calendar/2017/06/connected-vehicles-privacy-security-issues-related-connected.
5. Institute of Electrical and Electronics Engineers, You Won’t Need a Driver’s License by 2040 (Sep. 15, 2014), http://sites.ieee.org/itss/2014/09/15/you-wont-need-a-drivers-license-by-2040/.
6. National Conference of State Legislatures, Autonomous Vehicles: Self-Driving Vehicles Enacted Legislation (June 26, 2017), http://www.ncsl.org/research/transportation/autonomous-vehicles-self-driving-vehicles-enacted-legislation.aspx.
7. National Conference of State Legislatures, Privacy of Data From Event Data Recorders: State Statutes (Dec. 12, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-of-data-from-event-data-recorders.aspx.
8. KPMG, The Chaotic Middle: The Autonomous Vehicle and Disruption in Automobile Insurance (June 27, 2017), https://home.kpmg.com/us/en/home/insights/2017/05/the-chaotic-middle-autonomous-vehicle-disruption-automobile-insurance.html?sf94340166=1.