Driverless cars - privacy on public roads

7 minute read
01 October 2014

Following testing in the USA of driverless cars and the announcement in the UK that cars will be tested here from the start of next year, the debate around autonomous vehicles has intensified. Questions are being raised such as who should be responsible if a driverless car malfunctions causing an accident? But let’s not forget about all the data being generated.

This question as well as others was raised by the Department for Transport in its recent consultation (which closed on 19th September).  As pointed out by the Department for Transport and others, driverless cars could bring huge benefits to road users. The biggest being that this technology could save lives by making our roads safer. More day to day benefits could include congestion and pollution reduction. Location data may also be useful to target infrastructure improvements or to aid traffic management plans.

More time could be 'freed up' for individuals. I relish the idea of being driven to work whilst catching up on Downton. Although this may just be wishful thinking on my part as 'drivers' of 'driverless' vehicles may still be required to pay 'due care and attention' and be at the ready to take over from the 'autopilot' if needed.

Personal data gathered from driverless cars could also be used for accident investigation purposes, police matters, or by insurers.

On the other side of the coin, dissidents have pointed out a number of potential pitfalls - how will autonomous vehicles cope with the unexpected? How will they cope even with the expected, like snow covering their sensors used to navigate the world around them? What changes are required to traffic laws and the Highway Code? What happens when the driving software stops working - could this pose more of a risk to life than the lives that may be saved by eliminating human error from driving? Less publicised is another aspect of the technology which is now coming under the spotlight - privacy.

Whilst driverless cars will use complicated sensor technology to anticipate conditions and adapt to their surroundings, they will be heavily reliant on in-built software and live, up-to-date and highly accurate map and GPS information. Having a permanent, wireless connection to the internet and GPS will make the vehicle inherently trackable, and this raises a number of concerns.

Each journey will be based on the information a user inputs into the car's console. This might be their home address or place of work, which in many instances is likely to be classed as personal data. Journeys to a place of worship, for example, might give an indication of an individual's religious beliefs, and such driving history could then constitute sensitive personal data which is subject to much more stringent rules and restrictions and should only be processed with consent. In an age of the Internet of Things, this information could be combined with a myriad of other data, building a refined picture of our lives.

Further complexities arise when considering who owns the data input into and processed by the vehicle. Is this the individual (as the owner of the car), the vehicle manufacturer, or the software platform provider? If the driverless car is used as part of providing a service - a driverless taxi company or a hire vehicle for example - then that company may also have an interest in the data, and each is likely to have a different agenda in terms of how they intend to use or share that information.

That is not to say, however, that from a privacy perspective, we will be wholly unprepared by the time driverless cars are an everyday sight on our roads.

Under current data protection laws, individuals already have significant levels of protection. A driverless car user will need to be given extensive information on how their data is going to be used, for what purpose and who by. As with any other processing of personal data which is of a more intrusive nature, data controllers (whether manufacturers, software providers or other entities which may be processing personal data gathered from driverless cars, potentially combined with other data) will need to 'privacy impact assess' their collection and use of personal data.

If the use of data is 'fair and lawful' as well as 'necessary' for the purpose of the Data Protection Act 1998, the controller will then need to put in place policies, notices, security and other data protection measures to ensure compliance. In some cases, for example where sensitive personal data is gathered, it may also be necessary to obtain explicit consent to the use of data from individuals.

The key issue to date has not been lack of laws to protect personal data but lack of compliance with them. In many cases the value of personal data can far outstrip the potential risks of non-compliance. Although there have been some notable cases where significant fines have been levied, these fines can be a drop in the ocean to many corporate entities.

The proposed Data Protection Regulation will (if implemented in the form proposed by the European Parliament) give individuals more protection and control over their own personal data than ever before. Uses of personal data will need to be for limited and specified purposes other than in exceptional circumstances. Organisations will need to be more transparent than ever about uses of people's data.

In the case of 'big data' use involving any form of profiling or analytics, in all probability users of the data will only be able to do so with explicit and fully informed consent (see my recent Big Data: The Big Elephant in the Room article). Individuals will have the right to ask organisations to erase their data from systems (a right which arguably has already exists according to the recent Google Spain case). Data processors (i.e. entities processing personal data on behalf of data controllers), will be directly caught by the new data protection laws, and so too will systems providers, who may never actually come into contact with any personal data!

The proposed Data Protection Regulation will require developers of systems that will process personal data, to create them in such a way that will enable data controllers using the systems to be data protection compliant. This means that driverless cars will need to be developed with systems that build in a privacy compliance capability from the ground up. However, the true driving force behind compliance with this legislation will be proposed fines of up to an eye-watering 5% of global annual turnover.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.