The world of autonomous and connected vehicles is still very much evolving, but it is vital to understand the regulatory framework as it now stands in order to anticipate the most likely outcomes of this revolution.

US NHTSA GUIDANCE

In September 2017, the National Highway Traffic Safety Administration (NHTSA) issued A Vision for Safety 2.0, which updated its voluntary guidance for automated and self-driving vehicles from September 2016. The Vision for Safety 2.0 offers suggestions on 12 priority safety elements to support the industry in developing best practices in the design, development, testing, and deployment of automated vehicles: System safety; Operational design domain; Object and event detection and response; Fallback (minimal risk condition); Validation methods; Human machine interface; Vehicle cybersecurity; Crashworthiness; Post-crash automated driving system behavior; Data recording; Consumer education and training; and Federal, state, and local laws.

US SELF DRIVE AND AV START ACTS

The House of Representatives passed the Self Drive Act in September 2017, and the Senate passed the AV (Autonomous Vehicles) Start Act in October 2017.

The Self Drive Act prohibits a manufacturer from selling an automated vehicle unless the seller has developed a privacy plan and a cybersecurity plan that includes written policies and procedures to identify, mitigate, and prevent privacy and cybersecurity vulnerabilities.

The AV Start Act requires manufacturers to have a detailed plan for identifying and reducing cybersecurity risks that includes a process for identifying safety-critical control systems, response to and recovery from cyber incidents, information sharing and support of industry standard setting, employee training, and use of segmentation and isolation techniques in the design of vehicles and systems.

OTHER SIGNIFICANT US FEDERAL REGULATION

Acting Federal Trade Commission (FTC) Chairman Maureen Ohlhausen said during the FTC Connected Cars Workshop on 28 June 2017 that she expects the FTC's enforcement role in protecting privacy and security to extend to autonomous vehicles and, unsurprisingly, that the FTC would take action against manufacturers and service providers if their activities violate Section 5 of the FTC Act. Until specific federal legislation or state laws are enacted with respect to autonomous vehicles, the FTC's broad mandate under Section 5 may be one of the main sources of enforcement.

US STATE REGULATION

Over half the states have passed legislation or issued executive orders that allow for, or regulate, autonomous vehicles. These state regulations generally aim to encourage the use, or testing, of autonomous vehicles in the state, but do not regulate privacy or cybersecurity issues directly.

Nevertheless, most states have existing general laws that require reasonable security, data storage, and data retention with respect to certain types of data, including personal data of the sort that will be generated in huge volumes by autonomous vehicles. For instance, California has an illustrative law requiring businesses to implement reasonable security procedures to protect personal information from unauthorised access, use, modification or disclosure.

EUROPEAN UNION

The EU General Data Protection Regulation (GDPR), effective 25 May 2018 (see p. 3), will regulate the processing of any personal data from autonomous vehicles. The GDPR recognises a range of rights for EU data subjects and places a range of obligations on "controllers" and "processors" of personal data.

The GDPR's implications are likely to be significant for manufacturers, suppliers, and any other party that takes part in the autonomous vehicle supply chain.

For example, it will require considerable effort to collect only data that is essential to autonomous driving while balancing and respecting the privacy rights of the data subjects. This might mean that the collectors of images of individuals taken by the systems of autonomous vehicles may need to anonymise such images to prevent identification of individuals.

It may also mean that autonomous vehicle companies will need to incorporate "privacy by design" principles so data subjects or other third parties may access and modify data in accordance with the GDPR. The Article 29 Working Party issued an Opinion on personal data processing in the context of Cooperative Intelligent Transport Systems, which might be helpful for businesses to understand how data protection authorities will interpret data protection principles in the context of autonomous vehicles.

Also, the EU Agency for Network and Information Security (ENISA) released guidance that lists sensitivities present in smart cars, as well as corresponding threats, risk, and mitigation factors. The ENISA guidance notes that the protection of smart cars depends on the protection of related systems, such as cloud services, applications, car components, maintenance tools, and diagnostic tools.

GERMANY

In May 2017, the German Parliament approved legislation allowing autonomous vehicles to be road-tested as long as a driver sits behind the wheel. The legislation requires the use of a vehicle black box to record each drive and log whether the human or the vehicle is in control of the ride and for which parts.

Tracking The Emerging Global Regulation Of Cybersecurity And Privacy In Autonomous Vehicles
