Cybersecurity and Data Privacy: The legislative challenges for Automated Driving
Automated Driving (AD) is expected to revolutionize transportation systems, leading to new mobility scenarios which will benefit the environment, the job market and road safety. But how should legislation be adapted to this new form of transportation, and how can sensitive data be protected?
AD technologies are expected to lead to significant improvements in road safety and mobility for young, elderly, and disabled people, as well as to create new jobs within the automotive, technology, telecommunication and freight transport industries. Although the net environmental impact is difficult to predict, a reduction in fuel consumption is expected to lead to environmental benefits as long as demand for individual transportation is mitigated by improvements in automated public transportation and infrastructure.
Yet, more importantly, AD is also a societal need from the road safety perspective. The statistics of 2015 show stagnation in the reduction of road fatalities. In Europe, 26,000 persons lost their lives as a consequence of accidents, which is equivalent to 51.5 road deaths per 1 million inhabitants. Furthermore, it is estimated that 135,000 people were injured on EU roads.
A national strategy for automated and connected driving
In September 2015, the German Federal Ministry of Transport and Digital Environment published its Strategy for Automated and Connected Driving, setting out national strategy objectives and specific action areas and measures. These include legislative amendments to the Vienna Convention and relevant UN and national regulations in terms of
- driver liability and training
- full broadband coverage of infrastructure by 2018
- provision of open-source traffic and infrastructure data through a data cloud
- a greater use of anonymisation and pseudonymisation in data collection and processing, while providing comprehensive information to drivers about what data is collected and by whom.
Audi, BMW, and Daimler have recently acquired Here, the digital mapping and location-service division of Nokia, and BMW has partnered with the Chinese search engine Baidu. The Technical University of Brunswick and the University of Ulm have both been active in developing and testing AD vehicles.
Cybersecurity and Data Privacy
One important ethical consideration and possible issue with regard to AD is cybersecurity and data privacy. Data collected by AD-equipped vehicles is primarily technical in nature, while some of the data collected does relate to the driver's identity. The collected information includes data related to the vehicle itself and its surroundings, such as safety and security, vehicle functionality status, driving, vehicle location, and surroundings, as well as data introduced by the driver, such as infotainment settings, convenience settings, navigation destinations, and an address book. As such, data protection will be implemented proportionally based upon the proximity of the data to the driver's personal identity, with higher protections afforded to information that permits the identification of a natural person.
The connection between the AD vehicle's internal system and the manufacturer's central server must be secure in order to protect data transfers from manipulation and unauthorized disclosure. To secure vehicles from third-party data access and hacking, the European Automobile Manufacturers Association (ACEA) has agreed on five principles of data protection:
- customer choice
- emphasis on data protection in all stages of product development
- maintenance of data security and
- proportionate processing of personal data
Related to that, at EU level, the General Data Protection Regulation (GDPR) has recently been approved by the co-legislators. The legislative process for regulations like the GDPR takes time to flow through the EU procedures. First of all, the European Commission drafted a proposal. Then, the European Parliament discussed and adopted the proposal in a first reading position on March 12, 2014. Afterwards, the Council debated the draft and reached a general approach on June 15, 2015.
Some days later, the trilogue negotiations began between the Parliament, Council and Commission. In this case, an informal agreement on the GDPR was reached in December 2015. The Parliament adopted an early second reading position on April 14. Thus, the regulation was adopted and was published in the Official Journal on May 25, 2016. This new framework should modernise data protection rules and adapt them to our digital society. Hopefully these new rules will also help to counter the privacy issues raised by AD.
However, the GDPR is only one of the regulatory challenges related to AD that the EU institutions will have to face. The emergence of new technologies will require new legislation to ensure that EU citizens are best served. It is certain that the European Parliament will have to work on further legislative requirements, such as liability issues, that are necessary to fully implement AD.