
How to design a privacy-compliant autonomous vehicle

Autonomous cars are on the horizon. Fortune magazine has estimated that initial versions of these cars should be on the road by 2020. By 2040, an estimated 95 per cent of new vehicles sold will be fully autonomous. That’s encouraging news for safety advocates, as research undertaken by the National Highway Traffic Safety Administration in the United States has shown that 94 per cent of fatal car crashes can be attributed to human error.

However, as autonomous car technology advances, privacy concerns relating to these vehicles are also growing, given that these cars will be capable of recording a tremendous amount of data about (and from) their users and the environment around them. For example, autonomous vehicle sensors will likely include: a wheel encoder sensor for monitoring the movements of the car; GPS for navigation; cameras near the rear-view mirror for colour and other visual identification; radar on the front and rear bumpers for identifying traffic; lane departure, rear collision and pedestrian alerts; and a spinning light detection and ranging (lidar) sensor on the roof that will be used for generating a 3D map of the environment. Event data recorders will capture driver behaviour information, such as the speed of the vehicle, braking patterns and collision information, while the cars themselves can (and will) record where a driver is going, possibly who is in the car and even what the individuals in the car are saying. It will be tempting for suppliers to monetize this data in some capacity by selling it to third parties, and they will also face pressure to disclose it to law enforcement agencies.

If an autonomous vehicle manufacturer wished to develop a privacy-compliant car, what considerations would have to be addressed and what should “best practices” be? In late September, the 39th International Conference of Data Protection and Privacy Commissioners, which is composed of 119 privacy and data protection authorities from across the globe, sought to give some guidance on this very point when it adopted the Resolution on Data Protection in Automated and Connected Vehicles. The resolution describes 16 critical data privacy and security principles that are intended to guide standardization bodies, public authorities, vehicle and equipment manufacturers, personal transportation services and car rental providers, and providers of data-driven services (e.g., speech recognition, navigation, remote maintenance or motor insurance telematics services) in the development of connected-car technologies, so that individual user data is protected at all stages of the development process. In providing this privacy “road map” (pun intended), the ICDPPC called for the parties above (I’ll call them providers for ease of review) to hard-wire these principles into their autonomous vehicle designs and production.

In my view, nothing contained in the ICDPPC guidelines is particularly surprising for anyone with even a passing interest in privacy. Individuals should receive “comprehensive information” as to what data is collected and processed in the deployment of connected vehicles, for what purposes and by whom. Providers should use anonymization measures to minimize the amount of personal data collected. Providers should not retain personal information for any longer than necessary in relation to the legitimate purpose for which it was collected and processed in the first place (unless the data is required for further compatible purposes, or retention is permitted by law or with consent), after which the personal information should be deleted. Personal data should be erasable when a vehicle is sold or returned to its owner. All autonomous vehicles should contain “granular and easy to use” privacy controls that enable vehicle users, where appropriate, to grant or withhold access to different categories of data in the vehicle and to restrict the collection of data. Any personal data collected should be kept in secure data storage devices that put the vehicle users in full control of access to the data collected by their cars.

The ICDPPC also reiterated its concerns regarding the unauthorized collection of personal data. For example, autonomous cars should contain secure online-communication capability that protects against cyberattacks and prevents unauthorized access to and interception of personal data. Providers must develop and implement technologies for “co-operative intelligent transportation systems” in ways that: 1. prevent unauthorized access to and interception of personal data exchanged between vehicles (v2v), with transportation infrastructure (v2i) or with other third-party entities (v2x); 2. enable vehicle users to inhibit or control the sharing of positional and kinematic data while still receiving road hazard warnings; 3. provide safeguards against unlawful tracking and tracing of drivers; 4. ensure that the security measures for v2v, v2i and v2x communication, including authentication processes, do not pose additional risks to privacy and personal data; and 5. limit illegitimate vehicle tracking and driver identification.
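The principles in the two preceding paragraphs (opt-in access per data category, retention limits, erasure on resale, sharing position only as far as hazard warnings require, and resistance to tracking across v2x messages) map onto concrete controls a vehicle's data layer can enforce. The Python below is an added illustration written for this page; it is not code from the ICDPPC resolution or from any manufacturer. The data categories, retention periods, grid size, pseudonym epoch and the VehicleDataStore class are all assumptions chosen for the example.

```python
"""Privacy-by-design controls for vehicle telemetry (added example, not from
the ICDPPC resolution or any vendor): per-category consent with a deny-by-
default setting, per-category retention, erasure and key rotation on
ownership transfer, and a v2x beacon that shares only a coarsened position
under a short-lived pseudonym."""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical data categories and retention periods chosen for the example.
CATEGORIES = ("position", "kinematics", "cabin_audio", "event_recorder")
RETENTION = {
    "position": timedelta(days=7),
    "kinematics": timedelta(days=7),
    "cabin_audio": timedelta(hours=24),
    "event_recorder": timedelta(days=30),
}
GRID_DEG = 0.01                     # grid cell of roughly 1 km at mid latitudes
PSEUDONYM_EPOCH = timedelta(minutes=5)
T0 = datetime(2017, 11, 8, 12, 0, tzinfo=timezone.utc)   # constructed sample time


def default_consent() -> dict:
    """Privacy-friendly default: every category is opt-in."""
    return {c: False for c in CATEGORIES}


def coarsen_position(lat: float, lon: float) -> tuple:
    """Snap a GPS fix to a grid cell index: enough to match area hazard
    warnings, not enough to trace a vehicle's path inside the cell."""
    return (math.floor(lat / GRID_DEG), math.floor(lon / GRID_DEG))


@dataclass
class VehicleDataStore:
    owner_id: str
    consent: dict = field(default_factory=default_consent)
    records: list = field(default_factory=list)
    # Secret used to derive short-lived v2x pseudonyms; rotated on resale.
    pseudonym_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def ingest(self, category: str, payload, now: datetime) -> bool:
        """Store a record only if the user has granted that category."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        if not self.consent.get(category, False):
            return False
        self.records.append({"cat": category, "payload": payload, "ts": now})
        return True

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than their category's retention period;
        returns the number deleted."""
        keep = [r for r in self.records if now - r["ts"] <= RETENTION[r["cat"]]]
        dropped = len(self.records) - len(keep)
        self.records = keep
        return dropped

    def transfer_ownership(self, new_owner: str) -> None:
        """Erase personal data, reset consent to the default and rotate the
        pseudonym key so beacons sent before the sale cannot be linked to the
        new owner."""
        self.records.clear()
        self.consent = default_consent()
        self.pseudonym_key = secrets.token_bytes(32)
        self.owner_id = new_owner

    def v2x_pseudonym(self, now: datetime) -> str:
        """Identifier that is stable within one epoch and unlinkable across
        epochs without the secret key (HMAC-SHA256 over the epoch index)."""
        epoch = int(now.timestamp() // PSEUDONYM_EPOCH.total_seconds())
        mac = hmac.new(self.pseudonym_key, str(epoch).encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def build_v2x_beacon(self, lat: float, lon: float, speed_kmh: float,
                         now: datetime):
        """Outbound cooperative-ITS message. Returns None when the user has
        withheld positional or kinematic sharing; receiving hazard warnings
        does not depend on sending, so the vehicle still gets them."""
        if not (self.consent["position"] and self.consent["kinematics"]):
            return None
        return {
            "pseudonym": self.v2x_pseudonym(now),
            "cell": coarsen_position(lat, lon),
            "speed_bucket": int(speed_kmh // 10) * 10,   # 10 km/h buckets
        }


if __name__ == "__main__":
    car = VehicleDataStore("owner-A")
    print("stored without consent:", car.ingest("position", (43.46, -80.52), T0))
    car.consent["position"] = car.consent["kinematics"] = True
    print("stored with consent:", car.ingest("position", (43.46, -80.52), T0))
    print("beacon:", car.build_v2x_beacon(43.4643, -80.5204, 57, T0))
    print("purged after 14 days:", car.purge_expired(T0 + RETENTION["position"] * 2))
    car.transfer_ownership("owner-B")
    print("records after resale:", car.records, "consent:", car.consent)
```

The two design points worth noting: the beacon carries a grid cell and a speed bucket rather than the raw fix, so a roadside receiver can still correlate it with a hazard in that area, and the pseudonym is derived from a per-vehicle secret that changes on resale, so neither the previous owner's beacons nor the stored records can be tied to the new owner.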

Providers should also respect the principles of privacy by default and privacy by design, implementing technical and organizational measures and procedures to ensure that individuals’ privacy is respected. Any self-learning algorithms needed for automated and connected cars should be transparent in their functionality and should have been vetted by an independent body in order to reduce the risk of discriminatory automated decisions. Vehicle users should also be provided with privacy-friendly driving modes in the default settings. Before implementation, providers must also conduct data protection impact assessments for new, innovative or risky development or deployment of these technologies. Providers also have a general obligation to “promote the respect” of the personal data privacy of vehicle users through responsible processing of their personal data, giving due consideration to the potential harm that processing may cause to vehicle users. Lastly, providers are encouraged to enter into a “dialogue” with the various data protection and privacy commissioners to develop compliance tools that accompany, and provide legal certainty for, autonomous vehicles’ data processing.

While the ICDPPC resolution is non-binding, it nonetheless provides useful data privacy and security guidance for connected-car providers and is a good reminder of the importance of building privacy into autonomous cars from the ground up. At this critical juncture, the reminder is timely, as evidenced by the latest failure of the NHTSA to meaningfully address privacy in its recently issued “Automated Driving Systems 2.0: A Vision for Safety” voluntary guidelines for the automotive industry. Intended to promote improvements in safety, mobility and efficiency through ADS, this 26-page document lists suggestions and helpful advice on ADS system safety, operational design domain, object and event detection and response, validation methods, human-machine interface, vehicle cybersecurity, crashworthiness and post-crash ADS behaviour, but it relegates privacy to a footnote. (The note said: “NHTSA acknowledges that Privacy and Ethical Considerations are also important elements for entities to deliberate. See for NHTSA’s approach on each.”) Regrettably, while the U.S. Federal Trade Commission is a member of the ICDPPC, it abstained from endorsing the resolution, so U.S. federal government leadership on this issue may be somewhat lagging.

Meanwhile, in Ontario, the provincial government announced on Nov. 8 that it was launching and heavily investing ($80 million over five years) in the Autonomous Vehicle Innovation Network (AVIN), including a demonstration zone located in Stratford that will allow researchers to hone their technology and test driverless cars in a wide range of realistic traffic and weather conditions. In addition to the demonstration zone, AVIN will include a research and development partnership fund to foster collaboration among automakers, technology leaders and Ontario-based small and medium-sized enterprises to develop and commercialize connected and autonomous vehicle (C/AV) technologies; collaborations may also involve post-secondary institutions and municipalities. AVIN will also include a talent development program to support internships and fellowships for students and recent graduates with Ontario companies advancing C/AV technologies, as well as a Central Hub, a new online destination and specialized team that will act as a focal point to conduct research, share information and build connections among industry, research institutions and other interested C/AV stakeholders. Let’s hope that, as a condition of the government’s funding, privacy considerations relating to the development of C/AV technologies merit more attention than a footnote.