A Long Road Ahead: Data Privacy and the Self-Driving Car
America has had a longstanding love affair with the automobile, as a manifestation of innovation and independence. The next chapter is likely the advent of the (fully or partially) autonomous vehicle.
Industry titans Sergey Brin, Elon Musk and Mark Fields, among others, have predicted that rubber will hit the road sans driver in the next few years, and have caused a stir in the cybersecurity community. The chief concerns are: First, the vehicles’ wireless technology may be vulnerable to hackers and software bugs, implicating passenger safety. And second, self-driving cars will collect and store extensive passenger data and be susceptible to data-mining.
Will the rapid acceleration of technology outpace the legal reforms necessary to protect privacy, and keep passengers safe?
Though research and development is in full gear, lawmakers are exercising caution to avoid stifling innovation by regulating an industry where the issues have yet to ripen. To date, only eight states (California, Florida, Louisiana, Michigan, Nevada, North Dakota, Tennessee and Utah) and Washington D.C. have addressed autonomous vehicles. Further, the states that have enacted legislation merely permit autonomous vehicles to be developed in the state and operated or tested on state roadways. They also require the presence of a licensed human (or in the case of Florida, an available remote operator) to take control or stop the vehicle in the event of a technology failure. At this nascent stage, data privacy and security protocols appear to be secondary concerns to safety.
Even California, the digital privacy law stalwart, currently requires only the following:
“The manufacturer of the autonomous technology installed on a vehicle shall provide a written disclosure to the purchaser of an autonomous vehicle that describes what information is collected by the autonomous technology equipped on the vehicle.” Cal. Veh. Code §38750(h).
Government leaders, though, are not willing to let the industry grow entirely unchecked. At a Congressional hearing on autonomous vehicles, held on March 15, 2016 and entitled “Hands Off: The Future of Self-Driving Cars,” senators engaged with a panel of executives from major automotive leaders and industry insiders. (See video coverage available here, where relevant discussion begins at 1:52:15). While quick to detail their commitment to safety, the panelists were hard-pressed to support mandatory federal standards to protect driver data privacy and security at this stage, such as restricting access to driver information or requiring technology to detect and stop hacking in real-time. Instead, panelists noted various challenges and reservations and did not take a firm position in favor of regulation.
On September 20, 2016, the U.S. Department of Transportation (DOT) and the National Highway Traffic Safety Administration (NHTSA) issued their long-anticipated Federal Automated Vehicles Policy.
This guidance emphasizes the DOT and NHTSA’s commitment to individuals’ right to privacy, and urges manufacturers and other entities to take steps to protect consumer privacy, including policies and practices to ensure transparency through clear and meaningful notices; consumers’ choice regarding sharing, retention and deconstruction of data; respect for context; minimal data collection practices; data security protocols; measures to maintain the integrity of data; and accountability to consumers. The guidelines also detail recommendations for data recording, vehicle cybersecurity and system safety.