UK report on automated cars spotlights major data-protection questions ahead

Carmakers, software developers and insurers poring over data-retention obligations included in proposals for how the UK should regulate automated vehicles will likely be asking how they square with existing privacy laws — and just how much it will cost to comply.

But the proposals — made jointly this week by the UK's two principal legal review bodies — pose yet more urgent questions about the adequacy of existing laws to handle a new technology that will rely on large-scale data processing, automated decision making, sensors, cameras and other inputs that pose a potential privacy risk for users.

Data retention questions

The Law Commission for England and Wales and the Scottish Law Commission argued in their report that "authorized self-driving entities," or ASDEs, should be required to collect and store for 39 months extensive datasets including 5,000 "stamps" a year — covering primarily the performance of automated driving systems — in case they are needed for insurance claims. All details on how data will be "recorded, stored, accessed and protected" would essentially become part of the authorization process.

Critically, the industry argued in the consultation process that location data were particularly "essential" to resolve any cases involving autonomous vehicles and tackle fraudulent claims.

But location data have been previously left out of relevant international laws, such as the United Nations Economic Commission for Europe's regulation on automated lane-keeping systems, due to privacy concerns that they could be used to infer or disclose sensitive information about individuals.

This stance, however, appears to have evolved, with location data included in both the draft of the ongoing rule-making process at the EU level and in the already adopted German law broadly similar to the UK proposal, though with a much shorter, six-month retention period.

Any extensive data requirements included in law would pose questions of compliance with existing privacy laws. For EU countries, that's the General Data Protection Regulation and the e-Privacy Directive, and in the UK it's the domestic version of the GDPR and the Privacy and Electronic Communications Regulations.

These all emphasize minimal data collection, so they may need to be amended to account for the new technology, with existing exceptions on public security proving potentially tricky to use.

UK lawmakers will likely be wary, as with the broader overhaul of privacy laws, that any significant divergence from EU laws could put at risk the country's "adequacy" assessments for data transfers and create additional costs for businesses operating in multiple markets.

Separate regulatory concerns were also raised about data transfers overseas in the context of the ongoing legal uncertainty surrounding EU-US flows.

In addition, the Scottish Faculty of Advocates has cited not only the GDPR but also the European Convention on Human Rights as a concern, saying that "no matter what supposed benefits a [data retention] period designated in years might be thought to bring, [there were] severe doubts whether any such retention period would be judged to be proportionate."

Practical problems

Other, more practical problems emerge from the UK proposals.

The Society of Motor Manufacturers and Traders was particularly alarmed about the costs associated with retaining data for more than three years. It warned that the requirement would result in authorized entities "incurring huge additional costs solely for its automated driving system to operate in the UK, whereas currently there is no other jurisdiction known to have mandated this disproportionate storage requirement."

Separately, local authorities pointed out that the requirement exceeded their obligations regarding CCTV retention.

But there was no consensus on this point. In contrast, the Association of British Insurers urged that the retention period be even longer to account for those suffering long-term injuries or incidents involving "minors and other protected parties." Some extreme proposals mentioned 21 years or even no limit at all.

Broader concerns

Finally, in its submissions to the law commissions' review, the UK's privacy regulator raised broader concerns that "automated vehicles pose particular challenges in relation to personal data, as often they will process the personal data of several individuals" through their motion sensors and camera.

"If the personal data of these users is processed inappropriately, there is a heightened risk of intrusion into individuals' work and private lives," the Information Commissioner's Office warned, joining several entities calling for further clarifications and robust additional safeguards.

KPMG went even further, saying that "it could be argued that self-driving is as novel a concept as when telephone handsets were introduced, if not more," and "existing data ... laws cannot reasonably be expected to cover AV technology," with any remedy requiring "a shift in data privacy and protection mindset."

Similar concerns about shortcomings in existing laws were also raised in other areas, including product safety and liability. Carmakers and legal professionals alike pointed out that it required an urgent and sweeping overhaul — not just limited to AVs — to deal with all sorts of new technologies and the rise of automated decision-making.

As the general public's awareness of privacy rights and risks grows, particularly after what some saw as intrusive interventions during the coronavirus pandemic, fears of data surveillance in relation to automated vehicles may pile on top of broader insecurities and mistrust about AI decision-making in life-and-death situations.