The car of the future: a large group of motorists can't wait for our vehicles to be so smart that they make their way door-to-door completely independently, while others are reluctant to use these modern technologies. From a legal standpoint, there also seems to be no consensus on whether we should welcome this form of transportation or not. Although the "smart" car is the future, it seems adrift due to various legal difficulties. What follows in this article is a consideration of the privacy law aspects of the car of the future, more specifically by considering the ownership of, and the obligation to secure, the indispensable (personal) data. Indeed, recently all sorts of information was found in a Tesla wreck, including telephone information.

Broadening horizons
What should one legally do with the increasingly smart car? This is a topic on which I expressed my thoughts a few years back. At that time, however, the focus was still on the extent to which liability may or may not shift from the driver to the product. With the increasing attention to privacy, however, it is necessary to also make the link between privacy issues and the technology belonging to the car of the future. After all, for such cars, data is as important as the engine and wheels are. The collection of all that data has major implications for the privacy of people in the car.
Although in the Netherlands we are not yet driving cars equipped with "autopilot", our cars are a lot smarter than those of, say, 10 years ago. There are cars that park themselves, cars that automatically call the emergency services after a collision, and even something as seemingly simple as a navigation system has become an integral part of the modern car. But how do we prevent all this data from falling into the wrong hands? And who bears responsibility for ensuring adequate security?
Current privacy laws barely address this issue. Indeed, based on the General Data Protection Regulation (GDPR; AVG in Dutch), one may not process personal data unless one has a legitimate purpose and basis, but it would be very naive to think that this will stop any unlawful processing. Moreover, not all data collected will qualify as personal data and thus not all data will fall under the scope of the AVG.
Car owner = data owner?
In order to make further legislation possible, it is necessary to zoom in on the legal basis. The key questions here must be who owns all data generated by the vehicle, who may then dispose of this data and who bears the heavy burden of proper security. Simply pointing the finger at the owner of the vehicle will not provide an immediate solution. The average private car owner does not have the knowledge (and interest?) to properly protect their data.
Of course, a connection could be made with the current system of compulsory (minimum) third-party insurance. Every car owner could then be obliged to purchase a data protection package including periodic updates, although at the moment I cannot get a good idea of what this package should consist of and which organization should offer it. If the provider of this package is that same (third-party) insurer, may they apply the processed information directly to the insurance purchased? There will be proponents of comprehensive driving behavior insurance in which real-time processing of the collected information can be applied, but this system will equally have opponents. After all, with driving behavior insurance, the insurer is looking over your shoulder at any time and can adjust the premium accordingly.
Moreover, what if the owner of a car is an employer? Is it then legitimate to consider that this employer can (continuously) request location data, for the purpose of determining where the vehicle is? After all, this would also allow the employer to track its employee indefinitely, which strikes me as contrary to the AVG. Location data are, after all, sensitive personal data. It is therefore undesirable that an employer (read also: leasing company or car rental company) can have access to this without a proper basis.
Regular driver = data owner?
Is it then perhaps a solution to designate the regular driver as the owner of the data? No, in my opinion this is not an option. After all, the ideal is that in the future we will be sharing cars on a larger scale, as is already happening for example through Greenwheels or Snappcar. Designating one regular driver thus becomes impossible and highly undesirable. Earlier I heard voices calling for vehicle manufacturers to own the data so they can use it directly for product improvement. This I cannot quite follow. After all, the manufacturer has no basis for knowing what locations the vehicle has been in after ownership was transferred. And what to do if this manufacturer fails? Does the car then become inoperable immediately?
In conclusion
Can we conclude that the car of the future is steeringless? I do not think so, because in fact we are already driving this type of vehicle. However, questions of ownership, the ability to dispose of data and the obligation for security need to be answered to allow for appropriate legislation. Legislation that I believe is desperately needed, to ensure everyone's privacy.
