Modern vehicles, generally termed as Connected and Autonomous Vehicles (“CAV”), are more analogous to a computer on wheels as they are becoming more connected to a variety of technologies and increasing their ability to recognize and adapt to an individual driver. This ability to recognize and adapt involves the collection of huge data that can either be collected from the driver/passenger present in the vehicle or from the sensors (e.g. camera, accelerometer, satellite navigation system, etc.) connected with these vehicles. Such collection of data can assist in manifolds when shared with third parties like the traffic infrastructure to ensure road and traffic safety and can even become a part of the Cooperative Intelligent Transport Systems allowing road users and traffic managers to share information and coordinate their actions but such collection of data has rendered the data ecosystem of these CAVs as more personal and has triggered the application of the data privacy laws.
Since these smart CAVs can have access to personal information such as data from connected devices like the phone, the viewer preferences for the infotainment system, and even the photos of the passers-by from the exterior sensors, principles of processing personal data as mentioned under Article 5 of the General Data Protection Regulation (“GDPR”) should be applied eminently. But these principles fail to provide fitting solutions when dealing with such automated and connected technologies, mainly due to the involvement of numerous data subjects (e.g. driver, passengers, the passers-by, the owner of the vehicle, etc.) and stakeholders (e.g. insurance, vehicle manufacturer, software developer, etc.) in an CAVs.
One of the main issues that should be addressed is the lack of transparency. This is because, due to the presence of various stakeholders, the CAVs involves the processing of personal data for numerous purposes. It should be disclosed in a concise and easily accessible manner which personal information is being processed, for what purpose, and by whom. Providing such disclosure might be a challenging task and hence, proper identification of the data controller, the data processor, and the recipient should be made for each purpose the data is processed for.
Secondly, the principle of data minimization (collecting only necessary amounts of data) and purpose limitation (data processed only for a specified and legitimate purpose) is not observed. These CAVs involves a machine learning mechanism that always collects excessive data and creates big data sets that helps in predicting human behavior and interaction, hence disregarding the principle of data minimization. The purpose limitation also fails to create a barrier for big data sets re-purposing, which is usually the case when it comes to big data processing.
Further, when data is shared with third parties, who generally retain such data shared with them, it creates an indefinite data storage which increases the chance of unauthorized data disclosure and re-use. Therefore, a proper data retention policy is needed such that unnecessary re-use and disclosure is reduced. There is also a lack of control by the data subjects on their personal data. The principle of consent is important with regards to control. Therefore, proper controls enabling update and deletion of personal information should be implemented. Further, when consent forms the legal basis on which personal information is collected then originally the personal data processing services should be inactive, hence giving the authority to activate these services when intended by the data subject.
Although there are many data privacy issues, the regulators should ensure GDPR compliance complements the adoption of CAVs. On this note, it should be highlighted that under the principle of purpose limitation, GDPR allows further processing of personal data but such processing should be compatible with the purposes specified. Generally, the purpose of collecting big data is finding patterns and improving predictability which will not be compatible with a ‘specified purpose’ but collecting big data for the purpose of improving road safety is a specified purpose and should be entertained for the development of CAVs. Similarly, data minimization can never be pre-determined and blind application of this principle can harm development in the sector of artificial intelligence. Therefore, a proper plan for reducing data redundancy should be made. Further, protection from security risks and data breaches should also be kept in mind, and accordingly, updated software systems should be used to secure against vulnerabilities. Hence, to benefit and utilize CAVs to its fullest extent supportive data protection policies and strengthening cybersecurity is the way forward.
The article is authored by Rishika Raghuwanshi, Co-Head, BlockSuits
Comments