OEM’s, component suppliers and many third parties are looking to use data to offer a wide range of personalised services to the users of connected and driverless vehicles. Vast amounts of predictive data analytics and artificial intelligence enable these vehicles to communicate with other vehicles and the environment through which they are travelling.
Companies investing time and money to create systems that collect and process data cannot, however, do as they like with the data. Whilst the company may “own” the data it has collected in the strict sense, it cannot process data which is “personal data” without ensuring that such processing complies with the requirements of data protection legislation.
The legal requirements around the processing of personal data when designing vehicles and the services offered to users of driverless vehicles need to be considered. Regulators also need to take a sensible approach to interpreting and enforcing those laws if they are not to stifle the development and roll out of driverless vehicles.
Personal data can only be processed if at least one of a defined list of permitted “conditions for processing” has been satisfied (and further conditions must be satisfied if the personal data is “sensitive”). The key condition is that the processing is necessary in relation to a contract which the individual has entered into or to enable the individual to enter into a contract.
It is also important to note that data protection law is changing across the European Union (including in the UK) with the adaptation to the so called “General Data Protection Regulation” (“GDPR”). This will come into force before the UK leaves the EU and is set to introduce a much tougher regulatory environment in relation to the protection of personal data including new requirements in relation to processing, ensuring privacy by design and making the whole process of obtaining consent much tougher.
All of this means that OEM’s and dealers will need to pay careful attention to data protection laws as driverless vehicles are developed and made available to the public.
The Queen has officially opened the National Cyber Security Centre, a government nerve centre that aims to protect the economy, state institutions and critical infrastructure from the growing threat of cyber attacks. Private businesses are also vulnerable. With so much of the City’s business conducted through digital networks, the threat from malicious actors is real. And yet, while any government help to protect the business community is welcome, the onus of protecting personal data, and providing greater transparency over how it is used, does not fall on the state’s shoulders. The EU’s General Data Protection Regulation (GDPR) will be enacted in less than 16 months. Survey after survey demonstrates that those who have even heard of GDPR are in the minority, with alarmingly few firms having made plans for the imminent restructure it demands.