Existing federal privacy laws may not cover data collected from autonomous vehicles.
Equipped with an arsenal of cameras and sensors, autonomous vehicles record the world around them everywhere they go. They keep records of their own operational data, such as GPS location, speed, steering maneuvers, and braking actions. They watch the occupants of the vehicle, tracking which seats are filled, and sometimes they even record video images of the person in the driver’s seat.
All of this recording creates more than five terabytes of data per hour of autonomous driving time. It also raises concerns about who has access to this data. Federal agencies and privacy advocates agree that it is important for companies developing autonomous vehicles to ensure that sensitive information is secure and to communicate clearly about which private parties have access to this information.
Existing federal legislation, however, is not likely to apply to data stored by autonomous vehicles. One statute that could apply is the 1986 Electronic Communications Privacy Act (ECPA), which describes rules for law enforcement to follow when obtaining contents of wired communications. The ECPA requires a warrant for the interception of communication in transit over the internet, or for unopened messages stored on personal computers. The ECPA only applies, however, to information obtained from “electronic communications services” or “remote computing services.” As defined by the ECPA, those terms would not cover autonomous vehicles.
A separate law called the Federal Communications Act (FCA) faces a similar issue. Title II of the FCA subjects all “common carriers of telecommunications services” to regulation by the Federal Communications Commission and requires common carriers to protect sensitive information for their customers. In 2015, internet service providers were considered common carriers under the Act, so the FCA might have applied to autonomous vehicles that offered wi-fi connections. Under current Federal Communications Commission policy, however, internet service providers do not qualify as common carriers, so Title II of the FCA does not apply.
The Fourth Amendment to the U.S. Constitution also governs privacy protection when it comes to law enforcement’s use of data stored on autonomous vehicles or held by automobile manufacturers. The Fourth Amendment protects civilians against excessive intrusions into their privacy by prohibiting the government from performing unreasonable searches and seizures of personal property. Although no court has yet heard a case involving autonomous vehicle data privacy, the U.S. Supreme Court has defined Fourth Amendment privacy rights for several types of personal data that autonomous vehicles will likely carry.
The U.S. Supreme Court has ruled in a series of cases that law enforcement must obtain a warrant before obtaining Global Positioning System (GPS) or cell tower triangulation information that enables accurate location monitoring. These rulings may indicate that any autonomous vehicle data that would enable law enforcement agencies to determine the accurate location of a person would also require a warrant.
The Supreme Court of Georgia has held that a warrant is required before speed history information logged in a vehicle’s event data recorder (EDR) can be examined by police after a car crash. This ruling may indicate that the kind of information an autonomous vehicle records as it plans its movements would also require a warrant before it could be examined by law enforcement officials.
The most significant new type of data generated by an autonomous vehicle is the record of the environment that the vehicle “sees” using its 360-degree visible light camera footage, forward-facing LiDAR, and infrared sensors. This situation is analogous to dash cams and CCTV security cameras attached to homes and businesses.
Although warrants or subpoenas are required to force private citizens to turn over camera recordings to law enforcement, many private security companies willingly share information with law enforcement. Plus, private companies that manage surveillance cameras have established partnerships with police departments to help them find cameras and facilitate waiver of Fourth Amendment rights from consumers who own the cameras. Given this trend, it seems likely that a company that operates a fleet of autonomous vehicles would also partner with law enforcement.
Strict privacy laws in states where many autonomous vehicle development companies are located may help to raise the standard for the whole industry. For instance, more than 50 companies are developing and testing autonomous vehicles in California, which has a state privacy law. The California Consumer Privacy Act (CCPA) requires companies to notify consumers about sensitive personal information collection and use, data monetization, and sale to third parties.
The CCPA also requires companies to allow consumers to delete and opt out of the sale of sensitive personal information. GPS data and personal identification information that is recorded by an autonomous vehicle is protected under the CCPA, but data logged by a vehicle that are not sensitive and personal may still not be covered by the act.
Although the Fourth Amendment and California law may provide a patchwork of protection for some types of autonomous vehicle data, there are no federal laws or regulations to impose basic protections of general data security and privacy. Because autonomous vehicles are products sold to consumers, the Federal Trade Commission could bring enforcement actions against automakers for deceptive practices, but this strategy would require waiting for deceptive practices to occur.
The National Highway Traffic Safety Administration includes data security and privacy as part of its goals for eventual autonomous vehicle regulation, but the agency has not yet proposed a rule materializing that goal. Such regulation could require autonomous vehicle manufacturers to incorporate industry guidance standards for privacy and data security, anonymize stored or aggregated data, or incorporate notice and consent for the use or sale of data.
State legislatures could pass laws that clarify ownership of autonomous vehicle data similar to proposed federal legislation known as the Driver Privacy Act. If Congress passed the Driver Privacy Act, information collected by EDRs would belong to the owner or renter of a vehicle. If state and federal governments were to clarify privacy requirements for autonomous vehicles, consumers would be better protected, and autonomous vehicle developers would face less regulatory uncertainty as they create new products.