The issue of data protection in the Internet of Things with particular regard to self-driving cars

 By Maria Cristina Gaeta – Ph.D. candidate in People, Business and Market Law at University of Naples Federico II, member of the Research Centre of European Private Law (ReCEPL) and the Interdepartmental Research Centre New Science, UTOPIA Lab, at Suor Orsola Benincasa University of Naples.

 

Autonomous vehicles are already on the market. As well as driving us, they will store and process large amounts of personal information. Users will be unaware of this, and the risks it generates. This information is personal data, and so is regulated by Reg. 679/2016/EU, commonly known as General Data Protection Regulation (GDPR). But is this European legislation sufficient to offer the necessary protection to users of self-driving cars? In particular, an important question is whether consent to the processing of personal data is really functional to achieve the objectives set out in the GDPR or whether further protection is required.

Summary: 1. An introduction on Internet of things and self-driving cars – 2. Data protection to self-driving cars – 2.1. The exchange of personal data between connected vehicles – 2.2 The possible integration between profiling and pseudonymisation processes – 3. The need for a framework of rules for the protection of personal data exchanged by connected vehicles – 4. Consent and self-driving cars – 4.1. The (ir)relevance of consent to the processing of personal data – 4.2. Data protection by design as a special tool for strengthening ex ante protection

1.  An introduction on Internet of things and self-driving cars

 Nowadays the pervasiveness of the Internet is undeniable. It affects the private and working life of every human being, who is constantly monitored

through the growing number of identification and tracking technologies. At the same time, though, people cannot do without these technologies because they improve the services offered, which are extremely useful (perhaps essential) for most of the daily activities.

Internet development has been greatly enhanced by the extension of this network to the world of objects, a phenomenon known as the Internet of Things (IoT). In particular, it is an evolution of the Internet network, thanks to which the objects interact with each other, through sensors and without human intervention, exchanging data and accessing information stored in databases¹.

This information architecture has been defined as a network which connects physical or virtual objects that become recognizable and acquire intelligence through the ability to communicate data about oneself and on the environment around them².² For this reason, such objects are defined as intelligent objects.

They are tagged with a Radio Frequency Identification tag with a single ID called Electronic Product Code (EPC)³. Currently included in this category are incredibly disparate kinds of objects – traffic lights, cars, thermostats, refrigerators, alarm clocks, watches, surveillance cameras and many others.

There are so many smart things that the concept has moved from “Internet of Things” to “Internet of everything”. In addition, connectivity is growing steadily and it is expected that by 2020, more than twenty million objects will be connected to each other⁴.

In this area, one of the most advanced business is undoubtedly the car industry. Indeed, by the end of the first twenty years of our century, there will be about 250 million vehicles connected online⁵ and the automotive market will grow exponentially, up to quadruple⁶. Moreover, around 2025, there will be such a level of automation that the driver will not have to constantly monitor the vehicle, even if he has to be able to resume control at all times.

To communicate with each other, the new vehicles must be connected online, and as a result of this connection the automotive industry too is included in the Internet of Things network. Autonomous vehicles are often defined as connected vehicles to emphasize their ability to connect to the network .

There are essentially three types of vehicle connections. The first and most common type of communication is between automated vehicles and different categories of devices (e.g. smartphones, smart watches, tablets and personal computers) known as the Vehicle to Device Communications (V2D). Secondly, there is Vehicle to Infrastructure Communications (V2I), a more specific type of communication between vehicles and infrastructures (such as road traffic lights or speed camera).

Finally, the most sophisticated type of communication is Vehicle to Vehicle Communications (V2V), as it presupposes   fully   autonomous   driving,   or   at   least   a   high   level   of automation⁷.

The level of the vehicle communication is directly proportional to the level of automation of the vehicles⁸, even though connectivity is just one of the requisites needed to achieve complete automation of vehicles. Thanks to the development of autonomous and connected driving, mobility is evolving more and more rapidly.

A significant number of possible societal benefits has been identified, including improvement of road traffic conditions, reduction of environmental pollution, development of the sharing economy, increased transport safety and the extension of mobility to people who are usually excluded (e.g. children, elderly and disabled) by transforming mobility into a genuine service (so-called mobility as a service)⁹.

The IoT is undoubtedly the most important innovation in the field of Information Technology (IT). However, in addition to the many advantages, there are a number of issues still to be resolved and the automotive sector is one that most urgently requires regulation¹⁰.

Among the key issues are how to allocate liability in case of road accidents caused by driverless cars malfunctioning, a topic has already been explored in depth elsewhere¹¹.

Instead, in the light of the European reform of the protection of personal data¹², this paper will focus on the issue concerning the protection of personal data processed by autonomous vehicles and the related profiling process of the user, who daily uses such technologies often unaware of the risks.

In the field of data protection, the consent to the processing of personal data in self-driving cars involves several issues, which lead to wonder if consent is still an appropriate regulatory tool for the protection of personal data. Indeed, the consent model just does not work without causing risk to driver or passengers on board, and asking for it is too impractical.

For example, if a driver is driving with 100km/h on the motorway, the last thing he wants is a popup of a consent form – that would be very dangerous. Down the current level of automation (level 3)¹³, the driver has to be able to resume the control of the vehicle in case of emergency. In a case like this having to give consent all the time is a safety problem.

Furthermore, in particular in the V2I and V2V communication, some of the data have to be exchanged in split seconds and the user could not have time to give his or her consent to the processing of personal data.

Making some examples, when a driver drives into an area with congestion charge, the city infrastructure has to determine if he paid the charge and let him in, otherwise on the motorway a self-driving car tells incoming autonomous vehicle the characteristics of the self-driving cars and how the driver is driving, to allow another vehicle to anticipate its behaviour. In these situations, even if the driver could find the time to think about this it would be too late once a decision is made.

Finally, the driver is not the only person whose data is collected. Data is also collected about passengers, and also potentially third parties outside the vehicle, captured while driving by self- driving car communication. It is obvious that the consent model does not work here and that some processing of personal data is necessary.

For this reason, as will be attempted to demonstrate below, we need sector specific laws for robotics, and in particular sector specific regulation for self- driving cars. The differences between robotics applications are too significant to allow for a single “Law of robotics”.

 

Read more [PDF]