By Mark Schaub and Atticus Zhao King & Wood Mallesons’ Corporate group
Everyone is talking about data and how it is like oil. The above quote has been repeated by the Economist, newspapers, titans of industry and world leaders.
However, data really is not like oil.
Oil is ultimately a finite and diminishing resource. Its value is linked to scarcity. Oil has one basic use. Data has none of these attributes. Data and its uses expand exponentially. Indeed it is forecast that in the next two years, 40 zettabytes of data will be created – this is data equivalent to 4 million years of HD video.  Most crucially consumers of oil do not generally take matters personally. Data on the other hand, inflames consumers’ passion-how do I maintain privacy? Who has access to my data? How will the data be used?
Big data is a focus area for many industries and the auto industry is no exception. However, with the advent of self-driving cars the auto industry will not only be a consumer of data but also a major generator of data. A single self-driving car could generate as much as 100GB of data every second. 
Given that China has 217 million cars and the number increases by nearly 11% each year  this means the potential amount of data produced yearly would be far greater than the data held by Google.
Self-driving cars may not need oil to function (as most will be electric) but they will need data to be on the roads. Self-driving cars will rely on a massive amount of data to flow via various sensors integrated into the vehicles. The vehicle will need to know its precise location, its destination and also be able to keep track of everything while it is on the road. Self-driving cars will also need to learn about their environment and the consumers who use them. The “smarter” self-driving cars can become, the greater the convenience for the users. However, the cars will need increasing amounts of personal data to become smarter and also to incorporate data results into the services.
Unlike oil the data generated by self-driving cars will not be a simple commodity that will be used for one purpose and consumed. The data generated will have great value to carmakers, mobile operators, insurance companies, restaurants, hotels and any other innumerable numbers of service or product providers that hope to interact with a self-driving car or its user. Google has built a $400 billion business on its knowledge of over one billion users’ internet habits using their search engine for 1.2 trillion searches per year.  Imagine how valuable similar insights that are generated by observing billions of consumers’ behavior in cars for extending periods of time every day. The potential for monetization will be almost limitless.
Data – great for companies, great for convenience, great for consumer experiences – but not so great for privacy. Privacy concerns on the part of consumer have greatly increased in recent years with the growth of social media, internet and data hacks. Self-driving cars will amplify concerns and consumers and regulators realize how much data and personal information these vehicles will generate, use and record about users and the surrounding environment. Self-driving cars will be a veritable fleet of data factories. Such mobile surveillance will mean that privacy will be compromised … everywhere.
As millions of self-driving cars are expected to be on the road within the next few years the issue of balancing the modern concern of privacy and the pressure to not hinder the next great industrial revolution will be increasingly pressing. A balanced regulatory scheme will need to be established to protect privacy on the one hand while still allowing the technology to develop unheeded by excessive government intervention.
This article will consider:
- why massive amounts of data will be generated by self-driving cars;
- legal challenges that privacy poses for self-driving cars;
- current practice in leading jurisdictions; and
- legal implications on privacy under Chinese legal regime.
Massive data collection by self-driving cars
Self-driving cars contain various sensors that collect data about the vehicle’s operation and its surroundings. The sensors normally include cameras, radar, thermal imaging devices, and LIDAR. These sensors collect data about the environment outside the vehicle. This data enables self-driving cars to determine objects they encounter, make predictions about the environment, and take action based on such information and predictions.
In addition to collecting information about the surrounding environment, self-driving cars will also likely collect other types of information within the vehicle relating to users in order to allow for more personalized service and improved road safety.
The creation and dissemination of data will not be limited to the confines of the car itself. Self-driving cars will interact and exchange data with other vehicles in real time. Communication between self-driving cars is often referred to as vehicle to vehicle (“V2V”) communication. V2V is defined as being a crash avoidance technology, which relies on communication of information between nearby vehicles.
In addition, built-in entertainment systems in self-driving cars will not only be used to stream music, content and allow for communication but will also enable users to store personal settings and preferences.
Self-driving cars will also collect and use location data for navigational purposes– e.g. destination information, route information, speed, and time travelled. Location features are also used in existing traditional vehicles to remember locations; provide additional information relevant to the trip, such as real-time traffic data and points-of-interest along the planned route; and set routing preferences, such as avoiding highways or toll roads.
Privacy Legal Issues
1. From Little Data to Big Data.
To date the volume of personal data processed by cars was minimal. However, the development and use of self-driving cars will lead to the collection of a wide range of personal data which will include driver details, location, direction of travel, journey history, and average speed and mileage.
The data that self-driving cars are potentially able to collect and the potential uses that such data can be employed in are of growing concern from a privacy perspective.
One of the most important data points is travel patterns. Self-driving cars will provide both historical and real-time continuous geo-location data. Third parties will be able to utilize this data to determine not only the user’s current location and destination but also every place he/she has visited. Advertisers will be able to identify purchasing patterns of individuals by tracking stores they frequently visit. Insurance companies will be able to determine the individual’s lifestyle by following their daily activities (e.g., frequent visits to the gym -good) or dining habits (e.g. regular trips to fast food restaurants -bad).
Personal location information sourced from self-driving cars will be a powerful tool to predict where they will be in the future. Destination decisions of users of self-driving cars, as well as the time, place, and circumstances of when such travel decisions are made will likely reflect the personality, behavior, and personal preferences of such user. 
This constant monitoring of driverless cars will lead to concerns that users’ personal information may be used by targeted marketing and advertising (which they may find annoying) or may even leave them susceptible to harm. As sensors of self-driving cars will continuously scan the surrounding environment and capture images by vehicles, this will lead to future invasion of people’s privacy.
2. Why does it matter?
Users of self-driving cars likely have concerns about their personal information being collected and/or used without knowing how this will happen or to what end or whether there may be consequences for the users themselves.
Self-driving cars by their very nature automatically collect data showing how, where and when a person moves from place to place. Users will have concerns such as what use will be made of such personal data? Why is it being collected? How will it be used? How long will the data be kept? Who will have access? Some commentators believe consumers’ concerns on privacy may have a major impact on the rate of adoption of self-driving cars.
However, it is not only consumers that are likely to have concerns.
Car manufacturers, fleet operators and other vendors (i.e. telecom, mapping etc.) will face practical difficulties in obtaining consent when a car is not only used by its owner but also by third parties. This issue will compound if, as is likely, most self-driving cars will be fleet operated rather than individually owned by consumers.
Car manufacturers and fleet operators should also be alert to the risks posed by third-party suppliers who process data on their behalf. If a car manufacturer or fleet operator collaborates with a tech company for connected services and such partner breaches data protection regulation then this may also lead to liability or reputational damage if data is lost or misused.
Practice in leading jurisdictions
Privacy of citizens has not been historically a high priority for most governments. Accordingly, in most jurisdictions data protection regulations have not been developed to deal with specific implications arising from self-driving cars.
The US and EU have published regulatory and industry initiatives to address privacy concerns arising from self-driving cars.
Existing US federal privacy legislation does not, to a large extent apply to self-driving cars. Further state laws in the main do not provide much protection. 
On 21 March 2017, two Democratic senators introduced new legislation, known as the Security and Privacy in Your Car Study Act of 2017 (“SPY Bill”). The SPY Bill aim is to eliminate cyber-attacks on vehicles and also address privacy concerns.
The SPY Bill provides a concept of “driving data” which includes any electronic information collected about a vehicle’s status, including its location, speed, information about users.
The key requirements under the SPY Bill include the following:
- Transparency – Each vehicle shall provide clear and conspicuous notice, in clear and plain language as to the collection, transmission, retention, and use of driving data collected.
- Consumer Control – Users of vehicles should be given the option whether or not to terminate the collection and also whether driving data should be retained. Even if a user decides to stop the collection and retention of driving data then this should not impact the user’s access to navigation tolls or other features insofar this is technically possible. The only exception is in respect of driving data stored as part of the electronic data recorder or other safety systems onboard the vehicle are required for post-incident investigations, emissions history checks, crash avoidance or mitigation, or other regulatory compliance programs.
- Limitation on Use of Personal Driving Information – A manufacturer/operator (including an OEM) are prohibited from using information collected by a vehicle for advertising or marketing purposes unless expressly consented to by the user. The consent needs to be clear, conspicuous, in plain language, and cannot be a condition for the use of any non-marketing feature, capability, or functionality of the vehicle.
Although not the final word on privacy, the SPY Bill balances the rights of consumers to stop collection or retention of their driving data on the one hand while still allowing data to be collected for legitimate reasons such as safety or providing incident evidence.
In September 2017, the US House of Representative passed HR 3388, the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution, or SELF DRIVE*, Act (“SELF DRIVE Act”)  which requires developers of self-driving cars to develop a privacy plan on data. The SELF DRIVE Act prohibits a manufacturer from selling self-driving cars unless a privacy plan is in place. The privacy plan needs to include:
- Written privacy plan for collection, use, sharing, and storage of information about vehicle owners and occupants collected by a self-driving car. Policy will need to address (i) the way information is collected, used, shared, or stored; (ii) choices offered to vehicle owners or occupants regarding collection, use, sharing, and storage of such information; (iii) data minimization, de-identification, and retention of information about vehicle owners or occupants; and (iv) how privacy requirements are extended to entities that share the data; and
It is important to note the manufacturer does not need to take these data protection steps if information about vehicle owners or occupants is
- anonymized or encrypted; or
- amended or combined so the information in a manner that it can no longer be linked to relevant individuals.
In contrast with the SPY Bill, the SELF DRIVE Act gives greater leeway for automakers to formulate their own privacy protection standards. It is noteworthy that under both bills the prime responsibility to protect the consumer’s privacy falls upon the carmakers. In this way it may be that the USA legislative bodies consider car manufacturers and not the telecom companies as main party collecting data in driverless cars – which may not be the case.
Of the many countries and regions that have passed regulations on personal privacy, the European Union (EU) stands out for its overarching and comprehensive approach.
On 25 May 2018, the General Data Protection Regulation (GDPR) will take effect and replace the Data Protection Directive of 1995. The GDPR aims to strengthen and unify data protection for all individuals within the EU. It also addresses the export of personal data outside the EU. It is important to note that as this is not a directive and therefore will not require national governments to pass any enabling legislation. It will therefore be directly binding and applicable.
The EU connected cars strategy that was published on 30 November 2016 by the European Commission (“EU Strategy”) set out that the protection of personal data and privacy is a decisive factor for the successful deployment of cooperative, connected and automated vehicles. The EU believes users must be comfortable that their personal data will not be treated as a commodity and consumers retain effectively control over how and for what purposes their data is used for.
The EU Strategy also states that all data broadcast by connected cars will, in principle, qualify as personal data, and that the processing of such data needs to comply with the GDPR from May 2018.
The EU Strategy further set out specific actions to be taken:
- Cooperative Intelligent Transport Systems (C-ITS) service providers must offer transparent terms and conditions to end-users, using clear and plain language in an intelligible way and in easily accessible form, so as to enable users to give informed consent for the processing of their personal data.
- The European Commission will publish its first guidance regarding data protection by design and by default, specifically related to C-ITS, in 2018.
- The C-ITS deployment initiatives will work on information campaigns to create necessary trust amongst end-users and thereby achieve public acceptance; demonstrate how use of personal data can improve safety and efficiency of the transport system but still allows for compliance with data protection and privacy rules; consult with EU Data Protection Authorities to develop a sector based data protection impact assessment template to be used when introducing new C-ITS services.
In addition, on 13 January 2017 the EU Agency for Network and Information Security (ENISA) released the study “Cybersecurity and Resilience of smart cars” * (“ENISA Guidance”), which identifies good practices and recommendations to ensure security of smart cars against cyber threats.
The ENISA Guidance also provides recommendations for good practice in respect of user data protection:
- Identify personal data. What is personal data? The definition includes data relating to an identified or identifiable person. In the case of smart cars, however, it can be assumed that most data related to user activity will to some level be personal, this is especially so for location-based data.
- Implement transparency measures. The interactions with the users enable to cover the legal transparency requirements such as service provider’s communications with users on service provider’s name and address, what data is collected, the purpose of data processing and the recipients of the data.
- Design product/service with legitimate purpose and proportionality in mind. The stakeholders must ensure themselves and their subcontractors or suppliers do not process more user data than is needed and do not use it for illegitimate purposes. As a general rule, third party components integrated in the device or third party cloud services should not be able to access unencrypted user data without explicit user consent.
- Establish measures to enforce the protection of private data. Measures such as access control, pseudonymity and unlinkability (such as ensuring that data is not correlated), and anonymity should be established and in place. Obviously, GDPR will play a key role in addressing personal data protection issue in self-driving cars in EU but how the legal requirements under GDPR will specifically apply to self-driving cars is currently unclear.
3. Industry Initiatives
In addition to government laws and policies, there are also industrial efforts afoot in respect of consumer privacy protection for self-driving cars.
In 2014 the Alliance of Automobile Manufacturers and the Association of Global Automakers unveiled a set of privacy principles for vehicle technology and services (“Privacy Principles”).
Nineteen automobile manufacturers participated in the drafting of the Privacy Principles including BMW, Aston Martin, Ford, General Motors and Mercedes–Benz. The participating automobile manufacturers committed to comply with these Privacy Principles, which govern the collection, use, and disclosure of behavioral information collected from self-driving vehicles.
The seven principles under the Privacy Principles are set out below:
- Transparency – Members should provide owners and registered users with ready access to clear, meaningful notices about the member’s collection, use, and sharing of collected information.
- Choice – Members should offer owners and registered users with choices regarding the collection, use, and sharing of collected information.
- Respect for Context – Members should use and share collected information in ways that are consistent with the context in which the collected information was collected and also take account of the likely impact on owners and registered users.
- Data Minimization, De-identification & Retention – Members should collect collected information only as needed for legitimate business purposes and not retain collected information for any longer than necessary.
- Data Security – Members should implement reasonable measures to protect collected information against loss or unauthorized access or use.
- Integrity and Access – Members should implement reasonable measures to maintain the accuracy of collected information and allow owners and registered users to have reasonable means to review and correct personal subscription information which they provide during the subscription or registration process for vehicle technologies or services.
- Accountability – Members should take reasonable steps to ensure they and related entities receiving collected information will adhere to the Privacy Principles.
Under the Privacy Principles, the collected information is defined as information which is linked or linkable to: the vehicle from which the information is retrieved: the owner of the vehicle; or a registered user of the vehicle’s technologies and services. Further, it includes information vehicles collect, generate, record, or store in an electronic format that is retrieved from vehicles in connection with vehicle technologies and services; or personal subscription information. Types of data include biometric, behavioral, and geolocation information.
The privacy commitments are part of a larger initiative by automakers to protect the privacy and security of the data necessary to support advanced vehicle technologies. 
Legal implications on privacy under China law
Unlike many other jurisdictions, China does not have a single comprehensive code of legislation dealing with the protection of privacy and personal data. The laws and regulations relating to privacy and personal data are scattered in various pieces of legislations.
In recent years, especially since 2009 Chinese authorities have introduced multiple laws and regulations in dealing with the deteriorating abuse of personal information in China. It should be noted that on the whole Chinese citizens do seem more comfortable with the authorities having access to personal data … and indeed even large service providers if it leads to better services.
The notable ones are set out below:
- In 2009, the Standing Committee of National People’s Congress (SCNPC) adopted an amendment to PRC Criminal Law to criminalize illegal sale or disclosure of personal information by employees of government organizations and certain entities or by such organizations or entities themselves. In 2015, another amendment to the PRC Criminal Law was adopted to replace the amendment in 2009, which applies to all individuals, government organizations and entities and subjecting offenders to up to 7- year imprisonment terms. 
- In 2012, the SCNPC issued a Decision on Strengthening Information Protection on Networks (“NPC Decision”). The NPC Decision provides that no organization or individuals shall obtain electronic personal information of citizens by theft or any other illegal means and shall not sell or illegally provide electronic personal information of citizens to other parties. The NPC Decision further provides that no organization or individual may, without consent, send commercial electronic information to landline or mobile phones or personal email addresses.
The rules set out in the NPC Decision in respect of personal information protection have laid the fundamental principles on personal information protection in China and have been adopted and further expanded in a number of other laws such as PRC Consumers’ Rights and Interests Protection Law. 
Another prominent development in privacy protection is the enacting of China’s Cybersecurity Law (CSL) which took effect on June 1, 2017. The notable points under the CSL include:
- defining “personal information” for the first time in a formal law,
- re-stressing the key principles and requirements in collecting, using and transferring personal information;
- increasing the monetary penalties for violation of privacy, and
- data localization requirements for operators of critical information infrastructure(CII).
Under the CSL, CII refers to networks used in public communications, information services, energy, transportation, water conservancy, finance and public services as well as those networks the failure of which may harm the national security, economy or public interest. The CSL requires operators of CII to retain, within China, the personal information and important data collected and produced during operations in China. The coverage of CII under CSL is non-exhaustive and so far, official implementation measures and guidelines regarding the specific scope of CII have yet not been issued.
A cause of concern for many international companies with a presence in China was in April 2017, the issued draft Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (“Assessment Measures”). These Assessment Measures extend data localization requirements to all network operators beyond CII operators. The final version of the Assessment Measures is expected to be issued in 2018.
If such expanded data localization requirements are finally adopted, this will have a major impact on international companies in respect of their outbound transfer of personal data. It should, however, be noted that there are already data localization requirements under existing Chinese laws. One example is that servers for mapping data for internet mapping service providers in China must be within China. Also personal information collected by China car-hailing companies should only be stored and used within China.
On the same day of the effectiveness of the CSL, a judicial interpretation on Handling of Criminal Cases of Infringement of Citizen’s Personal Information issued by China Supreme Court and Supreme Procuratorate also took effect (“2017 Interpretation”). The 2017 Interpretation has a broader definition of “personal information” than CSL and expressly includes “location and track information” as personal information. The 2017 Interpretation further specifies the circumstances that constitute serious cases scenario or extremely serious cases scenario. For example, illegally obtaining, selling or providing an individual’s location and track information for more than 50 pieces will constitute serious case and be subject to up to 3-year imprisonment and, if the number of location and track information illegally obtained, sold or provided reaches more than 500 pieces, such violation will constitute extremely serious case and will be subject to up to 7-year imprisonment terms.
In addition, on January 24, 2018, the Standardization Administration of China (SAC), a non-government organization in China, issued the Information Technology – Personal Information Security Specification (GB/T 35273-2017) (“SAC Specification”) which will be effective from May 1, 2018. The SAC Specification is not a binding document but rather a guideline, which refers to regulations and good practice in other jurisdictions. The SAC Specification provides many new concepts such as sensitive personal information, personal information controller and details the process of collecting, storing, using, delegating, sharing, transferring and disclosing personal information with certain examples such as privacy template. While the SAC Specification is not a binding document, it will provide good practice and is an example to companies as to how to better implement personal data protection in China.
Like many other jurisdictions, China’s legal regime has not addressed the specific privacy implications that self-driving cars will raise. However, China has established a preliminary legal framework on privacy protection. Companies operating in China should follow the general requirements on personal data collection, use, storage and processing established by the Chinese laws and judicial interpretation mentioned above and are recommended to refer to the good practice set out in the SAC Specification, for example, obtaining express consent (i.e., adopting an opt-in approach) from users of self-driving cars to collect, use, store and process sensitive personal information to avoid potential compliance risks.
As self-driving cars will be on the market soon, consumers’ concerns on privacy issues will affect their adoption of the new mode of travel. The best practice would be that the privacy issues be systematically addressed in advance – before self-driving cars become everyday consumer products. However, this will need joint efforts from regulatory authority, car manufacturers and other stakeholders.
There is a need for:
- Legislation and guidance – Obviously, legislation and regulatory guidance will help to address issues brought by new technology and in some times legislation will play the key role to foster or hinder adoption of new technology. China is establishing its legal regime to boost the development of self-driving cars in China. For privacy protection, while it may be less likely that Chinese authority will issue separate laws addressing privacy issues in connection with self-driving cars in the near future, Chinese authorities may issue regulatory guidelines to provide guidance to carmakers and other stakeholders on how to best meet the privacy compliance requirements based on existing laws.
- Car manufactures and relevant operators/suppliers/service providers – Respecting consumer privacy will be a key concern for consumers. The most efficient and effective strategy would likely be through to build privacy protection into self-driving cars from the outset. That is to say, car manufacturers and other relevant parties may need to consider the concept of privacy by design, which would, to the extent possible, have self-driving cars minimize the amount personal information generated, collected or retained. A further safeguard would be technical measures that encrypt and anonymize information as well as controls to prevent misuse or unauthorized third-party access. 
- Industry guidance – If car manufacturers and other relevant parties involved in the development of self-driving cars follow the guidance on privacy protection issued by organizations such as Alliance of Automobile Manufacturers and the Association of Global Automakers then this likely to further quell consumer concerns. For many car manufacturers and other relevant parties in China, the SAC Specification will be a helpful tool to formulate data privacy policies for self-driving cars in China.
* Is it just us or do you also think US legislators likely spend far too much time comping up with names that are also an acronym?
* Seems the EU authorities do not spend much time on fancy acronyms!
 Article 7 of the Amendment VII to the Criminal Law
 Article 17 of the Amendment IX to the Criminal Law
 Article 1 of the NPC Decision
 Article 7 of the NPC Decision
 Article 29 of the China Consumers’ Rights and interests Protection Law
 Not including Hong Kong, Macau and Taiwan
 Network operator is a quite broad concept that covers all owner, manager and service providers of networks, including internet and local area network
 Article 34 of the Administrative Regulations on Maps issued by the State Council and effective on January 1, 2016
 Article 27 of the Provisional Measures for Administration of E-Hailing Services issued by 7 China ministerial departments and effective on November 1, 2016