How should government manage data from C-ITS and autonomous vehicles?

8 mins  08.10.2018 Paul Kallenbach, David Pearce, Susan Walsh, Amy Dunphy

On 27 September 2018, the National Transport Commission released its discussion paper 'Regulating Government Access to C-ITS and Automated Vehicle Data'. The following article looks at its implications.

On 27 September 2018 the National Transport Commission (NTC) released its discussion paper 'Regulating Government Access to C-ITS and Automated Vehicle Data' (Discussion Paper), inviting submissions in response by 22 November 2018.

Government decision-making is likely to be informed and enhanced by the data generated by automated vehicles and cooperative intelligence transport systems (C-ITS). This data would have particular value for law enforcement, traffic management, road safety and infrastructure planning.

However, this benefit needs to be balanced against privacy concerns. The NTC acknowledges that the data broadcast by C-ITS and connected and autonomous vehicles (CAVs) will, in most cases, constitute personal information – and therefore, by default, should be treated as such. The NTC also acknowledges that the wide range of data generated by automated vehicles, when held or utilised by Government road or law enforcement agencies, could lead to increased identifiability of personal or sensitive information, given other datasets available to those agencies. The NTC's concern here is that privacy fears could lead to delayed or impaired uptake of CAVs, ultimately delaying the expected road safety benefits of widespread adoption of the technology.

The Discussion Paper proposes a number of regulatory options that seek to balance improved Government decision making (and associated public value) through the use of this data against ensuring appropriate privacy protection for C-ITS and automated vehicle users.

Why is data privacy an issue for C-ITS and CAVs (and their users)?

C-ITS and CAV technology will collect and maintain information about the use of a vehicle and its passengers, some of which will constitute 'personal information' or 'sensitive information' and therefore fall within Australian privacy and data protection laws.

Under the Commonwealth Privacy Act 1988, personal information is any information or an opinion, in whatever form, about an identified individual or from which an individual is reasonably identifiable. Sensitive information is a category of personal information that includes information about, relevantly, racial or ethnic origins, health information, political opinions, religious beliefs and criminal records.

While mobile phones and GPS devices currently installed in vehicles already track speed, location and other related data, C-ITS and CAVs present new challenges, due the types of technology used and the nature and volume of the data collected.

The NTC identifies three key challenges:

1. New data and information captured using new C-ITS and CAV technology, including:

a) in-cabin cameras that monitor driver alertness and occupant behaviour (which could extend to 'whole of cabin' monitoring and recording);

b) 'vehicle to vehicle' and 'vehicle to everything' communication that enables the transport network to communicate and share real time information, including data on vehicle movements, traffic signs and road conditions; and

c) biometric, biological or health sensors used to monitor driver alertness and behaviour, and recognise drivers and occupants (e.g. through the use of fingerprints) for a customised driving experience;

2. More widespread collection of location data: while the data relating to the speed, location and direction of vehicles captured by C-ITS and automated vehicle technology may be broadly similar to that currently captured by vehicle technology, the NTC is concerned by the potential increase in the volume of collection of location data, as well as government storage and handling of such data once is the technology has been deployed; and

3. Greater breadth and depth of data: C-ITS and automated vehicle systems will be increasingly reliant on data from cameras, monitors and other detection devices to operate. This means that they will collect, store and communicate greater amounts of data relating to vehicle occupants and road environments. Additional opportunities will exist for data linking by government agencies, which could lead to the increased identifiability of individuals.

Why might government collection and use of C-ITS and CAV data be an issue?

Privacy regulation exists at both the Federal and State levels in Australia. The Commonwealth Australian Privacy Principles (APPs) regulate how private sector organisations and Federal Government agencies collect, use and disclose 'personal information' and 'sensitive information'. The APPs do not apply to State departments and agencies; however State and Territory privacy legislation and principles, where they exist, govern the collection, use and disclosure of personal information by such bodies. In either case, the relevant privacy regimes typically give government bodies broad rights to directly collect personal information if doing so is reasonably necessary for one or more of their functions or activities. For example, a State road agency could arguably collect personal information from an individual for the purposes of sending signals from government owned infrastructure or roadside devices for traffic management purposes without the need to seek consent (although notification to the individual may be required) unless the information is or includes sensitive information (in which case consent would be required in most cases). One further complication here is that location information may become sensitive information if it discloses a health condition – for example, a pattern of visits to a particular doctor's office.

Challenges also exist in circumstances where government agencies would obtain information from private sector entities (such as from an automated driving system entity), rather than directly collect the information itself. A major risk identified by the NTC is that private sector entities can disclose personal information to law enforcement agencies if believed reasonably necessary for law enforcement related activities. This may mean that an individual is under surveillance (or investigation) when using a CAV or engaging with a C-ITS without being made aware of this fact.

Regulatory options

The NTC has proposed several options to address new privacy challenges created by the use of C-ITS and CAV technology, as summarised below:

Option Description Reform required Option for both AV technology Option for C-ITS technology
1 Rely on existing privacy framework No Yes Yes
2 Agree broad principles on limiting government collection, use and disclosure of information Yes Yes Yes
3 Limit government collection, use and disclosure of information from in-cabin cameras and biometric, biological or health sensor to specific purposes  Yes Yes No
4  Limit government collection, use and disclosure of information to specific purposes  Yes Yes Yes

The NTC has identified option 2 as its preliminary preferred option, on the basis that it addresses the concerns held regarding government use of information from future technology, but allows flexibility to adapt as the technology develops.

How will C-ITS and CAV data be regulated in other jurisdictions?

In the European Union the collection, use and disclosure of C-ITS and CAV data constituting personal data by government agencies will, in the first instance, be covered by the General Data Protection Regulation (GDPR), which came into effect in May of this year. While there are many similarities between the Australian privacy regimes and the GDPR, there are a number of notable differences, including:

  • obligations for data controllers to comply with privacy by design/privacy by default principles (Articles 25(1) and 25(2));
  • data minimisation and avoidance obligations (limiting collection of data to only as necessary) (Article 5(1)(c));
  • the right to be forgotten (Article 17);
  • a more stringent consent/opt-in and notification regime; and
  • significantly higher penalties and sanctions for violation.

The GDPR does allow for exemptions in respect of processing of personal data by law enforcement agencies for criminal purposes, in which case such activities are covered by the Law Enforcement Directive (which was to be implemented by Member States by 5 May 2018). There was also an ePrivacy Regulation proposed in 2017 that will, if enacted, govern machine to machine communications.

By contrast, in the US, the state and sectoral approach to data protection means that current laws offer limited protection against government use of C-ITS and CAV data.

What is not covered by the Discussion Paper

Regulation of the collection and use of personal information in connection with C-ITS and CAV systems by private sector entities is outside the scope of the Discussion Paper. However, the Discussion Paper recognises that private sector entities governed by the Commonwealth Privacy Act (which include all private sector entities with a turnover of more than $3 million, as well as smaller entities that disclose or collect personal information for a benefit, service or advantage) must comply with the Privacy Act 1998 (Cth), and are, for example, required by the APPs to take reasonable steps to notify individuals (or make individuals aware) of the purposes for which personal information is collected, held, used and disclosed. Further, consent may need to be sought from CAV users for a wide range of collection, use or disclosures of personal information or sensitive information if it is for a secondary purpose, unless an exemption applies.

The NTC's mandate is focused on privacy issues as they relate to barriers to using technologies that can significantly improve road safety. Austroads is separately undertaking an overall consideration of privacy regulation for C-ITS technology.

The Discussion Paper also does not consider:

  1. access to automated vehicle data by motor injury insurers;
  2. obligations for an Automated Driving System Entity to record and share data generated by automated vehicles, and new powers for government agencies to access this data;
  3. Australia's information access framework as it applies to the private sector; and
  4. access to automated vehicle data by consumers disputing liability.

The NTC is separately considering these issues as part of its broader national reform program.

Where to next

Submissions in response to the Discussion Paper are due on 22 November 2018.

If you require any assistance with submissions, please contact our team of specialists.

Contact

Tags

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiJmMDJkZDY4Yy1iM2I1LTQ1MDQtOTBkNS0wOWYxMjExZjM3MDkiLCJyb2xlIjoiQXBpVXNlciIsIm5iZiI6MTczMzU2ODk2OSwiZXhwIjoxNzMzNTcwMTY5LCJpYXQiOjE3MzM1Njg5NjksImlzcyI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL2hvdy1zaG91bGQtZ292ZXJubWVudC1tYW5hZ2UtZGF0YS1mcm9tLWMtaXRzLWFuZC1hdXRvbm9tb3VzLXZlaGljbGVzIiwiYXVkIjoiaHR0cHM6Ly93d3cubWludGVyZWxsaXNvbi5jb20vYXJ0aWNsZXMvaG93LXNob3VsZC1nb3Zlcm5tZW50LW1hbmFnZS1kYXRhLWZyb20tYy1pdHMtYW5kLWF1dG9ub21vdXMtdmVoaWNsZXMifQ.bixp51NUVmhOYbDKt0etk4-nEUeHzGFYUgvy9FSinTE
https://www.minterellison.com/articles/how-should-government-manage-data-from-c-its-and-autonomous-vehicles

Point of View: insights into key issues and challenges facing business today.

In this series of interviews with MinterEllison partners we hear their perspective on key areas of interest to our clients and the business community.