Autonomous Driving Act: a step in the right direction, but legal risks remain

Stefan Hessel

On 3 May 2021, the Transportation Committee of Germany's Federal Parliament held a public hearing on the question of autonomous vehicles. The subject of the hearing was the federal government's bill for an Autonomous Driving Act (19/27439) (PDF only in German), which includes changes to the Road Traffic Act and the Compulsory Insurance Act. Among the experts at the hearing was attorney Stefan Hessel.

Assessment of the bill by the experts

All of the experts who participated in the hearing gave a positive assessment of the bill, on the whole. However, this bill is only the first step towards the more comprehensive legislation which will be required in this area. The bill allows the testing of autonomous vehicles so as to provide a better scientific basis for the evaluation of this technology, but is largely inadequate for the operation of autonomous vehicles in traffic. 

Cybersecurity and data protection in autonomous vehicles

Autonomous vehicles will face particular challenges in the future with regard to potential cyberattacks, and this threat needs to be countered early on, particularly from the viewpoint of traffic safety. Cybersecurity is one of the greatest challenges for autonomous driving. It was for this reason, in part, that the regulations developed by the World Forum for Harmonization of Vehicle Regulations (WP.29), as a working party of the United Nations Economic Commission for Europe (UNECE), were implemented at the European level, taking binding effect in March 2021 . In light of these regulations, the German bill for an Autonomous Driving Act must be regarded as a rather superficial solution.

Successful introduction and implementation of autonomous driving also requires clear rules governing the use and processing of data, since autonomous vehicles process large quantities of data. Aside from objective data, autonomous vehicles may also collect personal data regarding the vehicle's passengers, as well as the personal data of individuals in the surrounding area. Regulations are needed in order to balance the interest of data subjects in the protection of their data against the need for manufacturers, operators and owners of autonomous vehicles to use this data, and the present bill does not go far enough in this regard. It should also be kept in mind that the General Data Protection Regulation (GDPR) may create enormous challenges for autonomous driving, e.g. in the form of notification requirements, which appear undesirable even considering the interests of data subjects.

Challenges for operators and conclusion

The questions which the bill leaves unresolved should be addressed not by a national solution, but rather by comprehensive regulation at the European level. The existing regulations at the European level, which are the first of their kind and which have only recently taken effect, are already creating challenges for the automotive industry: a clear legal framework is indispensable for the integration of automotive vehicles into public road traffic. It will be necessary to create legal certainty for operators, manufacturers and for the competent authorities. At the same time, controllers need to make sure that they are complying with the various legal requirements with regard to cybersecurity and data protection, which the autonomous vehicles bill does not consolidate. We would be glad to help them do so.

Mr. Hessel's full opinion can be found here (PDF only in German).

[May 2021]