Autonomous driving is made possible by processing large amounts of personal data. But in accordance with the General Data Protection Regulation (GDPR), data processing is only lawful if there is a legal basis for the processing. The question as to which legal basis could apply in the case of autonomous driving was discussed in connection with the legislative procedure for the Autonomous Driving Act. The Federal Ministry of Transport and Digital Infrastructure has now issued an Ordinance regulating the operation of motor vehicles with automated and autonomous driving functions and amending provisions of road traffic law (the “Ordinance”) (PDF only in German), in which it specifies certain key aspects of data protection law. This is of importance for both manufacturers and suppliers, who play a key role in the implementation of data protection requirements.
Data processing by the vehicle owner
In accordance with the GDPR, data processing is lawful e.g. if the processing takes place in order to comply with a legal obligation. Such an obligation can be found in § 1g(1) and (2) (only in German) of the Road Traffic Act and has now been specified by the Ordinance. Under this statute, owners of autonomous vehicles are required to store certain personal data, such as e.g. positional data and speeds, relating to certain incidents, and to transmit this data e.g. to the Federal Motor Transport Authority upon request. Such incidents include e.g. accidents, unintended lane changes and evasive maneuvers. The owner is required to store this data from the time that the event occurs (e.g. an accident) until the time that the vehicle is returned to a condition of minimal risk.
Duties for manufacturers and suppliers
In accordance with § 1g(3) of the Road Traffic Act (only in German), manufacturers of autonomous vehicles are required to create the technical conditions necessary for storage of data by the owner. In particular, they are required to adhere to the principles of privacy-friendly technical design, as well as taking appropriate technical and organizational measures for the protection of personal data. In addition, the safety concept provided in § 12 of the Ordinance includes performance of a data protection impact assessment. The new requirements do not apply to suppliers directly, but they will have a strong indirect impact, since manufacturers will be required to ensure that supplied components meet the requirements of data protection law over their entire supply chain. As a general rule, manufacturers will pass on the requirements applying to them in their contracts with suppliers, since the technical equipment for these vehicles is provided at least in part by module and system suppliers. These companies, typically Tier 1 suppliers, have the necessary technical expertise due to their proximity to the product and may therefore be contractually required to comply with these duties.
The Ordinance specifies the data protection requirements for autonomous vehicles and creates more legal certainty for manufacturers and suppliers. This should generally be regarded as a welcome development. But at the same time, it creates many new data protection requirements for manufacturers and, indirectly, for suppliers as well. As is so often the case, balanced formulation of contracts and sophisticated compliance management are indispensable in order to implement these new requirements in a strategic and sustainable manner.back