Auto­no­mous vehic­les: more legal cer­tain­ty with regard to data protection

Auto­no­mous dri­ving is made pos­si­ble by pro­ces­sing lar­ge amounts of per­so­nal data. But in accordance with the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR), data pro­ces­sing is only lawful if the­re is a legal basis for the pro­ces­sing. The ques­ti­on as to which legal basis could app­ly in the case of auto­no­mous dri­ving was dis­cus­sed in con­nec­tion with the legis­la­ti­ve pro­ce­du­re for the Auto­no­mous Dri­ving Act. The Fede­ral Minis­try of Trans­port and Digi­tal Infra­struc­tu­re has now issued an Ordi­nan­ce regu­la­ting the ope­ra­ti­on of motor vehic­les with auto­ma­ted and auto­no­mous dri­ving func­tions and amen­ding pro­vi­si­ons of road traf­fic law (the “Ordi­nan­ce”) (PDF only in Ger­man), in which it spe­ci­fies cer­tain key aspects of data pro­tec­tion law. This is of importance for both manu­fac­tu­r­ers and sup­pli­ers, who play a key role in the imple­men­ta­ti­on of data pro­tec­tion requirements.

Data pro­ces­sing by the vehic­le owner

In accordance with the GDPR, data pro­ces­sing is lawful e.g. if the pro­ces­sing takes place in order to com­ply with a legal obli­ga­ti­on. Such an obli­ga­ti­on can be found in § 1g(1) and (2) (only in Ger­man) of the Road Traf­fic Act and has now been spe­ci­fied by the Ordi­nan­ce. Under this sta­tu­te, owners of auto­no­mous vehic­les are requi­red to store cer­tain per­so­nal data, such as e.g. posi­tio­nal data and speeds, rela­ting to cer­tain inci­dents, and to trans­mit this data e.g. to the Fede­ral Motor Trans­port Aut­ho­ri­ty upon request. Such inci­dents include e.g. acci­dents, unin­ten­ded lane chan­ges and eva­si­ve maneu­vers. The owner is requi­red to store this data from the time that the event occurs (e.g. an acci­dent) until the time that the vehic­le is retur­ned to a con­di­ti­on of mini­mal risk.

Duties for manu­fac­tu­r­ers and suppliers

In accordance with § 1g(3) of the Road Traf­fic Act (only in Ger­man), manu­fac­tu­r­ers of auto­no­mous vehic­les are requi­red to crea­te the tech­ni­cal con­di­ti­ons neces­sa­ry for sto­rage of data by the owner. In par­ti­cu­lar, they are requi­red to adhe­re to the prin­ci­ples of privacy-friendly tech­ni­cal design, as well as taking appro­pria­te tech­ni­cal and orga­niza­tio­nal mea­su­res for the pro­tec­tion of per­so­nal data. In addi­ti­on, the safe­ty con­cept pro­vi­ded in § 12 of the Ordi­nan­ce includes per­for­mance of a data pro­tec­tion impact assess­ment. The new requi­re­ments do not app­ly to sup­pli­ers direct­ly, but they will have a strong indi­rect impact, sin­ce manu­fac­tu­r­ers will be requi­red to ensu­re that sup­pli­ed com­pon­ents meet the requi­re­ments of data pro­tec­tion law over their enti­re sup­p­ly chain. As a gene­ral rule, manu­fac­tu­r­ers will pass on the requi­re­ments app­ly­ing to them in their con­tracts with sup­pli­ers, sin­ce the tech­ni­cal equip­ment for the­se vehic­les is pro­vi­ded at least in part by modu­le and sys­tem sup­pli­ers. The­se com­pa­nies, typi­cal­ly Tier 1 sup­pli­ers, have the neces­sa­ry tech­ni­cal exper­ti­se due to their pro­xi­mi­ty to the pro­duct and may the­r­e­fo­re be con­trac­tual­ly requi­red to com­ply with the­se duties.

Sum­ma­ry

The Ordi­nan­ce spe­ci­fies the data pro­tec­tion requi­re­ments for auto­no­mous vehic­les and crea­tes more legal cer­tain­ty for manu­fac­tu­r­ers and sup­pli­ers. This should gene­ral­ly be regard­ed as a wel­co­me deve­lo­p­ment. But at the same time, it crea­tes many new data pro­tec­tion requi­re­ments for manu­fac­tu­r­ers and, indi­rect­ly, for sup­pli­ers as well. As is so often the case, balan­ced for­mu­la­ti­on of con­tracts and sophisti­ca­ted com­pli­ance manage­ment are indis­pensable in order to imple­ment the­se new requi­re­ments in a stra­te­gic and sus­tainable manner.