According to a 2019 study by Deloitte, French consumers are more confident about AVs than other Europeans: only 36% of French respondents said in 2019 that they were skeptical about them (vs. 65% in 2017), compared with an average of 50% of other Europeans, who believe that such vehicles are not yet sufficiently safe.1
Similarly, French consumers are less worried than other Europeans about the collection and sharing of their biometric data by connected vehicles. Finally, 34% of them trust original equipment manufacturers, rather than others (government, car dealerships, insurance companies, cloud service providers, etc.), in the role of manager of their personal data. These perceptions are reflected in the French regulations governing biometrics and the associated laws relating to this type of data.
A. Legal and regulatory framework
In France, the testing of AVs is subject to a prior administrative authorization under the 2015 Energy Transition Act2 and the 2016 government order on the testing of “vehicles with delegated driving authority”.3 The authorization is valid for two years (renewable once). A 2018 decree4 provides that such authorization can only be granted for one of the following three purposes: testing to develop key AV technologies (software, sensors, mapping, etc.) or connected road infrastructure; evaluation of performance in real-life situations for future uses; and public demonstrations to raise awareness among the public and companies. The decree lays down a number of security and information obligations to be complied with. Regarding data, collected data must be erased regularly, except in the event of an accident, in which case the data collected during the five minutes preceding the accident must be kept for one year.
From the end of 2014 to the beginning of April 2018, 54 authorizations were issued. Alongside the large car manufacturers (such as Renault and PSA), small companies have emerged in the sector: Navya launched its “Autonom shuttle” in 2015, currently tested on closed circuits (notably in hospitals, airports and the Val Thorens ski resort), and an “Autonom cab” tested in Lyon. Easymile, created in 2014, introduced TractEasy last year, a “luggage tractor” currently tested in a PSA factory. Public transport operators such as RATP, Keolis and Transdev have also launched trials aimed at facilitating transportation in public spaces.
The French legal and regulatory framework on AVs is still evolving, and two pieces of legislation are expected in 2019. First, the Action Plan for business growth and transformation (“PACTE” law) will supplement the 2015 Act by making any type of trial possible, including trials without a person in the vehicle. Second, the Law on Mobility (“Loi des mobilités”) should establish the framework for the definitive regime governing AV traffic.
(i) Autonomous vehicles and personal data
The collection and processing of personal data through AVs is subject, like any other processing of personal data, to the European General Data Protection Regulation 2016/679 (“GDPR”)5 and the national laws supplementing it, such as, in France, the French Data Protection Act as amended.6
The French data protection authority (the CNIL) published a compliance package on “connected vehicles and personal data” in 20177, which already took GDPR requirements into account to some extent. While this package does not address all of the specific privacy issues that AVs will raise, it is a first step towards defining standards for all stakeholders of the connected car industry. At the international level, the International Working Group on Data Protection in Telecommunications (IWGDPT) adopted a Working Paper on Connected Vehicles on April 9 and 10, 2018.8
Both encourage the car industry to favor connected vehicles in which personal data is processed locally, with no data transmitted to service providers or car manufacturers (the IN-IN scenario9). This scenario both gives car users safeguards for their privacy and simplifies the obligations of data controllers, as it implies that the data is necessarily processed and stored inside the vehicle.
According to the CNIL, processing falling under the IN-IN scenario (i.e. no personal data transmitted to the service provider and users retaining full control over their data) can benefit from the “household exemption” of Article 2(2)(c) of the GDPR: it is treated as processing carried out by a natural person in the course of a purely personal or household activity and is therefore not subject to data protection law.
However, with AVs, data exchange will hardly be confined to the car itself. AVs will need to interact and exchange data with other vehicles, traffic systems, etc., in real time, and the legal implications of these data usages and flows, and their compliance with privacy laws, will have to be reassessed in that context.
Please refer to Norton Rose Fulbright’s third annual Autonomous Vehicle White Paper for further information on the use of personal data in autonomous/connected vehicles in France.
B. Processing biometrics in autonomous/connected vehicles
(i) French legal and regulatory framework for processing biometrics
Biometric data qualify as “special categories of personal data” within the meaning of the GDPR and the French Data Protection Act. Unlike other personal data, they are inherent to the human body, can be disclosed unconsciously and, in most cases, cannot be changed. Because of these characteristics, their processing as sensitive data is prohibited, except in the limited circumstances laid down in the GDPR, which include the data subject’s explicit consent and the protection of the data subject’s vital interests.
In France, an additional derogation has been introduced in the French Data Protection Act. Article 8.II.9° authorizes employers to use biometrics for access control, by biometric authentication, to premises, computer devices and applications in the workplace, provided that the processing complies with the Model Regulation recently adopted by the CNIL.10
The CNIL has also released several guidelines on the processing of individuals’ or customers’ biometrics, notably in relation to smartphones11 and daily life activities.12 The CNIL insists on limiting the risks associated with biometric processing while ensuring that the people using it keep control of their personal data, and its recommendations build in data protection principles by design and by default.
(ii) Biometrics in the automotive industry
No guidance relating specifically to the processing of biometrics in AVs has been released yet. However, the CNIL addressed the issue for connected vehicles in the compliance package mentioned above. Note that this package applies to the private use of connected cars and as such excludes the employer/employee context.
The following requirements and best practices expected by the CNIL can be inferred from that compliance package (it being noted that the same requirements appear in all other CNIL guidance on the processing of biometric data).
Local processing and local storage. The processing should ideally be carried out at the initiative and under the control of the data subject and for private use, provided that the biometric data is stored inside the device, in a locked environment and in encrypted form, and that during access control the only data transmitted is a single item indicating the success or failure of the biometric recognition. This means that no biometric data is transmitted to the service provider or the car manufacturer. They nonetheless remain the controller of the processing implemented, and specifically responsible for its security (e.g. by limiting the number of authentication attempts). It also means that the driver or car user must be able to deactivate the biometric authentication device at any time, and easily access or delete the history of biometric data (for example via a button inside the vehicle and/or via their computer or the on-board computer).
Consent and alternative. Where the driver’s or car user’s biometric data is used to unlock or start the vehicle or to activate certain vehicle controls, the CNIL considers that consent must be the legal basis. This covers, for instance, unlocking or starting a vehicle with a fingerprint, activating some vehicle controls by voice recognition, or drowsiness alerts based on recognition of the pressure points exerted by the driver’s back on the front seat. Such processing implies full control by the user over their biometric data and can only be based on consent; full control includes that an alternative to the biometric device must always be offered to the user.
Security measures. Biometric data is highly sensitive, and the CNIL requires strict security measures, in addition to the “classic” security measures expected in connected vehicles, to ensure that the authentication device is sufficiently safe and reliable. It is therefore recommended to ensure that:
- the configuration of the biometric solution used (for example, its false acceptance and false rejection rates) is adapted to the level of security expected for access control;
- the biometric solution uses a sensor resistant to attacks deemed trivial in the state of the art (currently, for instance, presenting a flat printed copy of a fingerprint to a fingerprint reader);
- the number of authentication attempts is limited;
- only the biometric template is stored in the device, in encrypted form, using a cryptographic algorithm and key management that comply with the state of the art;
- the raw data used to create the biometric template and to authenticate the user is processed in real time without being stored locally (for example, audio recordings in the case of a voice-recognition system).
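The requirements above (encrypted template kept only on the device, limited authentication attempts, nothing but the match/no-match result leaving the matcher, raw samples processed in real time and not retained, a threshold that trades false acceptance against false rejection, a user-controlled deactivation) can be put together in one small in-vehicle verifier. The following is an added illustration, not code from the CNIL package or from any manufacturer. Its sensor model (256 readings thresholded to 256 bits), the Hamming-distance matcher, the `constructed_sample`/`noisy_resample` inputs and the HMAC-SHA256 counter-mode cipher are all constructed assumptions; a real implementation would use a proper feature pipeline and an AEAD such as AES-GCM with keys held in the vehicle's secure element.

```python
import hashlib
import hmac
import os
import random

TEMPLATE_BYTES = 32      # 256 feature bits per template (assumed size)
SAMPLE_READINGS = 256    # constructed sensor: one 8-bit reading per feature


class LockedOut(Exception):
    """Raised once the failed-attempt budget is exhausted."""


def extract_template(raw_sample: bytes) -> bytes:
    """Constructed stand-in for feature extraction: each reading -> one bit."""
    if len(raw_sample) != SAMPLE_READINGS:
        raise ValueError("unexpected sample size")
    bits = 0
    for reading in raw_sample:
        bits = (bits << 1) | (1 if reading >= 128 else 0)
    return bits.to_bytes(TEMPLATE_BYTES, "big")


def _subkey(device_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the device key.
    return hmac.new(device_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for an AEAD.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(device_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(device_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(device_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(device_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(device_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored template failed integrity check")
    ks = _keystream(_subkey(device_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def hamming(a: bytes, b: bytes) -> int:
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


class BiometricUnlock:
    """In-vehicle verifier: the template never leaves this object and verify()
    exposes nothing but the match/no-match decision."""

    def __init__(self, device_key: bytes, threshold_bits: int = 24, max_attempts: int = 5):
        self._key = device_key              # in practice held by the secure element
        self._threshold = threshold_bits    # tunes false acceptance vs. false rejection
        self._max_attempts = max_attempts
        self._sealed = None
        self._failures = 0

    def enroll(self, raw_sample: bytes) -> None:
        # Only the encrypted template is kept; the raw sample is not retained.
        self._sealed = seal(self._key, extract_template(raw_sample))
        self._failures = 0

    def verify(self, raw_sample: bytes) -> bool:
        if self._sealed is None:
            raise RuntimeError("biometric unlock is deactivated")
        if self._failures >= self._max_attempts:
            raise LockedOut("attempt budget exhausted; use the non-biometric alternative")
        probe = extract_template(raw_sample)            # real-time, never stored
        template = unseal(self._key, self._sealed)
        ok = hamming(probe, template) <= self._threshold
        self._failures = 0 if ok else self._failures + 1
        return ok

    def deactivate(self) -> None:
        """User-triggered opt-out: erases the stored template."""
        self._sealed, self._failures = None, 0


def constructed_sample(seed: int) -> bytes:
    """Constructed sensor output: 256 pseudo-random 8-bit readings."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(SAMPLE_READINGS))


def noisy_resample(sample: bytes, seed: int, spread: int = 8) -> bytes:
    """Same person, new capture: every reading jitters by up to +/- spread."""
    rng = random.Random(seed)
    return bytes(min(255, max(0, b + rng.randint(-spread, spread))) for b in sample)


def demo() -> dict:
    """Scenario on constructed samples: genuine match, impostor rejections, lockout."""
    genuine, impostor = constructed_sample(1), constructed_sample(3)
    dev = BiometricUnlock(os.urandom(32), max_attempts=3)
    dev.enroll(genuine)
    result = {"genuine": dev.verify(noisy_resample(genuine, 2)),
              "impostor": [dev.verify(impostor) for _ in range(3)]}
    try:
        dev.verify(noisy_resample(genuine, 4))
        result["locked_out"] = False
    except LockedOut:
        result["locked_out"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The lockout persists even for a genuine capture, which is deliberate: after the budget is spent the user falls back to the alternative (key or PIN) that the CNIL requires in any case, rather than the device offering an attacker unlimited tries. And `verify` returns a bare boolean rather than the distance, so a caller (or a compromised infotainment unit) cannot use the score as an oracle to iteratively converge on the template.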
If the processing meets these requirements on local storage and processing, consent and alternative, and specific security measures, it falls under the “household exemption” and is therefore not subject to the laws and regulations on the protection of personal data.
Any other processing is subject to the GDPR and to French laws and regulations on personal data, and specifically those on biometrics. In that event, the car manufacturer or service provider accessing the biometric data must document how it complies with the applicable laws and regulations (e.g. if consent is not obtained, it must justify why the use of biometrics is strictly necessary). A data protection impact assessment may be necessary.
Employee/employer context. If the biometric device were to be used in an employee’s vehicle, it would have to be assessed whether the device falls within the scope of the CNIL’s Model Regulation on the use of biometrics by employers for access to tools or applications made available at work, in which case it would have to strictly comply with all the requirements of that Model Regulation. In particular, the employer would have to justify the strict necessity of using biometrics in that context.