Introduction
We address the worldwide regulatory landscape facing the autonomous vehicle market.
Part of the autonomous vehicles white paper
Global | Publication | January 2020
In France, the testing of AVs is subject to the issuance of a prior administrative authorization pursuant to the Energy Transition Act in 2015[2] and the government order relating to the testing of “vehicles with delegated driving authority” in 2016.[3] The authorization is valid for two years (renewable once). A decree adopted in 2018[4] provides that such authorization can only be granted for one of the three following purposes: tests to develop key technologies for AVs (software, sensors, mapping, etc.) or connected road infrastructure, evaluation of performance in real-life situations for future uses, and public demonstration in order to raise public and companies’ awareness. The decree lays down a number of security and information obligations to be complied with. Regarding data, the data collected must be regularly erased (except in the event of an accident, where the data collected five minutes before the accident must be kept for one year).
From the end of 2014 to the beginning of April 2018, 54 authorizations were issued. Alongside the big car manufacturers (such as Renault, PSA), small companies have emerged in the sector: Navya launched its “Autonom shuttle” in 2015, currently tested in closed circuits (notably in hospitals, airports and in the ski resort Val Thorens), and an “Autonom cab” tested in Lyon. Created in 2014, Easymile introduced TractEasy last year, a “luggage tractor” currently tested in a PSA factory. Public transport operators such as RATP, Keolis and Transdev have also launched trials, aiming at facilitating transportation in public spaces.
The French legal and regulatory framework on AVs is still evolving, and two pieces of legislation are expected in 2019. Firstly, the Action Plan for business growth and transformation (“PACTE” law) will supplement the 2015 Act by making any type of trial possible, including those without a person in the vehicle. Secondly, the Law on Mobility (“Loi des mobilités”) should establish a framework for the definitive system of AV traffic.
The collection and processing of personal data through AVs is subject, like any other processing of personal data, to the European General Data Protection Regulation 2016/679 (“GDPR”)[5] and its supplementing national laws, such as, in France, the French Data Protection Act as amended.[6]
The French data protection authority (the CNIL) published a compliance package on “connected vehicles and personal data” in 2017,[7] which already took into account to some extent GDPR requirements. While this package does not address all of the specific privacy issues that will arise with AVs, it still constitutes a first step towards the definition of standards for all stakeholders of the connected car industry. At the international level, the International Working Group on Data Protection in Telecommunications (IWGDPT) adopted, on April 9 and 10, 2018, a Working Paper on Connected Vehicles.[8]
All are encouraging the car industry to favor connected vehicles involving local personal data processing with no data transmission to service providers or car manufacturers (scenario IN-IN[9]). This scenario has the advantages of both providing car users with safeguards of their privacy and simplifying the obligations for data controllers, as it implies that the data must necessarily be processed and stored inside the vehicle.
According to the CNIL, processing falling under that IN-IN scenario (i.e. no personal data transmitted to the service provider and users retaining full control over their data) can benefit from the “household exemption” provided by Article 2.2.c of the GDPR, i.e. they are considered as processing carried out by a natural person in the course of a purely personal or household activity and therefore not subject to data protection laws.
However, with AVs, the exchange of data will hardly be limited to the confines of the car itself. AVs will need to interact and communicate data with other vehicles, traffic systems, etc., in real time, and the legal implications and compliance with privacy laws of these data usages and flows will have to be reassessed in that particular context.
Please refer to Norton Rose Fulbright’s third annual Autonomous Vehicle White Paper for further information on the use of personal data in autonomous/connected vehicles in France.
Biometric data qualify as “special categories of personal data” within the meaning of GDPR and the French Data Protection Act. Unlike other personal data, they are inherent in the human body, can be communicated unconsciously and, in most cases, cannot be modified. These characteristics are why, as sensitive data, their processing is prohibited, except in a limited number of circumstances laid down in the GDPR, among which are the data subject’s express consent or the protection of the data subject’s vital interests.
In France, an additional derogation has been introduced in the French Data Protection Act. Article 8.II.9° authorizes the use of biometrics by employers for purposes of access control by biometric authentication to the premises, computer devices and applications in the workplace, if such processing is compliant with the Model Regulation recently adopted by the CNIL.[10]
The CNIL has also released several guidelines on the processing of individuals’ or customers’ biometrics, notably in relation to smartphones[11] or daily life activities.[12] The CNIL insists on limiting the risks associated with biometric processing while guaranteeing that people using them control their personal data, and its recommendations incorporate data protection principles from the design stage and by default.
No guidance relating to the processing of biometrics applied to AVs specifically has been released yet. However, the CNIL addressed the issue in relation to connected vehicles, in its compliance package mentioned above. Note that this package applies to the private use of connected cars and excludes as such the employer/employee context.
The following requirements or best practices expected by the CNIL can be inferred from the analysis of this compliance package (it being specified that these same requirements can be found in all other guidance released by the CNIL in relation to the processing of biometric data).
Local processing and local storage. The processing shall ideally be carried out at the initiative and under the control of the data subject and for private use, provided that the biometric data is stored inside the device, in a locked environment and in an encrypted way, and that, during the access control, only one chip or piece of data indicating the success or failure of the biometric recognition is transmitted. It means that no biometric data shall be transmitted to the service provider or the car manufacturer. However, they remain the controller of the data processing implemented, and specifically of the security (e.g. by limiting the possible number of authentication attempts). It also means that the driver or car user shall be able to deactivate the biometric authentication device at any time, and easily access or delete the history of biometric data (via, for example, a button inside the vehicle and/or via his computer or on-board computer).
Consent and alternative. In order to unlock, start and activate certain vehicle controls through the biometric data of the driver or car user, the CNIL considers that consent shall be the legal ground. Consent is the legal ground when an individual wishes to unlock or start a vehicle by means of a fingerprint, activate some of the vehicle controls through voice recognition or be alerted in case of drowsiness through recognition of pressure points exerted by the back of the driver or car user in the front seat. Such processing implies full control by the user over his biometric data and can only be based on consent. The requirement for full control includes that an alternative shall always be offered to the user of the biometric device.
The data subject must be provided with clear information on the biometric device and its alternative and can choose the alternative without any additional constraints or incentives. Moreover, the data subject’s agreement shall be specific to the biometric authentication, and not diluted in larger terms and conditions (or a larger privacy policy).
Security measures. Biometric data are highly sensitive data, and the CNIL requires the implementation of strict security measures, in addition to the “classic” security measures that shall be implemented in connected vehicles, in order to ensure that the authentication device is safe and reliable enough. It is therefore recommended to ensure that:
If the processing meets such requirements regarding local storage and processing, consent and alternative and specific security measures, it falls under the “household exemption” and is therefore not subject to the laws and regulations relating to the protection of personal data.
Any other processing is subject to the GDPR and the French laws and regulations on personal data, and specifically on biometrics. In this event, the car manufacturer or the service provider accessing the biometric data shall document how they comply with the applicable laws and regulations (e.g. if consent is not obtained, they shall justify why the use of biometrics is strictly necessary). A data protection impact assessment may be necessary.
Employee/employer context. Note that if the biometric device were to be used in an employee’s vehicle, it will have to be assessed whether the device at hand would fall within the scope of the CNIL’s Model Regulation on the use of biometrics by employers for access purposes to tools or applications made available at work, and as such, would have to strictly comply with all the requirements of that Model Regulation. In particular, the employer would have to justify the strict necessity of the use of biometrics in that particular context.
Deloitte, European global automotive consumer study 2019.
Act No. 2015-992 of August 17, 2015 on the energy transition for green growth.
Ordinance No. 2016-1057 of August 3, 2016 on the testing of delegated driving vehicles on public roads.
Decree No. 2018-211 of March 28, 2018 on the testing of vehicles with delegated driving authority on public roads.
Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Law n° 78-17 of January 6, 1978 relating to IT, files and liberties.
CNIL, “Compliance pack: Connected vehicles and personal data”, October 17, 2017.
Deliberation No. 2019-001 of January 10, 2019 on the Model Regulation relating to the implementation of devices aimed at access control by biometric authentication to the premises, computer devices and applications in the workplace.
CNIL, “Biometrics in personal smartphones: application of the data protection framework,” July 24, 2018.
CNIL, “Biometrics made available to individuals: what are the principles to be observed?” April 10, 2018.
French consumers are less worried about the collection and the sharing of their biometric data by connected vehicles than elsewhere in Europe.