Dedicated Short Range Communication (DSRC) is a system in which information is shared between vehicles (V2V) and between vehicles and infrastructure (V2I). In general, this technology is intended to aid the flow of anonymised information on driving conditions. It seems however that DSRC might also entail collection and processing of personal data.
Work on DSRC-related legislation, regulations and safety requirements in the context of protection of privacy is only just beginning, for instance in the US (Department of Transportation, Federal Communications Commission, Federal Trade Commission, National Highway Traffic Safety Administration (NHTSA)). Meanwhile, the automotive industry is continually making advances and is now beginning to install DSRC technology in vehicles (see B. Segalis Cybersecurity in Norton Rose Fulbright – Autonomous vehicles. The legal landscape of DSRC in the US, UK and Germany. p. 15. July 2017).
For the moment, vehicles fitted with these systems are being used on roads in Japan and the US for test purposes, but automotive companies are now in a race to be the first to announce when DSRC will be fitted in vehicles from the production line. Toyota has said that it will be marketing American cars fitted with DSCR by 2021. DSCR technology is currently used in the congestion toll collection system.
DSRC is intended to improve road safety. Vehicle-to-vehicle communication is expected to minimise the number of traffic accidents and improve traffic flow. When an obstacle causes ABS to activate in a particular vehicle, this information is sent to the vehicles within range of the system, enabling them to brake, take an alternative route, and so on. At the moment, a vehicle which has skidded or broken down poses a serious hazard to other motorists. DSRC is expected to eliminate dangers of this kind. This sounds wonderful but like most things it comes at a cost.
For DSCR to function properly, information has to be communicated almost continually, requiring transfer of thousands of units of data – and this could include personal data of drivers, vehicle owners, passengers, etc. In addition to road safety, data security guaranteed by law needs to be ensured as well. It has been pointed out that the transmitted data are anonymised, but this will not be certain until the system is fitted in vehicles. Manufacturers of vehicles and providers of cloud computing that might be used in DSRC need to consider right now how the technology can be designed to comply with data protection laws.
The GDPR will come into force a few days from now, which means that anyone using personal data has to comply with strict data processing rules in a broad range of areas, at least under the European legal system. If automotive companies keep their promises and vehicles do communicate with each other in a few years from now, the entire DSRC system will have to be designed so that personal data are truly excluded from the information passing between vehicles, or are completely anonymised. If this does not happen, firms will have to ensure that personal data collected when information is drawn from the surroundings and from other vehicles are processed securely. Failure to comply could lead to severe penalties for breaking personal data protection rules.
Data protection liability issues will not arise if DSRC (perhaps using AI) can separate data of this kind from other data needed to achieve the objective, i.e. information about the road surface, accidents, or a hazardous object. This may be hard to achieve because the access that can be gained to personal data using for example smartphones means that data can be collected even unintentionally.
One idea is Toyota’s Intelligent Transportation System (ITS). This system makes a pedestrian carrying a smartphone who is in a driver’s blind spot visible to a vehicle because the ITS communicates with the telephone and notifies the driver. This is especially important for the safety of children and of adults who have their eyes glued to their phones. In communication of this kind, however, data on a telephone can be captured. There have been cases of vehicle software being hacked – cybersecurity specialists took over remote control of a Jeep. One can only imagine the problems that arise with jurisdiction, determining the perpetrators of activities of this kind, and other issues.
If separation of this kind is not possible, manufacturers of innovative vehicles will be forced to address a range of data processing liability issues, as even the mere collecting of data constitutes processing. Under the GDPR, data must be processed as stipulated by law and in a manner which ensures that personal data are processed securely.
Legal compliance is assured in the situations described in Art. 6(1) of the GDPR. If personal data are processed as a result of vehicle-to-vehicle and vehicle-to-infrastructure communication, compliance with any of the requirements will present a major challenge to manufacturers. Art. 6(1)(a) is an example – processing shall be lawful if the data subject has given consent. The consent procedure has to enable the processor to demonstrate that consent has been given in practice and in an informed manner. Special requirements for consent are provided for with respect to children (up to 16 years of age) – consent is given by the holder of parental responsibility.
At this point the question arises of the procedure for obtaining consent. Leaving aside the onerous nature of that procedure, consent can be obtained from the owner, driver, or passengers. For example, the system could request consent from the driver and passengers at the beginning of a journey, but what about data of people a vehicle passes on the street, on a pedestrian crossing, or in a car park (for example information about the number of spaces available for other vehicles). What about compliance with the requirement to obtain consent with respect to children playing in the street when this information is communicated to other vehicles for safety reasons?
For giving consent or for processing under Art. 6(1)(b) (necessary for performance of a contract) the existence and declaration of intent of the data subject is required. Vehicle traffic proceeds so rapidly that in most cases processing will take place without those concerned, i.e. passers-by, expressing that intention.
It might be possible to process data in DSRC on the grounds of the vital interests of the data subject (Art. 6(1)(d) of the GDPR). In recital 46 of the GDPR, EU lawmakers state that processing should be based on the vital interest of another natural person where processing cannot be based on any other legal grounds. These are interests which are important for the life of the data subject or another natural person. The objective of data processing in DSCR would qualify in this respect, while this would not apply to processing of special categories of personal data. It is possible that special categories of data would also be captured by DSRC.
Automotive companies will have to comply with a range of GDPR requirements such as the obligation to disclose that the data are processed (art. 13-15 of the GDPR), the obligation to implement appropriate security measures (art. 32 et seq. of the GDPR) or for instance the obligation for the controller to demonstrate compliance with GDPR personal data protection rules.
The question also rises of who in fact is the data controller. Is this the automotive company that installs the DSRC and uses the data obtained by the system, or the cloud computing provider, if used during this process? In this case is there a processor? It is unlikely that only one entity in this scenario would use personal data. Therefore a lot of additional issues would arise relating to outsourcing, compliance with legal requirements by other entities, etc.
This could have adverse effects on our privacy and automotive companies’ accounts, but even at the moment our data are frequently processed in an uncontrolled manner, and we accept this for the sake of convenience. We need to remain aware however and not place responsibility for our safety solely in the hands of computers and algorithms.