Until now, the concept of a driverless car has
been causing automotive regulators around
the world considerable difficulty. This is
because the very concept of a driverless car
overturns some very basic assumptions
about how vehicles should function, and who
is responsible for their behaviour. Whilst
systems like cruise control, self-parking and
automatic braking are now well established,
they all presuppose that a human driver
remains in control, and retains overall
responsibility for the vehicle. However, this
is now all set to change.
In February of this year, the National
Highway Traffic Safety Administration in the
US (arguably, the world’s most stringent
automotive regulator) legalised the use of
Google’s driverless car and numerous trials
of similar vehicles are taking place around
the world, including here in the UK. Whilst
there are still regulatory obstacles in many
parts of the globe, the world’s automotive
regulators have now fully woken up to the
fact that the traditional assumption that a
human has to be in control of a vehicle can
no longer be sustained in the face of ever
advancing technology.
With road to the fully legalised use of driverless cars now opening up, the vehicle industry is set to be
transformed by the digital revolution with vehicle manufacturers becoming more like IT companies and
with some IT companies such as Apple and Google experimenting with the idea of developing and
producing their own connected vehicles.
Background
The concept of connected vehicles started many years ago with systems such as anti-lock brakes, air bags,
electronic stability control, electronic distance control, electronic parking and so on. As such a concept of
connected vehicle may incorporate varying levels of automation from vehicles that incorporate some
automated features to vehicles that will be able to drive themselves in all conditions without any input
from the driver apart from setting the ultimate destination. As our vehicles become fully connected, our
vehicles are set to become massive mobile computers.
It is expected that 90% of all cars which are sold by 2020 will incorporate some degree of built in
connectivity. All of these vehicles, regardless of whether or not they are fully driverless will be generating,
processing and sending vast amounts of data over the internet and whilst on the move. Perhaps the crucial
factor in all of these developments is the fact that the connected vehicles of the future will all be connected
to the internet. As such, rather than each vehicle representing a closed computer system, each vehicle will
be connected to each other and all manner of external systems and data sources via the internet. This, in
turn, gives rise to significant new commercial opportunities and, sadly, new risks. In this new world, all
manufacturers of vehicles and automotive components need to be aware of revolutionary impact of
digitisation on their industry as do all companies who will now be able to supply a myriad of new
communications and software based applications and services to the automotive sector along with any
business which sees the connected car as a new market opportunity.
These opportunities and risks are numerous and complex in terms of commercial, technical and legal
issues. In addition, given the fast moving nature of the technical developments, it is also clear that the law
is not keeping up in a number of crucial areas. In the following sections, we discuss some of the
opportunities and risks associated with driverless vehicles.
Commercial
The development and sale of connected vehicles is already opening up a vast array of new commercial
opportunities. For example, vehicle manufacturers will need to enter into new contracts with the providers
of all manner of applications and IT enabled components along with the providers of cellular services,
platforms, cloud, data centre and data evaluation services which will be required to support the required
connectivity between all connected vehicles. In addition, all connected vehicles will need to be interacting
and sharing information with many providers of traffic management services and a myriad of other
information services. Also, virtually all providers of mechanical components which are used in the drive of a
vehicle will need to invest in the development of electronically enabled components which can be
incorporated into the connected vehicles of tomorrow.
In all of this, all manner of new relationships will develop between vehicle manufacturers and technology
suppliers, with potential mergers and alliances between companies in both sectors. Here, the likes of
Google and Ford who are reported to be close to announcing a joint venture to produce connected vehicles.
In addition, with so much new technology being developed for connected applications, manufacturers
should give proper consideration to seeking to patent any inventions. This, in turn, will result in
considerable licencing opportunities whilst, at the same time, there is debate around the subject of
whether or not certain core technology should be made available on an open source basis given critical
importance of reliable communication between different connected vehicles.
The way in which vehicles are sold and used is also set to change radically. Partly as a result of the need to
ensure that all connected vehicles are properly protected against cyber-attack and partly because
connected cars can be used by multiple users, manufacturers may consider making connected vehicles
available to customers on a pay as you go basis. This, in turn, may mean that tomorrow’s vehicle user
simply has the opportunity to have access to a connected vehicle of a particular type rather than owning
their own vehicle for their own personal use. Looking at this from another angle, the concept of a
connected taxi is also being trialled in the Far East. Perhaps more worryingly for vehicle manufacturers is
the risk that more people will be willing to share a connected vehicle with other users. Here,
“Transportation as a Service” is a distinct possibility but this, in turn, may well mean that vehicle sales will
reduce as sharing increases.
It will also be possible for all manner of companies to send messages to the users of connected vehicles
promoting this or that service or attraction to the occupants of a connected vehicle in the hope that those
individuals may be tempted to go to a particular shop or venue. In addition, there be numerous
opportunities to provide on-line connectivity and entertainment to the users of connected vehicles whilst
they are being driven. The possibilities, subject to data protection consents, for all manner of services are
endless as are the commercial opportunities for the manufacturers of connected vehicles to earn significant
revenue from all manner of commercial arrangements with both advertisers and the providers of
communication and entertainment service. In tomorrow’s world, the features of a vehicle which drive its
market price and profitability may have more to do with the technology that is available for use whilst
being “driven” than in the outright performance of the vehicle. This, in turn, will have a fundamental
impact on the way in which manufacturers seek to differentiate their vehicles. Whilst this is a sad thought
for those who love driving, in a world of huge development costs and slim margins, these new revenue
source will be hugely welcomed by many vehicle manufacturers.
Data
Clearly, given the importance of data to connected vehicles, the data protection ramifications are
potentially critical. However, as things currently stand, the extent to which personal data needs to be
shared between connected vehicles, the vehicle manufacturers and all service providers will require some
very careful consideration and, in all likelihood, dialogue with regulators around the world. Whilst the
recent opinion of Article 29 Opinion of EU Data Protection Working Party in relation to the Internet of
Things may be relevant, a few questions to consider will still need to be considered, For example:
a) what sort of data may be generated, stored, processed and used by connected vehicles?
b) of all of the data which a connected vehicle will create and process, which of that data can be used
to identify a living individual? Here, a connected vehicle’s unique identifier will certainly be personal
data along with any information that can be associated with that unique identifier.
c)
how will users of a connected vehicles consent to collection of their personal and, particularly,
sensitive personal data? Do separate consents need to be given by each “driver” of a connected
vehicle before they use that connected vehicle?
d) who is responsible for protecting the data generated by a connected vehicle?
e) who is the data controller and who are the data users of the data which is generated bu a
connected vehicle– the vehicle owner, the manufacturer or a service provider?
f)
what about the data which is collected about other connected vehicles which are interacting with
each other?
g) who needs to have access to this data and for what purpose? – for example, the connected vehicle
and component manufacturers, dealers and communication service providers will need to access
certain personal data in connection with the operation of the connected vehicle but not more
widely;
h) to what extent can data which is created by a connected vehicle be shared with third parties – for
example law enforcement agencies and insurance companies (or the manufacturers themselves if
they are self-insuring) will be keen to understand how and where connected vehicles are actually
being used. In addition how and where connected vehicles are driven will provide endless
opportunities to profile users for marketing purposes;
i)
which data should be anonymised and, if so, how?
j)
what levels of security need to be applied to personal data collected by a connected vehicle?
k) how will cross border issues be used when connected cars are used in multiple countries
particularly if this involves non EU countries?
Communications Services
Moving on from data protection itself, the manufacturers of connected vehicles will need to consider how
they structure their contracts with the providers of all communication services which are required for the
connected vehicles to operate. Here, it will be necessary to consider whether the connected vehicle
manufacturer becomes the provider of a regulated telecommunications service because of the way in which
its contracts with the communication services providers are structured. This is because each connected
vehicle will, like a mobile phone, have its own unique identifier and SIM which will constantly be sending
and receiving messages whilst on the move. As a result, much thought will need to be given to the
contracts between the manufacturers of connected vehicles and the communications providers. In addition,
concerns over network black spots will have to be resolved alongside ensuring that our networks can cope
with all of the new data that will be shared between connected vehicles. In all of this mix, regulatory
notification and compliance issues which will need to be considered depending on the contractual
arrangements between the manufacturer of the connected vehicle and the communications service
provider as will the related risk and compliance sharing obligations between these companies.
Security
The biggest concerns regarding connected vehicles relate to are the vehicles safe to use and how
vulnerable are they to cyber security. Whilst vehicles have incorporated computer system for many years,
these systems have been closed systems. However, the connectivity required to make connected cars work
opens them up to the Internet and, as a result, connected vehicles become the targets of cybercrime.
Sadly, this has already happened. Here, it is one thing for a hacker to steal data from a bank or retailer
but quite another for a hacker to get into the systems of a connected vehicle and then to influence the
drive of the vehicle or to ransom users to pay over money before the criminal unlocks the vehicle for use.
Just imagine the horrors of a connected vehicle manufacturer suffering a cyber-attack which results in all
of its vehicles suddenly accelerating, swerving or braking in an unexpected manner. All of this brings
concerns and questions regarding:
a) how to make connected vehicles secure from cyber-attack with particular focus of potential weak
spots? For example, most connected vehicles will incorporate legacy systems (including
infotainment systems) which will not have been designed with cyber security in mind;
b) the risk to manufacturers of connected vehicles and systems in relation to potential claims for the
death and personal injury of users of their products. Whilst vehicle manufacturers have been
dealing with the deep ramifications of product liability laws and recalls for many years, these risks
increase significantly with connected vehicles. This is because any accidents between connected
vehicles will, in most cases, be a manufacturer issue rather than a driver issue. Here, the providers
of software and communications services which are used in connected vehicles will need to become
accustomed to operating in this environment. In the future, just issuing a patch and hoping that
users down load it will just not suffice.
c)
how to comply with ever increasing cyber security regulations which are likely to vary between
countries?
d) how best to develop and manage systems to mitigate against the risk of data loss, whether as a
result of systems design, disaffected staff of cyber-attack alongside well considered crisis
management plans which will help to minimise the concerns of affected users.
Product Liability
Product liability law places an onus on the producer to ensure that their product is safe. This means that
the absence of technical regulations governing how driverless systems should work is not, as some might
suppose, a barrier to new technology, but in practice means that producers must take on a more onerous
burden in ensuring the safety of the products they place on the market. This, in turn, will mean that
manufacturers must also take great care to warn consumers of what they need to do to ensure that they
remain safe whilst using a driverless vehicle. This, in essence, is no different to any other product.
However, the challenge will, no doubt, be how all of the necessary instructions and warnings are
communicated whilst the connected vehicles will have to build in significant safety features that will detect
any issues with the vehicles communications technology. In addition, users of connected vehicles will still
need to accept that accidents will happen. For example, if a person steps out in front of a connected
vehicle, the chances are that they will still be hit because the connected vehicle will have no time to react.
In other cases, it may be that the connected vehicle needs to evaluate the least bad outcome in
circumstances where an accident of one sort or another cannot be avoided. In all of this, whilst the
rewards may be great, so are the risks and businesses entering this area should do so with their eyes wide
open.
Insurance
Many difficult issues remain to be resolved in relation to insurance and who is responsible for any accidents
and any associated product liability issues. Much will depend on whether the “driver” is in control. This is
clearly the case with a traditional vehicle and will not be the case with a fully connected vehicle. However,
there remains much debate over who is at fault in the event that a highly automated vehicle is involved in
an accident. The questions become even more complicated when trying to unpick issues of liability
between the providers of software and the providers of communications services. There is also
considerable debate in the market as to whether the manufacturers of connected vehicles offer (or may
even be required by law) to put insurance in place to cover the risks associated with technological defects
and cyber-crime.
Conclusion
Clearly, connected vehicles will become a reality. As companies race to develop these vehicles, much
thought will need to be given to how the resulting commercial opportunities are maximised whilst ensuring
that all of the risks are considered and managed. This will, in turn, require both dialogue between industry
and the regulators alongside the development of driverless systems which are safe to use. Nowhere will all
of this be more the case than with the increasing overlap between tomorrow’s automotive, communications
and technology industries.
For more information, contact:
Simon Jones
Partner: Head of Automotive Group
+44 113 200 4049
[email protected]