MoFo Privacy Minute
The development of connected and automated (“self-driving”) cars has been the focus of rising regulatory activity in Germany. The Federal Commissioner for Data Protection in Germany (“Federal Commissioner”) and a high-level commission appointed by the German government have separately issued recommendations on the legal and ethical implications of automated driving technology, respectively. Both documents, published in June 2017, are expected to inform the decisions of lawmakers and regulators, but are not directly binding on lawmakers, regulators, or companies. (The authority of the Federal Commissioner in the private sector is limited to providing information to the public.)
The Federal Commissioner stressed the importance of transparency and data minimization: Users should have easy access to their data to understand what personal information has been collected (for example via a monitor on their dashboard), including where data will be collected with their consent. Users should also be provided with a simple tool to delete data (e.g., by switching the software back to factory settings). The Federal Commissioner urged manufacturers to develop products following the privacy-by-design and privacy-by-default principles, and to collect data only where necessary or anonymize the data. In particular, images of a car’s outer surroundings should be deleted as soon as they are no longer required for the purposes for which they were recorded. The Federal Commissioner also highlighted the importance of data safety and stressed that software must be designed in a way that prevents unauthorized access and guarantees reliable protection against cyber-attacks.
Meanwhile, the commission appointed by the Federal Minister for Transport published a report on the ethical aspects of automated driving. The commission is comprised of a group of renowned experts from industry, science, and the judiciary who have identified 20 rules with a focus on accountability and liability issues arising in accident and manipulation scenarios. Amongst those rules, the commission stressed that IT systems must be designed in a way that prevents manipulation, in particular where such manipulation may undermine trust in road traffic. The report also suggests that drivers’ consent to the processing of their data should only be deemed voluntary if drivers are offered a “practical alternative” to the processing of their data.