Earlier this month, Covington’s Brussels, Frankfurt and London offices hosted a webinar on EU regulatory developments impacting connected and automated vehicles (CAVs). The seminar attracted participants from across the globe, predominantly from tech and automotive industries. This post features an overview of the introduction, and sections on data access and competition, data protection and cybersecurity. Part 2 will focus on other important CAV areas in the EU.

Kevin Coates (Brussels) began with a summary of the basic EU regulatory framework for CAV, including both long-standing and recently updated laws, and more recent developments. He explained the EU’s official recognition of the benefits of CAVs and the different levels and features of driving automation. Kevin concluded with highlights of the new Commission’s CAV aspirations, as reflected in the Mission letter from President Ursula von der Leyen to the then-Transport Commissioner Designate.

Marty Hansen (London) then discussed the EU’s regulatory regime relating to CAV-generated data. He noted that, as vehicles become more connected and automated, they will generate increasing amounts of data, and that consumers may want to share that data for numerous reasons, including for increased safety, better routing information, access to driving-related services, etc. This raises important considerations, including on: (1) data access and competition; (2) data protection; and (3) cybersecurity.

In relation to data access and competition, the EU’s regulatory focus has been on two broad types of data:

  • vehicle data needed to ensure safe driving, such as between vehicles on the road; and
  • vehicle data to which third parties may need access in order to provide relevant services.

On the latter, the key EU regulatory concern is ensuring that third-party service providers can operate on a “level playing field” with vehicle manufacturers. Marty noted that the EU is already exploring legislative proposals to encourage business-to-business (B2B) and business-to-government (B2G) data sharing generally, flowing from the Commission’s broader Digital Single Market strategy. Since the new Commission has not yet been formed, it is difficult to say how these legislative proposals will evolve in relation to CAVs. The new Commission President has put an emphasis on strengthening the EU’s role in setting global regulatory standards and the need to invest in EU-wide common data spaces and standard setting, so we can expect to see further developments in this area.

In terms of sharing vehicle data with third-party providers, most of the focus currently is on three distinct models: (1) the data server platform model, where vehicle manufacturers transfer vehicle data to an off-vehicle server and third parties access the data from that server; (2) the in-vehicle interface model, where third parties obtain data directly from the vehicle through an application programming interface, but their applications run off-vehicle; and (3) the on-board application model, where third-party applications run directly within the vehicle. Siobhan added a few explanations on competition law and data: examining the situations where it may or may not be possible for third parties to demand access to another undertaking’s data set in the CAV context, and the legal framework for the co-operation and the sharing of data between CAV competitors in the interests of innovation and R&D.

Sam Choi (London) then gave an overview of the data protection and cybersecurity issues that could be relevant to CAV-generated data. The EU’s General Data Protection Regulation (GDPR) applies to any processing of personal data, including those from CAVs. The key data protection issues that may be relevant to projects involving CAV-generated data include: privacy by design and default, accountability, legal bases for processing, individuals’ rights, and data sharing. In particular, organisations using CAV-generated data should ensure that privacy-enhancing technologies are embedded into the design of the product or service at the outset. Organisations should also make sure that they have legal bases for collecting, using and storing the data, and for complying with individuals’ rights (which include the right to erasure, right to data portability, and the right to object to automated decision-making).

Data Protection Impact Assessments (DPIAs) provide a useful tool for organisations to identify and mitigate privacy risks for new, innovative products, and could be useful (or in some cases, may be mandatory) for projects involving CAV-generated data. The GDPR introduces high fines for non-compliance, and data protection authorities have announced some large fines since it started to apply in May 2018 ­– demonstrating the importance of keeping personal data secure and processing it lawfully.

Sam also gave an overview of the cybersecurity considerations that could apply to CAV-generated data. To the extent that such data is personal data, the GDPR provisions on data security and personal data breach notification requirements apply. In addition, the Network and Information Systems Directive 2016/1148 (NIS Directive) may also be relevant, as operators of intelligent transport systems are identified as “operators of essential services,” who are subject to certain security incident reporting obligations. Specifically on connected vehicles, the Commission’s C-ITS policy includes a common security and certificate policy for secure communications between vehicles and infrastructure for road safety and traffic management messages.

Finally, the Commission’s new EU Cybersecurity Act, which entered into force on 27 June 2019 created a cybersecurity certification scheme framework, under which the EU may adopt a CAV-specific scheme. In the CAV context, cybersecurity has been identified as being directly relevant to safety, and there has already been a lot of industry attention on this topic. We expect to see further industry engagement with EU policymakers to create robust frameworks in this space.

The webinar wrapped up with a question and answer session, and in closing Kevin introduced Covington’s new Online CAV Toolkit, which is now available on our website to help clients safely harness the forthcoming opportunities in this exciting and evolving space.

This blog is part of Covington’s CAV series, which covers developments across the globe. Part 2 of this post will be available shortly. Other recent CAV posts include:

Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.