European Commission Expert Group Issues Connected And Automated Vehicle Privacy Recommendations


In Short

The Development: The report “Ethics of Connected and Automated
Vehicles” (“Report”) presents the
work of an independent European Commission Expert Group established
to advise on specific ethical issues raised by connected and
automated vehicles (“CAVs”). The Report aims to support
stakeholders in the systematic inclusion of ethical considerations
in the development and regulation of CAVs.

The Background: The Report sets forth 20
ethical recommendations (“Recommendations”) concerning
the future development and use of CAVs, grounded in the fundamental
ethical and legal principles laid down in the EU treaties. The
Recommendations cover three important areas in the context of CAVs:
(i) road safety, risk and dilemmas; (ii) data and algorithm ethics;
and (iii) responsibility.

Looking Ahead: Stakeholders will need to
adhere to ethical principles, social needs and values. This may be
achieved by bringing the Recommendations to specific policy or
industry domains, defining the terms and time of a feasible
implementation, and identifying the specific tools needed to
translate them into effective policies and practices. In Europe,
the Cooperative, Connected and Automated Mobility
(“CCAM”) Single Platform and in particular
the future European Partnership on CCAM will play an important role
in following up on the Recommendations.

The independent European Commission Expert Group’s Report
makes 20 recommendations on the ethics of CAVs, set forth within
three main chapters: (i) road safety, risk and dilemmas; (ii) data
and algorithm ethics; and (iii) responsibility. The Recommendations
are intended to contribute to the responsible acceleration of
progress toward a safer, cleaner and more efficient European
transport system, provide guidance to policymakers in the
development of regulations and topics, give confidence to
manufacturers and deployers in the development of CAV technology
and provide direction to researchers toward productive areas of
study associated with CAVs.

The Recommendations are made actionable for three stakeholder
groups: (i) manufacturers and deployers (e.g., car manufacturers,
suppliers, software developers and mobility service providers);
(ii) policymakers at national, European and international agencies
and institutions, such as the European Commission and the EU
National Ministries; and (iii) researchers at universities,
research institutes and research and development departments.
Although the Recommendations are not the position of the EU
Commission itself, they should be closely observed and taken into
account. They may well be seen as a basis for further industry
standards, policies and legislative initiatives in the development
and regulation of CAVs.

This Commentary highlights and describes the
most significant Recommendations in the field of privacy and data
protection, including possible outcomes for relevant
stakeholders.

Report’s Recommendation on Privacy and Data Protection

CAV operations require the collection and use of great
volumes and varied combinations of static and dynamic data relating
to the vehicle, its users and the surrounding environments.
According to the Report, data subjects, therefore, need to be both
protected and empowered, while vital data resources need to be
safeguarded and made accessible to specific actors. In order to
strike a balance between protection and empowerment, the Report
determines in its Chapter 2 “data and algorithm
ethics” the Recommendations on privacy and data
protection.

Establishing a Valid Legal Basis: Requirements of Free,
Informed and Explicit Consent in the Context of CAVs

With regard to establishing a valid legal basis for processing
of personal data of CAV users, the Report emphasizes that CAV users
should be able to effectively assert and exercise control over
their personal data at all times. The Report points out that in the
event that manufacturers and developers would like to collect
personal data for purposes that are not necessary for the proper
functioning of a CAV (such as, for example, (i) advertising; (ii)
provision of mere convenient CAV functionalities; (iii) selling
products to the CAV users; or (iv) sharing data with third
parties), personal data should only be processed on a voluntary
basis. According to the Report, all terms and conditions for
providing data to others should adhere to free, informed and
explicit consent. The Report concludes that otherwise, if no other
legal basis can be established, such processing of personal data
should be prohibited.

  • The Report says that manufacturers and deployers should inform
    CAV users about the consequences if they do not agree to share
    their personal data. The data subject’s objection to collecting
    or sharing of personal data that is not necessary for the proper
    and safe operation of the CAV must not result, however, in a de
    facto refusal of service. Therefore, the Report concludes that
    stakeholders should work together toward formulating more nuanced
    and alternative approaches to consent-based user agreements for CAV
    services.

  • According to the Report, those alternative approaches should go
    beyond “take-it-or-leave-it” concepts of
    consent. They should include active and continuous consent options
    to enable consumer choice. Industry standards also should offer
    robust data protection without relying solely on consent. Because
    Article 7 of the General Data Protection Regulation
    (“GDPR”) prohibits forced consent, manufacturers and
    deployers, especially mobility service providers, should therefore
    offer consent management tools.

  • The Report points out that alternative concepts or options of
    consent procedures need to be further explored and developed. An
    ethical alternative to the “take-it-or-leave-it”
    concept of consent could be to use data management systems with
    appropriate software tools that allow data subjects to choose
    strategies for handling their data. Those tools would eliminate the
    impractical requirement for data subjects to give separate consent
    on every issue of data use and also ensure greater data control,
    traceability and transparency.

  • Moreover, the Report concludes that manufacturers and deployers
    ought to facilitate data subjects’ control over their personal
    data by providing specific mechanisms and tools to exercise their
    rights. Those rights include data access, rectification, erasure
    and restriction of processing. Depending on the particular legal
    basis of the processing, data subjects may have the right to object
    or right to data portability (e.g., transferring data to another
    service provider).

Providing Sufficient Information: Developing New Transparency
Strategies

As the Report says, mobility-induced conflicts of interests are
largely unavoidable due to the need for CAVs to move through public
spaces. This may lead to intentional but nonconsensual monitoring
of public spaces, collecting of traffic-related data, and use for
potential research and development as well as use for public
matters.

Therefore, the Report recommends the development of new and
creative transparency standards (e.g., via textual, visual, audio
and haptic elements) to communicate and mitigate privacy risks
effectively to data subjects and to inform them about data
protection rights (e.g., opt-out, deletion of personal data, data
access, recourse mechanisms, alternate routes and point
destinations).

In addition, the Report points out that policymakers should work
with manufacturers and deployers to develop meaningful,
standardized transparency strategies to inform road users of data
collection in a CAV operating area that may, directly or
indirectly, cause risks to their privacy. This includes digital and
near “real-time” updates for road users who are
approaching zones where collection of potentially privacy intrusive
data may occur. In-vehicle or wearable smart-device displays,
audio-visual aids on roads (e.g., street signs, flashing icons,
beeping sounds), or other minimally privacy-invasive communication
modes with textual, visual, audio or haptic elements could
communicate that risk. This would allow the communication of
privacy risks and data protection rights to a wide and diverse
audience.

Facing New Privacy Risks: Data Protection at Group Level

The Report also identifies a new, significant privacy risk
arising from the collection, assessment and sharing of nonpersonal
data, third-party personal data and anonymized data.

Machine learning algorithms are able to infer personal private
information about data subjects based on nonpersonal, anonymized
data or personal data from group profiles. However, those data may
not be subject to data protection rights. A particular challenge
lies with the protection of privacy when multiple data subjects are
involved (e.g., driver, pedestrian, passenger or other drivers).
This raises the question of who should be granted rights regarding
data that concern various data subjects at the same time.

Therefore, the Report recommends that policymakers should
develop legal guidelines that protect data subjects’ rights
already at group level (e.g., driver, pedestrian, passenger or
other drivers’ rights). Those guidelines should outline
strategies to resolve possible conflicts between data subjects that
have claims regarding the same data (e.g., location data, computer
vision data), or to resolve disputes between data subjects, data
controllers and other parties (e.g., insurance companies).
Furthermore, the Report states that policymakers should develop new
legal privacy and data protection guidelines to govern the
collection, assessment and sharing of nonpersonal data, third-party
personal data and anonymized data, if these are likely to pose a
privacy risk for individuals.

Other Relevant Guidance on CAV Privacy Issues: Adoption of EDPB
Draft Guidelines 1/2020

On 9 March 2021, the European Data Protection Board
(“EDPB”) adopted a final version of its draft guidelines on
processing personal data in the context of CAVs and mobility-related
applications (“Guidelines”). In contrast to
the Report’s more general ethical Recommendations for
stakeholders, the Guidelines focus on the nonprofessional use of
CAVs. The Guidelines provide specific examples of high-risk data
processing activities and related compliance steps, including in
relation to legal basis, retention, security and information
requirements. In addition, the Guidelines cover compliance and
integration of CAVs within the existing legal framework of the GDPR
and the ePrivacy Directive.

Five Key Takeaways:

  1. Although the current Recommendations are not the position of
    the EU Commission itself, the Report emphasizes that they may be
    seen as a basis for further industry standards, policies and
    legislative initiatives in the development and regulation of CAVs.
    Stakeholders should monitor these and future Recommendations to
    anticipate future developments and regulation.

  2. To be able to obtain valid consent, stakeholders have to
    identify which processing of personal data is absolutely necessary
    for the proper and safe operation of CAVs and differentiate such
    essential processing from other optional or
    “nice-to-have” processing activities.
    Manufacturers and deployers, especially mobility service providers,
    are encouraged to offer consent management tools.

  3. According to the Report, the data subject’s objection to
    collecting or sharing of personal data that are not necessary for
    the proper and safe operation of the CAV must not result in a de
    facto refusal of service. This issue will need more nuanced
    approaches to obtain valid consent. Those approaches should go
    beyond “take-it-or-leave-it” alternatives.

  4. CAVs have the potential to pose significant privacy risks also
    with regard to nonpersonal data and data at group levels. This
    development could lead to nonpersonal data also coming under the
    spotlight of future developments and regulation of CAVs.

  5. The Report encourages policymakers to work with manufacturers
    and deployers to develop meaningful, standardized transparency
    strategies to adequately inform affected data subjects of data
    collection in a CAV. It advises new creative and active information
    systems that go beyond providing written information and exceed
    current standards.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.


