Driverless Car Privacy, Data Security Vital, Feds Say

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Sept. 21 — Driverless car manufacturers should protect consumer privacy and minimize cybersecurity threats and vulnerabilities, federal highway safety regulators said in new voluntary guidelines.

Self-driving cars raise “more possibilities and more questions than perhaps any other transportation innovation,” Secretary of Transportation Anthony Foxx said in the guidelines released Sept. 20 by the Department of Transportation' National Highway Traffic Safety Administration (NHTSA).

Connected cars, including many driverless cars, are a part of the internet of things—the network of physical objects able to connect to other products to collect and transfer data via the web. The predicted number of connected cars by 2020 ranges from 31.8 million— estimated by Statista—to 1.5 billion— estimated by Ericsson.

Government officials and lawmakers have previously said that connected cars present real opportunities to revolutionize mobility, but there needs to be minimum privacy and security standards to increase consumer trust (15 PVLR 293, 2/8/16). The NHTSA guidelines are a step in that direction.

Monique Lance, marketing director at Tel Aviv-based cybersecurity company Argus Cyber Security, told Bloomberg BNA Sept. 21 that the guidelines “reflect the growing emphasis placed on cybersecurity within the autonomous vehicle industry yet remains broad based enough to facilitate the critical ongoing collaboration between car manufacturers, cybersecurity companies” and other stakeholders.

The Electronic Privacy Information Center said in a Dept. 20 statement that it is important that any driverless vehicle framework include real compliance obligations and an enforcement mechanism. The NHTSA said that the guidelines should provide a start towards driverless car regulations.

Minimize Cybersecurity Threats

The NHTSA guidelines suggested that autonomous vehicle manufacturers follow a “robust product development process” to minimize cybersecurity threats. It specifically recommended addressing cybersecurity issues at all levels of production.

“Manufacturers should insist that their suppliers build into their equipment robust cybersecurity features,” it said. Autonomous vehicle manufacturers shouldn't “wait to address cybersecurity until after they have received equipment from a supplier,” the guidelines said.

To improve the overall cybersecurity of autonomous vehicles, the guidelines said that “as with safety data, industry sharing on cybersecurity is important.” Companies shouldn't have to “experience the same cyber vulnerabilities in order to learn from them,” it said.

Protecting Privacy

Despite the great potential benefits of information sharing, the NHTSA guidelines said that “data shared with third parties should be de-identified.” This type of data is stripped of information that could identify the specific vehicle or user. Manufacturers need to make sure that the data is collected, recorded, shared and stored in accordance with applicable privacy and security agreements and notices, it said.

The NHTSA guidelines also highlighted the need to protect consumer privacy. To do so, the guidelines said that manufacturers' privacy policies and practices should entail the following seven elements:

  •  Transparency: provide consumers with clear, accessible and meaningful privacy and security notices or agreements incorporating the White House Consumer Privacy Bill of Rights;
  •  Choice: give autonomous vehicle owners choices about the collection, use, sharing, retention and deconstruction of data, including biometric, geolocation and behavior data that could reasonably identify the driver;
  •  Respect for Context: use collected data only for purposes for which the data was collected;
  •  Minimization, De-identification and Retention: collect the minimum amount of personal data necessary for legitimate business purposes, keep it only for as long as necessary and take steps to de-identify sensitive data;
  •  Data Security: implement measures to protect data from loss or unauthorized disclosure;
  •  Integrity and Access: maintain the accuracy of personal data and allow consumers to review and correct such information; and
  •  Accountability: take reasonable steps to make sure that data collecting entities comply with applicable privacy and security agreements or notices.

In addition to the guidance, the NHTSA released an autonomous vehicle model state policy to assist state governments considering oversight laws or regulations.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editors responsible for this story: Donald G. Aplin at ; Daniel R. Stoller at

For More Information

The “Federal Automated Vehicles Policy” is available at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security