On Wednesday, September 6, the U.S. House of Representatives unanimously passed H.R. 3388, the SELF DRIVE Act (the “Act”). While the Act’s primary purpose is to preempt state laws that regulate automated vehicles, and instead to have such vehicles regulated exclusively under federal law, it also includes provisions governing cybersecurity and privacy practices for self-driving carmakers and their suppliers.
With respect to cybersecurity, the SELF DRIVE Act would prohibit the sale or import of a highly automated vehicle (“HAV”), a vehicle that performs partial driving automation (“VPDA”), or an automated driving system (each as defined in the Act), unless its manufacturer has adopted a cybersecurity plan. All such plans must address the identification, assessment and mitigation of reasonably foreseeable vulnerabilities, and plans for HAVs and VPDAs must also cover preventative and corrective actions for vulnerabilities. The Act also provides for the Department of Transportation to prepare a regulatory plan for highly automated vehicles and specifically authorizes the plan to address “process and procedure standards for software and cybersecurity as necessary.” Thus, security expectations for the autonomous vehicle industry should come into better focus if the Act is enacted.
The Act would impose similar privacy requirements, requiring sellers or importers of HAVs, VPDAs, and automated driving systems to develop a privacy plan covering collection, use, storage and sharing of information about vehicle owners or occupants. The privacy plan must also address owners’ and occupants’ choices with respect to these practices, to minimization and de-identification practices, and also to forward transfer practices. The requirements do not apply to information that is altered or combined so that the data subject can no longer reasonably be identified, nor would they apply to information about vehicle occupants (but not vehicle owners) that is anonymized or encrypted. The Federal Trade Commission would have authority to enforce these privacy plan requirements.
The Act defines “highly automated vehicle” as “a motor vehicle [other than a commercial motor vehicle] equipped with an automated driving system.” “Automated driving system,” in turn, means “the hardware and software that are collectively capable of performing the entire dynamic driving task [as separately defined] on a sustained basis, regardless of whether such system is limited to a specific operational design domain [as separately defined].” Finally, the term “vehicle that performs partial driving automation” is not separately defined, except to specifically exclude commercial motor vehicles.
Following the House’s vote, the SELF DRIVE Act has now been referred to the Senate Committee on Commerce, Science, and Transportation. To view a copy of the Act, click here.