White & Case Technology Newsflash
The development of autonomous vehicles has attracted significant attention in recent years. The technologies being used in order to enable vehicles to navigate without human assistance include established navigation tools such as GPS, and less well-known innovations in the field of navigation, such as LiDAR, which uses light to measure the distances to nearby objects. One technology that has been making great strides is the use of AI-driven automated object recognition through video data. The development of this technology requires the collection of a vast volume of video data, taken from all manner of driving scenarios, in order to train the AI systems to accurately recognize pedestrians, stationary objects, other vehicles, and so on.
An increasingly common method of collecting such video data is to fit vehicles with dashboard-mounted cameras (dashcams), located at the front or rear of the vehicle, to continuously record the visible objects around the vehicle. Dashcams are commonly mounted on vehicles (not just autonomous vehicles) and are used for other purposes beyond development of autonomous driving technology (notably for recording traffic so that the footage can be provided to law enforcement and/or insurers in the event of an accident).
The collection of such data is essential to the development of autonomous vehicles, but it also results in the collection of a large volume of data that could be used to identify individuals. When combined with other technologies, such as facial recognition algorithms, the video data collected through dashcams provides a significant amount of information about identifiable individuals. In particular, the video data collected via dashcams could provide details on the location and activities of any individuals who are visible to the vehicle at a given point in time. As a result, some commentators and authorities are concerned about the privacy impact of the widespread use of dashcams.
The legal landscape
In the EU, the collection and use of information about identified or identifiable individuals (personal data) is regulated by the General Data Protection Regulation (GDPR). In the context of dashcams, video data in which individuals are recognizable amounts to personal data for GDPR purposes. When a business decides to use personal data for purposes such as developing new technologies, it becomes subject to a number of GDPR compliance obligations. In particular, unless an exemption applies, the GDPR requires that business to have a valid legal basis for each of its data processing activities.
Under Article 2(2)(c) of the GDPR, there is an exemption for the processing of personal data for purely personal or household purposes, and one might imagine that this exemption would apply to the collection of video data recorded from within a private vehicle. However, the Court of Justice of the EU (the CJEU) has previously held that this exemption does not apply to video data that captures events in a public space, even where the camera itself is located on private property.
Under Article 89 (and Recital 159) of the GDPR, there is an exemption that permits the processing of personal data for scientific research purposes. The Bavarian Data Protection Authority has indicated that it considers that the use of dashcams for the purposes of research and development of autonomous vehicles could fall within this exemption. However, it should be noted that there is no pan-EU consensus on this point at this stage. Moreover, the Bavarian Data Protection Authority has advised businesses that dashcam video data used for these purposes should be anonymized promptly after collection (e.g., using algorithms to automatically blur out faces of individuals before the data are used for any analysis or development purposes). In addition, this exemption does not cover every purpose for which a business might wish to use video data—it only applies to research and development purposes.
- Legal bases for processing personal data:
For any activity that falls outside the narrow scope of the research exemption, businesses are likely to need a valid legal basis under Article 6 of the GDPR. The legal basis that is most likely to be available in the context of dashcams is known as "legitimate interests." This legal basis applies where a business has a legitimate business reason for processing the personal data, and that interest is not overridden by the rights, freedoms or interests of the affected individuals. A business that wishes to rely on legitimate interests therefore needs to perform a balancing test, to weigh its interests against those of the affected individuals.
In its Guidelines 3/2019, the European Data Protection Board (EDPB) provides some examples of how this balancing test applies. For instance, video data recorded in heavily populated areas likely pose greater privacy risks than video data recorded in more remote areas. The lower the risks to individuals, the easier it is for businesses to justify their collection of video data via dashcams. However, the Guidelines also adopt some positions that are impractical. For example, when discussing the use of dashcams to record video data for the purposes of providing evidence in the event of an accident, the Guidelines indicate that such recording should not operate on a continuous basis. The Guidelines fail to address the question of how a dashcam user is supposed to know when an accident is going to occur, and start recording. As a result, businesses using dashcams should be careful to obtain clear legal advice rather than blindly following regulatory guidance—noting that such guidance is not legally binding.
- The obligation to provide notice:
Any business that processes personal data has a mandatory obligation to provide certain information to affected individuals. Many businesses provide this information to third parties with whom they interact (e.g., consumers, job applicants, etc.) through an online privacy notice. However, a business using dashcams typically has no direct relationship with the individuals who may pass through the dashcam's field of view, which makes it more challenging to provide those individuals with the required information. The Guidelines suggest the use of a "layered" approach, with the most important information displayed on a highly visible sign (e.g., a sticker on the outside of the vehicle) alerting individuals to the fact that a dashcam is being used, and providing a means of obtaining further information (e.g., using a QR code that individuals can scan with a smartphone, and that links to an online privacy notice setting out the required information). In its Code of Practice, the UK Information Commissioner's Office indicates that such signs would need to be clearly visible and reasonable, and should be more prominent where people would be less likely to expect to be filmed.
What to do next
Any business that wants to use dashcams in the EU needs to first decide on the purposes for which it will use the video data it collects, and then work out whether those purposes fall within an exemption under the GDPR. If any of those purposes fall outside the available exemptions, then the business needs to identify an available legal basis. If that legal basis is legitimate interests (which is likely in most cases) then the business needs to weigh its interests against the rights, freedoms and interests of the affected individuals.
Businesses also need to consider how invasive their video recording activities are, and whether there are any plausible ways to reduce the impact of those activities on the privacy of the affected individuals. This could include using technologies that do not readily identify individuals (e.g., LiDAR) where dashcams are not strictly needed; or using dashcams in ways that minimize the number of individuals affected (e.g., recording urban environments during the quietest periods).
Additional internal compliance measures, such as keeping a record of data processing activities, and implementing internal guidelines regarding data processing, are also necessary for GDPR compliance. Although the GDPR does not specify particular data security standards that must be met, each business is responsible for ensuring that it has implemented appropriate security measures in the context of its own processing activities. This includes ensuring that personal data that are no longer needed are deleted or anonymized. Lastly, the GDPR requires businesses to address data protection issues during the design and implementation phases of all new data processing activities. Each business is responsible for demonstrating that its use of dashcams and other technologies to capture and process personal data is compliant with the GDPR.
In the context of autonomous vehicles, the Baden-Württemberg Data Protection Authority recommends that businesses should conduct data protection impact assessments, due to the complexity of the technologies involved, and the potential consequences for the privacy of individuals. It would therefore be advisable for businesses developing autonomous driving technologies in the EU to consider carrying out such impact assessments, even when such assessments are not legally required.
The legal landscape for businesses operating in the field of autonomous vehicles is promising, as it appears that Data Protection Authorities are keen to support scientific and technological development in this space. However, the lack of a straightforward, harmonized guidance across the EU has left many businesses experiencing a lack of clarity. Businesses would therefore be well advised to carefully analyze their existing compliance structures in light of the available data protection guidance, but to keep this area under constant review, as changes are coming on the road ahead.
Aleksandra Drabek, a Trainee Solicitor at White & Case, assisted in the development of this publication.