limitation4 (which comes at odds with the autonomous processing of personal data through AI in the CAV, which may be based on a (re)interpretation of goals, or, possibly, a shift in focus from the original goal for which personal data was collected). Additionally, the overall need for relatively large datasets to properly train and leverage AI functionalities leads to conflicts with the principle of data minimization.5 When applied to AI systems, the requirement of data protection by design and by default also presents dificulties, as data protection by default is possible only when the necessary personal data is processed for a specific purpose. 6 Moreover, the ePrivacy Directive has been interpreted by European Supervisory - as requiring a company wishing to store or access information stored within a CAV to obtain specific consent from CAV users for these specific activities. Furthermore, an additional legal basis must be determined (possibly necessitating those companies to make a double request for consent) for any subsequent use of the infor-
Emerging technologies and tools based on Artificial Intelligence (AI), such as Connected and automated vehicles (CAVs), present novel regulatory and legal compliance challenges while at the same time raising important questions with respect to ethics and transparency.
On the one hand, CAVs bring to light theoretical and practical
challenges to the implementation of the multi-dimensional
obligations of the current European personal data protection legal
framework, including the General Data Protection Regulation (GDPR),
the ePrivacy Directive,1 and where applicable, the Directive for a
high common level of security and information systems (NIS
Directive or NISD).2 As mere examples, CAV developers currently face
multiple legal hurdles to overcome, including the necessity to fulfil
controller and/or processor obligations in complex data
processing scenarios3 and tensions with the GDPR’s principle of purpose
1Directive 2002/58/EC of the European Parliament and of the Council of 12 July
2002 concerning the processing of personal data and the protection of privacy in the
electronic communications sector.
2The NISD, applicable to operators of essential services and digital service providers,
ensures the security of network and information systems vital to economic and societal
activities and to the functioning of the internal EU market. Also see Recital (
On the other hand, while European data protection legislation such as the GDPR, ePrivacy and NISD provide a minimum level of legal safeguards for citizens, they may not sufice to maximize CAV benefits for users while minimizing their potential negative impact on society.11 In order to properly and comprehensively address the risks brought about by CAVs, ethics12 and human rights concerns must therefore take a central role in every stage of the CAV development lifecycle, embedding the notions of fairness, transparency, and security into design processes. Transparency13 is situated between the legal and ethical dimensions and is challenged by the complexity of AI systems, as well as the inherent autonomy and flexibility of automated decision-making, and is key in the development of the framework as a prerequisite for trustworthy, ethical, and fair data processing.
This paper explores the closely linked legal principles and ethical
aspects that should be taken into consideration by stakeholders
in the CAV landscape and provides a roadmap to be used by CAV
researchers, developers, and all those who seek to create and
implement technologies to carry out data processing activities within
such domain in a compliant, fair and trustworthy manner. As a
result of the inherent link between the legal and ethical concerns,
the authors will present a holistic approach to design and
development which is intended to overcome the challenges posed to
European personal data protection legal principles and obligations,
by involving ethics and fairness. This approach, which goes beyond
minimum legal requirements and proposes the application of a
multidisciplinary framework, can be defined as Data Protection as
8See Article 7(
(AI), such as Connected and automated vehicles (CAV or CAVs),
present novel regulatory and legal compliance challenges while at
the same time raising important questions with respect to ethics
and transparency. CAVs bring to light theoretical and practical
challenges to the implementation of the multi-dimensional obligations
of the General Data Protection Regulation (GDPR), the ePrivacy
directive15 (2002/58/EC, revised by 2009/136/EC) and, where
applicable, the Directive for a high common level of security and
information systems (NIS Directive or NISD).16 Though briefly
14The concept of Data Protection as a Corporate Social Responsibility (DPCSR) has
been developed and promoted by Prof. Dr. Paolo Balboni (Maastricht University),
after having launched the idea on his blog in 2017. The Maastricht University DPCSR
project (Maastricht DPCSR or MU DPCSR) of the European Centre on Privacy and
Cybersecurity (ECPC) at Maastricht University is a two-year multi-stakeholder
research project that commenced in January 2020 and involves both Data Protection
and Business Stakeholders. During the first year of the project the researchers have
concretized three rules for each of the Five Principles of Sustainable Data
Protection previously identified by Dr. Paolo Balboni and explored during his inaugural
lecture. The second year of the project will consist of expanding to five rules per
principle, for a total of 25 rules, which will form the basis of the Maastricht DPCSR
Framework. The first manifesto of the project detailing the aforementioned
principles and rules, “Data Protection as a Corporate Social Responsibility: From
Compliance to Sustainability to Generate Both Social and Financial Value”, is available here:
https://www.maastrichtuniversity.nl/ecpc/csr-project/csr-publications. The research
project is being developed according to the highest academic and ethical standards in
full independence. It is intended to benefit of the rights and freedoms of individuals
by way of the establishment of data protection practices that are socially responsible
and feasible, and which shall be agreed upon and adhered to by the Stakeholders. The
Maastricht DPCSR Framework aims to “trigger virtuous data protection competition
between companies by creating an environment that identifies and promotes data
protection as an asset which can be used to help companies to responsibly further
their economic targets.” To learn more about the project, see the University’s dedicated
webpage, available here: https://www.maastrichtuniversity.nl/ecpc/csr-project.
15The ePrivacy Directive “sets a specific standard for all actors that wish to store
or access information stored in the terminal equipment of a subscriber or user in
the European Economic Area (EEA).” The majority of the provisions in the ePrivacy
Directive (e.g. Articles 6 and 9) only apply “to providers of publicly available electronic
communication services and providers of public communication networks, art. 5(
Also note that according to Art. 1(a) of Directive 2008/63/EC, terminal equipment
is defined as “equipment directly or indirectly connected to the interface of a public
telecommunications network to send, process or receive information; in either case
(direct or indirect), the connection may be made by wire, optical fibre or
electromagnetically; a connection is indirect if equipment is placed between the terminal and
the interface of the network; (b) satellite earth station equipment”. See the Directive
here: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32008L0063.
Following this logic, the European Data Protection Board has determined that “the
connected vehicle and every device connected to it shall be considered as a ‘terminal
equipment’ (just like a computer, a smartphone or a smart TV) and provisions of
art. 5(
In the context of CAVs, adherence to the rules set forth in the GDPR is fundamental for conformity with the applicable legal framework,17 which establishes compliance requirements for entities that process personal data, or information relating to individuals which can be either identified or identifiable. 18 Consequently, when designing and developing CAVs, it is crucial to have an overview of the dificulties that arise as a result of the implementation of the GDPR, and to have an approach to adequately address them. Furthermore, the ePrivacy Directive is also directly relevant to CAVs in that it specifies standards for the storage of and access to information stored in “terminal equipment of a subscriber or user”19 in the European Economic Area, notably imposing the need to collect specific GDPR-compliant consent 20 from CAV users for these activities. This particular requirement, as seen previously, may generate technical and legal dificulties for certain subsequent uses of information gathered from CAVs. The NIS Directive instead has established further obligations to ensure the security of network and information systems of essential services of a given Member State, classified as “ operators of essential services” (such as telecommunications, healthcare or transportation services). The European Union Agency for Cybersecurity (ENISA) has identified intelligent transport systems (ITS) as Essential Service Operators in the road transport sub-sector,21 and therefore it can be concluded that the NISD is applicable also in the context of CAVs. At the moment ENISA is in the process of addressing the security of smart cars in order to contribute to the existing regulatory framework. It is therefore safe to assume that as the adoption of CAVs reaches a critical mass, that specific ITS operators will be designated as operators of essential services.
As mere examples, CAV manufacturers, including vehicle and
equipment manufacturers, developers, service providers and other
relevant third parties (also collectively referred to as “CAV
stakeholders”) currently face multiple legal hurdles to overcome,
including the necessity to fulfil controller and/or processor obligations in
complex data processing scenarios22 and tensions with the GDPR’s
17European Data Protection Board, Guidelines 1/2020 on processing personal data in the
context of connected vehicles and mobility related applications, Version 1.0, Adopted on
28 January 2020, p. 5.
18Under Art. 4(
At the same time, while European data protection legislation
such as the GDPR provides a minimum level of legal safeguards for
citizens, they may not sufice to maximize CAV benefits for users
while minimizing their potential negative impact on society.29 In
order to properly and comprehensively address the risks brought
about by CAVs, ethics and human rights concerns must therefore
take a central role in every stage of the CAV development lifecycle,
embedding the notions of fairness, transparency, and security into
design processes. Transparency30 is situated between the legal
and ethical dimensions and is challenged by the complexity of
AI systems, as well as the inherent autonomy and flexibility of
automated decision-making, and is key in the development of the
and means of the processing of personal data”; where two or more controllers jointly
determine the purposes and means of a given processing activity, they will be considered
as “joint controllers” under Article 26 GDPR. Article 4 (
This paper explores the closely linked legal principles and ethical aspects that should be taken into consideration by stakeholders in the CAV landscape and provides a roadmap to be used by CAV researchers, developers, and all those who seek to create and implement technologies to process personal data within such domain in a compliant, fair and trustworthy manner. The protection of the rights, freedoms and interests of data subjects is at the heart of this discussion, though the perspective of technology service developers and providers – who carry the burden of implementing measures to ensure compliance with the existing legal framework – are addressed.31 On the basis of the analysis laid out in this paper, we provide suggestions and recommendations in order to assist manufacturers, developers and service providers to design and develop CAVs. In fact, the adoption of a holistic approach to data protection can assist in overcoming both the ethical and legislative and regulatory challenges in this complex environment. This approach, which goes beyond minimum legal requirements and proposes the application of a multidisciplinary framework, can be defined as Data Protection as a Corporate Social Responsibility in accordance to the Maastricht methodology in this domain.32 2
The automotive industry of the 21st century has transformed traditional cars into intelligent objects of transportation.33 The technology of Connected and Automated Vehicles cannot be separated from the persons that use them, whether for their private use or as part of services of a public system of transportation. It cannot be denied that the human-machine relationship, the human to the CAV, itself presents a number of ethical paradoxes and concerns which range from safety and even the loss of human life, liability questions, to economic, environmental, and security, privacy and 31Also see Recital 78 GDPR. 32The concept of Data Protection as a Corporate Social Responsibility (DPCSR) has been developed and promoted by Prof. Dr. Paolo Balboni (Maastricht University), after having launched the idea on his blog in 2017. The Maastricht University DPCSR project (Maastricht DPCSR or MU DPCSR) of the European Centre on Privacy and Cybersecurity (ECPC) at Maastricht University is a two-year multi-stakeholder research project that commenced in January 2020 and involves both Data Protection and Business Stakeholders. During the first year of the project the researchers have concretized three rules for each of the Five Principles of Sustainable Data Protection previously identified by Dr. Paolo Balboni and explored during his inaugural lecture. The second year of the project will consist of expanding to five rules per principle, for a total of 25 rules, which will form the basis of the Maastricht DPCSR Framework. The first manifesto of the project detailing the aforementioned principles and rules, “Data Protection as a Corporate Social Responsibility: From Compliance to Sustainability to Generate Both Social and Financial Value”, is available here: https://www.maastrichtuniversity.nl/ecpc/csr-project/csr-publications. The research project is being developed according to the highest academic and ethical standards in full independence. It is intended to benefit of the rights and freedoms of individuals by way of the establishment of data protection practices that are socially responsible and feasible, and which shall be agreed upon and adhered to by the Stakeholders. The Maastricht DPCSR Framework aims to “trigger virtuous data protection competition between companies by creating an environment that identifies and promotes data protection as an asset which can be used to help companies to responsibly further their economic targets.” To learn more about the project, see the University’s dedicated webpage, available here: https://www.maastrichtuniversity.nl/ecpc/csr-project. 33European Union Agency for Cybersecurity, Good Practices for Security of Smart Cars, November 2019, p. 7. data protection concerns.34 Furthermore, the absence of a specific applicable legislative framework and appropriate consideration of the ethical implications of such new technologies presents a challenge both for manufacturers in the development and steering of their work and to society with respect to the benefits that can be reaped from such technologies, whether they be increased road safety, lessened environmental impact and better mobility, or the potential improvement of European economic strength, growth, and competitiveness.35 As is often the case with new technologies, which make rapid and significant progress in terms of development and adoption, policymaking and the applicable regulatory frameworks are often less less-advanced than the technology itself, a notion which also holds true in the area of CAVs.36 This, together with the fact that such new technologies present both significant opportunities, but also risks, underlines the necessity of adequate regulation.37
CAVs operate in a complex communications ecosystem whose interactions can largely be divided into vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), and vehicle-to-everything (V2E or V2X),38 involving actors that range from the driver, passenger, pedestrian, to smart city infrastructure managers, law enforcement, and infotainment service providers.39 Connected vehicles furthermore include numerous additional characteristics and innovative technologies, and entail the constant processing of (personal) data for the improvement of driving, requiring the transmission of data relating to the car, its surroundings and the individuals inside it.40 Connected vehicles largely function by collecting various types of information, depending on their design, through built-in or external sensors (e.g., external devices, such as a smartphone). Autonomous vehicles use such sensors and AI in order to autonomously perform driving functions under varied conditions.41 The inherent nature of CAVs therefore involves the collection of massive amounts of data, for an uncertain number of purposes (which may not be disclosed from the start of the use of the CAV) and the security includes a 34German Federal Ministry of Transport and Digital Infrastructure, Ethics Commission Automated and Connected Driving. June 2017. Available at: https://www.bmvi.de/ SharedDocs/EN/publications/report-ethics-commission.pdf?__blob=publicationFile. Also see European Parliamentary Research Service, Study of the Panel for the Future of Science and Technology, The impact of the General Data Protection Regulation (GDPR) on artificial intelligence. June 2020. Available at: https://www.europarl.europa. eu/RegData/etudes/STUD/2020/641530/EPRS_STU(2020)641530_EN.pdf; and ICT Legal Consulting’s contribution to nIoVe Deliverable 2.1. https://niove.eu/. 35Government of The Netherlands, Self-driving cars, 2020. https://www.government. nl/topics/mobility-public-transport-and-road-safety/self-driving-vehicles. 36This concept is furthered in the June 2018 report of the Task Force on Ethical Aspects of Connected and Automated Driving (Ethics Task Force) established by the 2nd High Level Structural Dialogue in Frankfurt/M. on 14 and 15 September 2017. Available at: https://www.bmvi.de/SharedDocs/EN/publications/ report-ethics-task-force-automated-driving.pdf?__blob=publicationFile. 37European Commission,
White Paper on Artificial Intelligence – A European approach to excellence and trust, European Commission, February 2020, pp. 3, 17. Available at: https://ec.europa.eu/info/sites/info/files/ commission-white-paper-artificial-intelligence-feb2020_en.pdf. 38WSP Canada Group Limited and Ontario Centres of Excellence, Ontario CAV Ecosystem Analysis, 2019, p. 4. Available at: https://www.oce-ontario.org/docs/default-source/ publications/avin-ecosystem-analysis-final-report-2019.pdf?sfvrsn=2. 39European Data Protection Board, Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications, Version 1.0, 28 January 2020, p. 3. 40European Data Protection Supervisor, Connected Cars, TechDispatch, Issue 3, 2019, p. 1. 41European Union Agency for Cybersecurity, Good Practices for Security of Smart Cars, November 2019, p. 13. considerably large ecosystem of devices (both internal and external to the CAV).42 For such reasons, CAVs have introduced novel regulatory and legal compliance challenges43 which remain to be fully addressed by policymakers.44
Current legislation governing the processing of personal data45
related to individuals, those who drive or ride in CAVs, is the
General Data Protection Regulation (GDPR)46 which applies to “the
processing of personal data wholly or partly by automated means”47
and the ePrivacy Directive, which creates specific consent
requirements applicable to the storage of, and access to, information stored
in CAVs.48 Data subjects are aforded a variety of rights under the
GDPR, which also establishes important principles – this also
applies to CAV manufacturers, service developers/providers and users,
where such services require the use of personal data. As such,
compliance with the principles of the GDPR relating to the processing
of personal data, including the principles of lawfulness, fairness and
42European Data Protection Board, Guidelines 1/2020 on processing personal data in the
context of connected vehicles and mobility related applications, Version 1.0, 28 January
2020, p. 14. Available at: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_
guidelines_202001_connectedvehicles.pdf.
43The Article 29 Data Protection Working Party in its Opinion 08/2014 on the Recent
Developments on the Internet of Things (16 September 2014) has linked IoT to the
notions of “pervasive” and “ubiquitous” computing, thereby “clearly [raising] new and
significant personal data protection and privacy challenges ”.
44European Union Agency for Cybersecurity, Towards a framework for policy
development in cybersecurity, security and privacy considerations in autonomous
agents, 14 March 2019, p. 17. Available at: https://www.enisa.europa.eu/publications/
considerations-in-autonomous-agents.
45Article 4(
Manufacturers, and service developers/providers may further be subjected to rules
arising from the European Union’s Directive on Security of Network and Information
Systems (NISD), depending on the types of services they provide. In particular, when
involved in the provision of crucial services for the functioning of a given Member
State, such as telecommunications, healthcare or transportation services, these
developers/providers may be classified as “operators of essential services” (OESs). (See
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and information
systems across the Union. Available at: https://eur-lex.europa.eu/eli/dir/2016/1148/oj,
and Arts. 4(
An initial hurdle in the development of CAVs is the fact that the processing of personal data is often carried out by machines managed by diferent organisations, each of them using computational capacity provided by cloud service developers/providers and that can also involve analytic software programmes supplied by the related vendors.52 This exponentially increases the number of parties involved in data processing activities and the dificulties in clearly allocating data processing roles (controller or processor) to each one. Such grey areas create both compliance and ethical complications53 with respect to accountability where stakeholders feel that the responsibility for data protection compliance lies with another entity, and thus may feel free to process personal data in ways that they deem more convenient or beneficial, perhaps to the detriment of the individuals concerned.
Under the GDPR, when processing personal data, there are two main roles that an organization can take on, that of the data controller and that of the data processor. The data controller is the party that determines the purposes (the why) and the means (the what and how) of the processing.54 For example, service providers that process vehicle data to send the driver messages, insurance companies or vehicle manufacturers, tend to take the role of a data controller, since they collect data on vehicle use and for their own purposes (i.e., service provision and quality improvement).55 In this category, two or more data controllers may also jointly determine the purposes and means of the processing, and they will be considered as joint controllers.56 The data processor is the entity which 49Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, 29 November 2017, as last Revised and Adopted on 11 April 2018. Available at: https: //ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227. 50Article 29 Working Party, Opinion 03/2013 on purpose limitation, 2 April 2013. Available at: https://ec.europa.eu/justice/article-29/documentation/ opinion-recommendation/files/2013/wp203_en.pdf. 51Article 29 Working Party, Opinion 03/2010 on the principle of accountability, 13 July 2010. Available at: https://ec.europa.eu/justice/article-29/documentation/ opinion-recommendation/files/2010/wp173_en.pdf. 52Article 29 Data Protection
Working Party, Opinion 8/2014 on Recent
Developments on the Internet of Things, 16 September 2014, p. 11. Available
at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/
ifles/2014/wp223_en.pdf. See also European Data Protection Supervisor, EDPS response
to the Commission public consultation on the regulatory environment for platforms, online
intermediaries, data and cloud computing and the collaborative economy, 16 December
2015, p. 4. Available at: https://edps.europa.eu/sites/edp/files/publication/15-12-16_
online_platforms_en.pdf.
53According to the “a broader and more proactive ethical approach will also help
to reveal new perspectives on the often-asked question of who is responsible for
the behaviour of CAVs.” See Horizon 2020 Commission Expert Group to advise on
specific ethical issues raised by driverless mobility (E03659). Ethics of Connected and
Automated Vehicles: recommendations on road safety, privacy, fairness, explainability
and responsibility. 2020. Publication Ofice of the European Union: Luxembourg, p. 20.
Available at: https://ec.europa.eu/info/sites/info/files/research_and_innovation/ethics_
of_connected_and_automated_vehicles_report.pdf.
54Article 4(
The European Commission has clarified that the principle of
accountability lies with the actor(s) best placed to address risks.59
Therefore, the criteria60 of who is in the best position to address
risks can help CAV manufacturers, service providers, and
developers take the appropriate data processing role in the diferent stages
of the lifecycle (i.e., developers, users and third parties will
therefore be responsible at diferent stages of the lifecycle). According
to Art. 28(
More conventional agreements to regulate data processing
relationships, such as Data Processing Agreements61 and joint
controllership agreements62 may prove impractical to deal with these
intricate relationships, as they may not sufice to cover all diferent
roles which each of the parties involved in CAV data processing
plays. In order to address the grey area and the need to sign
several Data Processing Agreements, stakeholders should consider
engaging each other through more complex contractual
frameworks (Data Management Agreements63), identifying the specific
CAV data processing activities which they intend to perform and
their respective roles and obligations for each activity identified. 64
the European Union Case C-210/16 (Unabhängiges Landeszentrum für
Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH).
Available at: http://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&
pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1206721; Case
C-25/17 (Tietosuojavaltuutettu v Jehovan todistajat). Available at: http://curia.europa.
eu/juris/document/document.jsf?docid=203822&doclang=EN; and Case C-40/17
(Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV), which concerns the joint
controllership relationship between Facebook and website operators that embed the
Facebook “Like” button on their site. Available at: http://curia.europa.eu/juris/liste.jsf?
num=C-40/17.
57Article 4(
Adherence to the concept of data protection by design and by
default65 represents a fundamental prerequisite in the design of CAV,
requiring controllers from the design phase to implement
technical and organisational measures within products and services
to ensure compliance with the GDPR and the protection of data
subjects’ rights, “both at the time of the determination of the means
for processing and at the time of the processing itself ” (data
protection by design66). Data protection by design and by default should
not simply be considered as a principle, but rather, as a means to
achieve compliance with the specific principles stipulated in
Article 5 GDPR, and generally, all duties and obligations set forth in
the GDPR. Art. 25(
more information on the concept of data protection by design and by default, please see the United Kingdom Information Commissioner’s checklist, available here: https://ico.org.uk/for-organisations/ guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ accountability-and-governance/data-protection-by-design-and-default/; the Spanish Data Protection Authority’s (AEPD) Guidelines on Data Protection by Default – “Guía de Protección de Datos por Defecto” (October 2020), available here: https: //www.aepd.es/sites/default/files/2020-10/guia-proteccion-datos-por-defecto.pdf; and the AEPD’s Guidelines on Privacy by design - “Guía de Privacidad desde el Diseño” (October 2019), available here: https://www.aepd.es/sites/default/files/2019-11/ guia-privacidad-desde-diseno.pdf. 66As noted
by the European Data Protection Supervisor in his Opinion
5/2018 – Preliminary Opinion on privacy by design (31 May 2018, available
at: https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_
on_privacy_by_design_en_0.pdf), the obligation of data protection by design, under
Art. 25 GDPR, can be broken down into 4 dimensions: (
The European Commission has established that AI applications should be considered high-risk if the application is employed in a sector where significant risks for individuals can be expected, including the transportation sector.70 Thus, CAV designing should initiate by carrying out a Data Protection Impact Assessment (DPIA), which would acknowledge and assess the risks posed to data subjects. DPIAs should be complemented with extensive Security Risk Assessments in order to identify threats and risks on IT systems and assess whether security measures in place provide an adequate level of protection, also taking into account the magnitude and seriousness of the security risks increase with the large attack surface. This integrated approach can be found in the Maastricht DPCSR principle of Data security by design,71 which calls for the implementation of a risk-based approach to data processing that aids in the management of data security in order to optimize economic and social benefits of product deployment and use. Such an approach to data security is necessary in order for society to take full advantage and benefit from technological advancements in transportation in the CAV context, by first successfully mitigating the risks posed by such technologies in terms of security.72
The described regime of Data security by design leads to the obligation of developers and manufacturers to have a good approach to security based to an analysis of the risks associated to individuals involved, namely drivers, passengers, and pedestrians. The mitigations envisioned for such risks should be transposed into documented policies and procedures, also in view of a comprehensive future risk analysis that is aimed at identifying threats that may pose risks to CAV systems. It essentially calls for CAVs to be safe by design, taking into account “known patterns of use by CAV users, including deliberate or inadvertent misuse, as well as tendencies toward inattention, fatigue and cognitive over/under-load.”73
Solutions for mitigating the high risks relating to CAVs should
include human oversight, the adoption of an Ethics by design and
69Art. 5(
User empowerment by design approach,74 and the monitoring of the AI system.75 Human oversight should ensure the ability for humans to intervene in real time through deactivation during operation, for example, a stop button or a procedure when a human determines that car operation is not safe.76 In the designing of the CAV, operational constraints can be implemented, for example for the CAV to stop operating in critical weather conditions. Furthermore, a supervision centre should interact with the vehicle to monitor its status, request actions and perform remote administration tasks.77 The ethical question of connected and autonomous vehicles, in fact, is also dependent on “the conditions in which they are used and the way in which they are designed,”78 solidifying the relationship between the legal prescription and the ethical aspects of CAVs. 2.3
Following the logic of data protection by design and default, in the development process of CAVs, car manufacturers and relevant technology providers should closely enforce the concept of “fairness by design” by which fairness is related to balanced and proportionate data processing.79 Fairness by design requires the balancing of fundamental rights freedoms, which should be built into the very design of connected vehicles, their components, and more generally, all the related data processing activities in the CAV environment, forming an integral part of the algorithms that underpin the related processing activities. In this way, Fairness by design acts as a further specification of the concept of data protection by design, complementing both the legal and the ethical dimensions 74Maastricht DPCSR Principle 1, Rule 2: Implement Ethics by design and User Empowerment by design, actively empowering individuals with respect to their data, calls for organizations to 1) establish a multi-stakeholder ethics and user empowerment board led by the person(s) charged with ensuring compliance with the Maastricht DPCSR Framework and involving the C-suite, researchers and developers/engineers, legal and marketing functions, as well as others deemed to be relevant by the organization; 2) Establish an internal-external multi-stakeholder ethics, user empowerment, accessibility, and functionality group which, through testing procedures and protocols and the inclusion of individuals outside of the organization including, e.g. users, ethicists, consumer and professional associations, disability rights activists, and other relevant stakeholders, can ensure that the objectives of the established procedures and protocols concerning ethics and user empowerment are met. 3) Develop personalized ethics and user empowerment by design policies and procedures (testing and verification protocols/ impact assessments), including ethics and user empowerment impact assessments which ensure that the objectives of the procedures and protocols with respect to ethics by design and user empowerment by design are met. 75Principle 3, Rule 3 of the Maastricht DPCSR framework, calls for organizations to “Establish trusted data processing activities (for example, for use in AI and big data analytics) that actively oppose bias and discrimination. The Organization shall actively seek not only to not cause harm, but to oppose bias and discrimination” to this end provides focuses on establishing trusted data processing activities that actively oppose bias and discrimination, and requires having in place checks and balances to prevent bias and discrimination in all levels of data processing activities, with specific reference to AI and algorithms. It is closely related to the concept of Fairness by design (Principle 1, Rule 3) and can also implicate data sharing, which is further explored in Principle 4, Publish relevant findings based on statistical/anonymized data to improve society. Available at: https://www.maastrichtuniversity.nl/ecpc/csr-project/csr-publications. 76European Commission, White Paper on Artificial Intelligence – A European approach to excellence and trust, February 2020, p. 21. Available at: https://ec.europa.eu/info/ sites/info/files/commission-white-paper-artificial-intelligence-feb2020_en.pdf. 77Ibid. 78German Federal Ministry of Transport and Digital Infrastructure, Ethics Commission Automated and Connected Driving. June 2017, p. 6. Available at: https://www.bmvi.de/ SharedDocs/EN/publications/report-ethics-commission.pdf?__blob=publicationFile. 79See Paolo Balboni, “The Automated Vehicle Consortium and Fairness by Design”, May 2019. Available at: https://www.paolobalboni.eu/index.php/2019/05/08/ the-automated-vehicle-safety-consortium-and-fairness-by-design/. Also see ICT Legal Consulting’s contribution to nIoVe Deliverable 2.1. of privacy and personal data protection for the development of a healthy and democratic digitalized society.
In line with this principle, developers and manufacturers should
take into account the interests and reasonable expectations of
privacy of data subjects from the design phase of the CAV. The
processing of personal data in CAVs should not unreasonably intrude
on the privacy, autonomy and integrity of data subjects nor
pressure data subjects to provide their personal data, collecting only
what is strictly necessary for the operation of the vehicle. Fairness
by Design80 leverages the highly relevant81 principle of fairness
embedded in Article 5(
On the part of manufacturers and developers, the
implementation of Fairness by design can be realized by way of integration of
ifve recommendations into the CAV lifecycle. These include
carrying out: 1) Human rights impact assessments;82 2) drawing red
lines for certain types of processing that due to their nature
represent too high of a threat to human rights and risk posing a severe
and irreversible impact on fundamental rights and societal welfare
in general; 3) providing for reinforced transparency and the right
to algorithmic explanation;83 4) the provision of efective redress
mechanisms (procedural fairness and algorithmic due process);84
and 5) ensuring independent oversight. By implementing the above
80The Maastricht Data Protection as a Corporate Social Responsibility Working Group
has established that Fairness by Design embodies Principle 1, Rules 1 (Data Security
by Design) and 2 (Ethics by design and User Empowerment by design) and integrates
the legal dimension of the GDPR. ICTLC Senior Associate Davide Baldini has actively
contributed to the definition of Principle 1, Rule 3, Fairness by design and its relative five
requirements as they are described above. Together these three rules form the initial
triad on which the Maastricht DPCSR Framework is built. Also see Paolo Balboni and
Kate Francis, “Data Protection as a Corporate Social Responsibility: From Compliance
to Sustainability to Generate Both Social and Financial Value.” European Centre on
Privacy and Cybersecurity (ECPC), Maastricht University Faculty of Law website.
27 October 2020. Available at: https://www.maastrichtuniversity.nl/ecpc/csr-project/
csr-publications.
81Art. 8(
The principle of purpose limitation states that the personal data
must be collected for a specified, explicit and legitimate purposes,
without further processing in a manner that is incompatible with
those purposes.85 As noted by the Article 29 Data Protection
Working Party, “any processing following collection, whether for the
purposes initially specified or for any additional purposes, must be
considered ’further processing’ and must thus meet the requirement of
compatibility.”86 This notion of compatibility includes a criteria
to be assessed by a controller in order to establish if a further
processing purpose is compatible with the initial purpose for data
collection:87 1) whether there is any link between these purposes; 2)
the context in which the personal data was collected; 3) the nature
of the personal data in question; 4) the possible consequences of the
intended further processing for data subjects; and 5) the existence
of appropriate safeguards, such as encryption or
pseudonymisation.88 Based on a factual assessment of the initial purpose of data
collection and the intended further purpose, controllers can
theoretically arrive at a conclusion as to whether the further purpose
is compatible with the initial one89 – and therefore that it does
not require an additional, specific legal basis to be identified for it
– or is instead incompatible,90 and must be supported by its own
specific legal basis. As a result, organizations have an obligation to
map the purposes for which they collect personal data, and avoid
reuse, combination or repurposing of those data for incompatible
purposes.91
to the algorithmic decision should be presented with clear indications on how to make
use of the designated redress mechanism made available by the organization.
85Art. 5(
This obligation comes at odds with the CAV’s autonomous processing of personal data through AI, which may be based on a (re)interpretation of goals, or, possibly, a shift in focus from the original goal for which the personal data was collected. Even though this can pose several barriers in the use of personal data for other purposes, the flexible application of “compatibility” allows for the reuse of personal data, when it is not incompatible with the original purpose. Additionally, the CAV stakeholders can reuse the personal data for statistical purposes, unless it involves unacceptable risks for the data subject.94 2.5
The principle of data minimisation requires that personal data is
processed in an adequate and relevant way, limited to what is
necessary in relation to the purposes for which they processed.95
This principle requires to only process the personal data which
is strictly necessary for the purposes of the processing. The CAV
collects a great deal of information as a result of the functions it
ofers, such as infotainment systems (e.g., seat entertainment), or
through the telematics ecosystem (e.g., Global Navigation Satellite
Systems data), and can exchange that data with any other entity
(V2X communication), such as trafic signals, smart homes, or other
vehicles.96 The number of sensors, connected devices and network
whenever the resulting AI systems are socially beneficial and compliant with data
protection rights.” Furthermore, the use of data in training sets for algorithmic models
should not be precluded when their inclusion is compliant with data protection rights
and is socially beneficial. See European Parliamentary Research Service, The impact of
the General Data Protection Regulation (GDPR) on artificial intelligence , June 2020, p. IV
and p. 46. Available at: https://www.europarl.europa.eu/RegData/etudes/STUD/2020/
641530/EPRS_STU(2020)641530_EN.pdf.
92European Data Protection Board, Guidelines 05/2020 on consent under Regulation
2016/679, Version 1.1, 4 May 2020, Section 3.2. Available at: https://edpb.europa.eu/
sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf.
93See European Data Protection Board, Guidelines 1/2020 on processing personal data
in the context of connected vehicles and mobility related applications, Section 1.5.3.
94European Parliamentary Research Service, The impact of the General Data Protection
Regulation (GDPR) on artificial intelligence , Study of the Panel for the Future of
Science and Technology, June 2020, p. 45. Available at: https://www.europarl.europa.eu/
RegData/etudes/STUD/2020/641530/EPRS_STU(2020)641530_EN.pdf.
95See Article 5(
The starting point of vehicle and equipment manufacturers, service providers and developers must be to have a clear overview of the categories of data they need from a CAV by utilising the two following criteria: 1) it should be relevant for the intended specific processing, 2) is it necessary for the intended specific processing. 97 Although this is a subjective test, all CAV stakeholders should aim to carry out this assessment prior to the collection of personal data and be in the position of demonstrating that they have done so – specific obligations to perform data minimisation assessments (either specifically, or as part of wide data protection impact assessments), and to properly document and make those assessments available, can be assigned to the relevant parties in the context of the Data Management Agreements which may be entered between them to regulate CAV data processing (as noted above). For example, collecting location data is invasive towards a data subject, since it can reveal essential and sensitive information98 relating to them, such as information relating to their personal preferences, travel habits and relationships with others. On the one hand, manufacturers, developers and service providers could diferentiate between data used for CAV training99 and that used for the deployment of the CAV.100 This could ensure that the personal data collected has a 97European Data Protection Board, Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications, Version 1.0, 28 January 2020, p. 14. 98“Sensitive data or data of a highly personal nature: this includes special categories of personal data as defined in Article 9 (for example information about individuals’ political opinions), as well as personal data relating to criminal convictions or ofences as defined in Article 10. An example would be a general hospital keeping patients’ medical records or a private investigator keeping ofenders’ details. Beyond these provisions of the GDPR, some categories of data can be considered as increasing the possible risk to the rights and freedoms of individuals. These personal data are considered as sensitive (as this term is commonly understood) because they are linked to household and private activities (such as electronic communications whose confidentiality should be protected), or because they impact the exercise of a fundamental right (such as location data whose collection questions the freedom of movement) or because their violation clearly involves serious impacts in the data subject’s daily life (such as financial data that might be used for payment fraud). In this regard, whether the data has already been made publicly available by the data subject or by third parties may be relevant. The fact that personal data is publicly available may be considered as a factor in the assessment if the data was expected to be further used for certain purposes”, as explained in the Article 29 Working Party’s Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, 4 April 2017, As last Revised and Adopted on 4 October 2017, pp. 9-10. Available at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236. 99For example, training data sets could include synthetic data – meaning a simulated environment replicating the relevant features of the real world. Therefore, synthetic data allows for CAV manufacturers and service providers to simulate scenarios that are dificult to observe or replicate in real-life. This approach does not only serve for the safety of the CAV, but also for the utmost protection of data subjects’ data subject rights and freedoms, as explained by the Organisation for Economic Co-operation and Development (OECD), Artificial Intelligence in Society , 11 June 2019, OECD Publishing: Paris, p. 98. Available at: https://doi.org/10.1787/eedfee77-en. 100European Commission, White Paper on Artificial Intelligence – A European approach to excellence and trust, February 2020, p. 19. Available at: https://ec.europa.eu/info/ sites/info/files/commission-white-paper-artificial-intelligence-feb2020_en.pdf. specific and legitimate interest and minimising its use in other parts of the CAV’s lifecycle. Additionally, limiting the use of the data in the deployment phase could help mitigate potential harms to data subjects. On other hand, according to recent research, the use of synthetic data can be used for the training of the CAVs’ models, if it is available and afordable. 101 Synthetic input data would be able to train the AI system on complex situations and ensure for safer and more accurate CAVs.102 2.6
Transparency103 is closely related to the concept of fairness and
the principle of accountability under the GDPR, where Article 5(
The principle of transparency is of particular relevance in the CAV environment insofar as the rationale behind automated decisions may significantly afect individuals and could even lead to life and death scenarios. In fact, ethical design is dependent on 101Ibid. 102Organisation for Economic Co-operation and Development, Artificial Intelligence in Society, 11 June 2019, OECD Publishing, Paris, p. 98. Available at: https://doi.org/10. 1787/eedfee77-en. 103See Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, 29 November 2017, as last Revised and Adopted on 11 April 2018. Available at: https: //ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227.
Furthermore, note that the principle of transparency permeates throughout the
diverse rules of the Maastricht DPCSR Framework. These specifically include the
rules which fall under Principle 1: Embed data protection and data security in the
design of processes, under which the rules of data security, ethics by design and user
empowerment by design, and fairness by design are situated; and Principle 2: Be
transparent with citizens about the collection of their data, which suggests using icons
to signal that data processing activities are taking place. See Paolo Balboni and Kate
Francis, “Data Protection as a Corporate Social Responsibility: From Compliance
to Sustainability to Generate Both Social and Financial Value.” European Centre on
Privacy and Cybersecurity (ECPC), Maastricht University Faculty of Law website.
27 October 2020. Available at: https://www.maastrichtuniversity.nl/ecpc/csr-project/
csr-publications.
104Recital 39 GDPR states, “. . . that (
A key element of transparency is found in Article 12 GDPR
on Transparent information,111 communication and modalities for
the exercise of the rights of the data subject. Article 12(
As reflected in the above sections, the road towards compliance and ethical deployment requires CAV manufacturers, developers and service providers to come up with ingenious and novel solutions when designing and developing CAVs. Consideration of the GDPR-based obligations and the ePrivacy Directive requirements on consent and their application to CAVs unveils several unresolved issues, as seen in conflicts between restrictive legal principles, rules and requirements, on the one hand, and innovation on the other. As a result, organisations may struggle to fully meet their legal obligations. This paper has therefore sought to help address this problem by identifying several areas that are to be considered as potential priorities in designing and developing CAVs.
Concerning the GDPR predefined data processing roles, it is recommended to mirror the complex data processing relationships through multi-part Data Management Agreements which should aim to identify and regulate the variety of activities and relationships that exist between CAV stakeholders (see sub-section 2.1) . By properly configuring a Data Management Agreement, stakeholders can 1) map out the diferent types of CAV data processing activities which they are to perform, 2) identify the role or roles – independent controller, processor or joint controller – which apply to them in relation to each processing activity, and 3) set out the obligations to which each of them are bound as a result of the roles identified for each specific activity. This greatly reduces the risk of “grey areas” or undefined loopholes and ensures greater comprehensiveness and clarity of regulation of these complex processing relationships, for the benefit of CAV stakeholders and the data subjects concerned.
As a way to ensure data protection by design and by default, organizations should prioritise carrying out data protection impact assessments and IT security risk assessments prior to any processing activity and subsequently map the necessary technical and organizational security measures that would mitigate any high risks posed towards the rights and freedoms of data subjects (see sub-section 2.2). A Data security by design approach should entail adopting a by-design approach to security by integrating security best practices into the practices of the CAV stakeholder’s organization on both the organizational and technical levels; human oversight and monitoring should also be ensured. CAVs should be designed in adherence to an Ethics by design and User empowerment by design approach which aims to actively oppose harm and empower users with respect to their data, ensuring that the positive societal benefits of CAVs can be reaped. More specifically, CAV stakeholders must consider Fairness by Design to regulate as well as 114Paolo Balboni and Kate Francis, “Data Protection as a Corporate Social Responsibility: From Compliance to Sustainability to Generate Both Social and Financial Value.” European Centre on Privacy and Cybersecurity (ECPC), Maastricht University Faculty of Law website. 27 October 2020. Available at: https://www.maastrichtuniversity.nl/ ecpc/csr-project/csr-publications. prevent harm as a result of the algorithmic processing of the CAV, embedding fairness into the CAV itself (see sub-section 2.3).
Conflicts with the principle of purpose limitation may be balanced by applying compatibility tests when personal data needs to be used for other purposes, allowing for the reuse of personal data when the further purpose is compatible with the original purpose (see sub-section 2.4). Hand-in-hand with the principle of purpose limitation is the challenge posed to the principle of data minimization; whereby CAV manufacturers, developers and service providers are faced with the possibility of processing massive amounts of personal data and the obligation of only processing the personal data which is relevant and necessary for the envisioned processing activity (see sub-section 2.5). Other than carrying out the above test of what categories of personal data are relevant and necessary to process, CAV stakeholders could also diferentiate between personal data used for the training stage and for the deployment and monitoring of the vehicle. Furthermore, transparency requirements are especially intensified in the CAV environment since the GDPR’s expectations are that a data subject is able to understand the entire CAV processing (including the purposes, risks, recipients of personal data, etc.), as well as accurately comprehend the AI’s computations and automated decision making. Creative solutions will be required on the side of the CAV manufacturers, developers and service providers in order to overcome this transparency obstacle, by way of standardized icons, sounds, and the possibility of changing the content and provision of information according to the audience at hand (e.g., drivers, passengers and children on board) (see sub-section 2.6).
While compliance with applicable data protection obligations represents an important starting point towards the lawful deployment of CAVs, reliance on existing legal privacy, data protection, and security frameworks is not enough to ensure a sustainable and beneficial proliferation of automated vehicles. In the case of new technologies and economic models that are constantly propelled into being thanks to perpetually-transforming innovations, regulation seems to come short in providing genuine protection of the fundamental rights and freedoms of Europeans and in efectively mitigating the risks presented by them. Due to the particularly high-risk nature of transportation and the extensive data processing operations that take place within the CAV in order to both make it function and make it enjoyable (infotainment) in fact, it is necessary that ethical concerns are adequately incorporated into the processes of developers, manufacturers, and service providers active in this environment.
The need for such an approach to data protection, one that can be considered as “ethical”, which weds value-based models in the development of a newly virtuous form of compliance, going beyond what is prescribed by EU data protection law (ePrivacy directive and the GDPR) has already been confirmed by the European Data Protection Supervisor,115 the European Commission,116 and the 115European Data Protection Supervisor, Report Towards a digital ethics – EDPS Ethics Advisory Group. 25 January 2018. Available at: https://edps.europa.eu/sites/edp/files/ publication/18-01-25_eag_report_en.pdf. 116European Commission, European Group on Ethics in Science and New Technologies Statement on Artificial Intelligence, Robotics and ‘Autonomous’ Systems . March 2018. Available at: https://ec.europa.eu/research/ege/pdf/ege_ai_statement_2018.pdf Council of Europe,117 among others. In the area of new technologies, such as CAVs, this regulatory gap can be met in the application of the principles that are outlined in the Maastricht University Data Protection as a Corporate Social Responsibility Framework. By following the Maastricht DPCSR Framework, operators in the automated vehicle sector can help ensure compliance not only with what is enshrined in the law, but also aim to provide added benefits for society, seeking not only to not cause harm, but to “do good” in the digital arena.