Across the globe, the race is already underway among vehicle manufacturers to develop fully autonomous vehicles (AVs). AVs currently under development make sense of their surroundings and control vehicle operation through data gathered about the outside world.  Like other connected vehicles, AVs can also collect and use specific personal information about a driver (e.g., through synced mobile devices, user input) to enable multimedia, navigation, or internet-based applications.  

In this post, we will describe some of the risks introduced by personal information collection, and some of the legal obligations of vehicle manufacturers in protecting their customers’ privacy.

AVs and Personal Information

AVs need to collect a significant amount of data to provide driver assistance and other features offered by the vehicle’s infotainment system. AVs currently under development can collect location data, biometric data, driver behaviour information, and information acquired through synced mobile devices (e.g., contact list, messages). 

If a third-party attacker were to gain access to data collected by an AV, the consequences could be quite severe since an attacker could use this information to commit identity theft or obtain unauthorized access to buildings or systems.  In addition to these risks, images or other information captured by an AV of other drivers or pedestrians could also be exposed to unauthorized third parties. 

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out requirements for the collection, use and disclosure of personal information in the course of commercial activities. 

Under PIPEDA, personal information means information about an identifiable individual. Vehicle manufacturers collecting personal information may therefore be subject to PIPEDA, and to the extent PIPEDA applies, are required to comply with PIPEDA’s 10 fair information principles. These principles include stricter standards for personal information that is considered “sensitive information” such as biometric and financial information. A considerable amount of the data collected by AVs could be considered personal information, and in some cases, “sensitive information.”

Additionally, since AVs can collect data from multiple sources (e.g., multiple sensors, third-party systems) and transmit and store data using third-party sites, vehicle manufacturers should consider the wide-reaching impact of the AV system and ensure data is being protected at each potential access point.

Impact of New Privacy Laws

On June 16, 2022, the federal government introduced Bill C-27, also known as the Digital Charter Implementation Act, 2022.  Bill C-27 is expected to reform Canadian privacy law, replacing part of PIPEDA with the Consumer Privacy Protection Act (CPPA).  CPPA was heavily influenced by the European Union’s General Data Protection Regulation and the California Consumer Privacy Act of 2018 and is intended to impose more rigorous privacy obligations on organizations.

Bill C-27 also introduces the Artificial Intelligence and Data Act (AIDA), which sets Canada-wide requirements for the design, development, use, and provision of AI systems and prohibits certain conduct in relation to these systems that may result in serious harm or biased outputs (including specific requirements for AI systems determined to be “high-impact”). 

The meaning of “high-impact” is still not clear and it is anticipated that the definition of “high-impact” will be provided in further regulation.  However, because of the heightened safety risks associated with AVs, we anticipate that AVs may be subjected to these more stringent standards.

Whether under the current or future framework, AVs evidently engage with Canadian privacy laws in a complex way. For example, it will be interesting to see how the vast troves of personal information collected by AVs will be brought into motor vehicle accident investigations and disputes, or leveraged by motor vehicle insurers. There is significant potential for harm to individuals in these respects as well.

In conclusion, vehicle manufacturers will need to be proactive about privacy matters when designing AVs, and should stay informed about privacy developments in Canada to ensure they are complying with their legal obligations in protecting their customers’ privacy.

The authors would like to thank Student at Law Sandeep Patel for his assistance in preparing this update.

For further information please review our other posts in this series: