Top 3 questions about legal & GDPR compliance of ADAS datasets
A lawyer answers on some of the most common legal questions about collecting, storing, processing and sharing autonomous vehicle data
One of the use-cases in which we experienced first-hand a significant growth in demand is Advanced Driver Assistance Systems (ADAS). More and more countries are allowing OEMs and Tier 1 companies - who are developing such systems - to test in real-world conditions (the UK in July 2021 and Germany in 2022).
A growing number of (semi)-autonomous vehicles is increasing concerns around their impact on privacy. By collecting vast volumes of images and videos, personal data like people’s faces and license plates are often captured. As a result, automotive companies might become more exposed to fines when handling data in a non-compliant way, as well as public criticism by regulators and consumers, eventually losing customers’ trust.
As the GDPR offers only a general framework for handling personal data - also known as personal information or personally identifiable information (PII) - we constantly get legal questions about how and under which circumstances companies are allowed to process personal information (PI). For that reason, we decided to address some of the most common ones with Mag. Philipp Summereder, lawyer, consultant and data protection officer for various companies, from the law firm Summereder-Pichler Rechtsanwälte.
Top 3 Legal Questions & Answers
If an automotive company collects images/videos for R&D purposes (e.g. developing an autonomous vehicle/improving the level of autonomy) with faces/license plates, are the employees of such a company (e.g. data scientists, engineers, etc.) allowed to see and use the data non-anonymized for such purposes?
First of all, it should be noted that faces and license plates are personal data within the meaning of Art. 4 GDPR, as these identify a person or make them identifiable. In the European context, the rules of the GDPR, as well as national regulations, apply.
In the first step, a general check must be made whether there is a justification for the processing of personal data and whether, within the meaning of data minimization, there is no other option than to use personal data. Based on your question, I assume that the R&D department of the data processing company does not care which specific people or vehicles are filmed, i.e. the identification or the identifiability not required for research and development projects.
In summary, I assume that processing of personal data purely for research and development purposes by a private company is not permitted unless there is no other option
Is the automotive company allowed to store this data, re-use it for future projects or share it with a third-party company? If yes, under which circumstances?
The previous answer is valid also for storing and sharing data. Hence, enabling the anonymization of the identifying features of people or things is a recommended approach under data protection law to avoid legal complications, since data protection regulations on the processing activity in the event of complete (and irreversible) anonymization can no longer be used.
Anonymization is a recommended approach under data protection law to avoid legal complications
Does the GDPR rule apply to universities or research centres?
In principle, research and development by universities are privileged within the framework of data protection standards - Section 7 GDPR - which standardizes processing for purposes in the public interest, scientific or historical research purposes or statistical purposes. In this case, the person responsible may process all personal data that are:
- Publicly available
- Legitimately determined for other investigations or purposes
If this is not possible, approval from the data protection authority in accordance with Section 7 (3) of the GDPR could be obtained.
Here, too, the question arises why anonymization - in the sense of completely rendering the personal data unrecognizable, i.e. the faces and the license plates - shouldn’t be a better option for the compliance with the GDPR. Hence, if complete anonymization is possible, the provisions of the GDPR for universities and research centers would no longer apply.
Research and development by universities are privileged. However, the provisions of the GDPR for universities and research centers would no longer apply if complete anonymization is possible
- Processing personal data by a private company is only allowed if there’s no other option. If the identification of the single person is not required for the purpose of the R&D project, then personal data has to be anonymized.
- In principle, research and development by universities are privileged within the framework of data protection standards. However, if complete anonymization is possible, the privileges given by the GDPR would no longer apply.
- Use of software that enables the anonymization of the identifying features of people or things is a recommended approach under data protection law to avoid legal complications, since data protection regulations on the processing activity in the event of complete (and irreversible) anonymization can no longer be used.
The future of Data Privacy for Autonomous Vehicles: Our Opinion
Data privacy should be implemented from the beginning of AV development since personal data is collected and processed through all phases of the life cycle. This is quite a challenge due to the technological complexity of all involved components. Hence, the later privacy principles are applied, the more time and money it will cost.
Data protection and personal data were not considered a top priority until now since autonomous vehicles were mostly in the R&D phase. Now that AVs are getting closer to hit the roads, data privacy will become a much larger regulatory and security issue since terabytes of data will be collected, processed and stored. As a result, automotive companies will be exposed to massive attention by regulators and consumers.
Data privacy (together with safety) is one of the main threats to the general acceptance by consumers of autonomous vehicles. Mass adoption of AV will raise general concerns from the public about their privacy like it’s already happening with other mature topics such as advertising and video surveillance. In a society that is increasingly concerned about privacy, companies should become privacy-first to win customers.
Celantur offers a fully-automated anonymization solution for images & videos to comply with privacy laws. Our technology automatically detects the objects to be anonymized and blurs them:
✅ We anonymize all kinds of RGB imagery: planar, cubemap, panorama images and videos
✅ Our cloud platform is capable of anonymizing more than 200.000 panoramas per day and 100.000 video frames per hour
✅ Industry-grade anonymization quality: detection rate up to 99%
To make sure that you have the right legal basis within your company and related partners, we ensure the highest data protection measures:
- Data is stored in EU data centres
- Data Processing Register, a register where all the data processors document how personal data is being processed.
- Data Processing Agreement Regulates the scope and purpose of data processing between the data controller (you) and data processor (us). The GDPR requires a controller who engages a processor to enter into a written contract (Article 28.3 GDPR).
- Technical and Organizational Measures (TOM) A list of measures how the data processor (us) ensures data protection and safety in their processes and facilities.
- Non-Disclosure Agreement (NDA)