Questions about GDPR-compliance of ADAS and Autonomous Driving

In recent months, an increasing number of European nations have begun permitting testing of autonomous driving systems in real-world environments by OEMs and Tier 1 companies. Examples include the United Kingdom in July 2021 and Germany in 2022.

A growing number of (semi)-autonomous vehicles is increasing concerns around their impact on privacy. By collecting vast volumes of images and videos, personal data like people’s faces and license plates are often captured. As a result, automotive companies might become more exposed to fines when handling data in a non-compliant way, as well as public criticism by regulators and consumers, eventually losing customers’ trust.

As the GDPR offers only a general framework for handling personal data, we constantly get questions about how and under which circumstances companies are allowed to process personal data.

For this reason, we decided to address some of the most common ones with Mag. Philipp Summereder, lawyer, consultant, and data protection officer for various companies, from the law firm Summereder-Pichler Rechtsanwälte.

Questions & Answers

**Q: Assume that an automotive company collects images/videos for R&D (e.g. developing an autonomous vehicle) with faces/license plates present. Are the employees of such a company (e.g. data scientists, engineers, etc.) allowed to see and use the non-anonymized data? **

A: First, it should be noted that faces and license plates are personal data within the meaning of Art. 4 GDPR, as these identify a person or make them identifiable. In the European context, the rules of the GDPR, as well as national regulations, apply.

Initially, the processing of personal data should be justified. Also, within the meaning of data minimization, it should be proved whether there is no other option than to use personal data.

In this context, I assume that the R&D department does not require what specific person or vehicle are filmed, i.e. their identifiability.

Therefore, I conclude that processing personal data purely for research and development by a private company is not permitted unless there is no other option.

Q: Is the automotive company allowed to store this data, re-use it for future projects or share it with a third-party company? If yes, under which circumstances?

A: The previous answer is valid also for storing and sharing data.

Therefore, enabling the anonymization of the personal information is a recommended approach under data protection law to avoid legal complications.

Q: Does the GDPR rule apply to universities or research centers?

A: In principle, research and development by universities are privileged within the framework of data protection laws - Section 7 GDPR - which standardizes processing for public interest, statistical, scientific or historical research.

In this case, the person responsible may process all personal data that are:

• Publicly available
• Legitimately determined for other investigations or purposes

If this is not possible, you could obtained an approval from the data protection authority in accordance with Section 7 (3) of the GDPR.

Once again, the question arises why anonymization - in the sense of completely rendering the personal data unrecognizable, i.e. faces and license plates - shouldn’t be a better option to comply with the GDPR.

Consequently, if complete anonymization is possible, the provisions of the GDPR for universities and research centers do no longer apply.

Summary

• Processing personal data by a private company is only allowed if there’s no other option. If the identification of the single person is not required for the purpose of the R&D project, then anonymization is the recommended approach.
• In principle, research and development by universities are privileged within the framework of data protection standards. However, if complete anonymization is possible, such privileges do no longer apply.
• Use of software that enables the anonymization of the identifying features of people or things is a recommended approach under data protection law to avoid legal complications, since data protection regulations on the processing activity in the event of complete (and irreversible) anonymization can no longer be used.

The future of Data Privacy for Autonomous Vehicles: Our Opinion

Data privacy must be a fundamental aspect of AV development from the start, as personal data is collected and processed throughout the entire life cycle of the vehicle. This poses a significant challenge due to the technology's complexity. The longer privacy principles are delayed, the more costly it becomes.

Until recently, data protection and personal privacy were not a primary concern for AVs, as they were primarily in the research and development phase. As AVs move closer to being on the road, data privacy will become a much more significant regulatory and security issue, as large amounts of data will be collected, processed, and stored. As a result, automotive companies will face increased scrutiny from regulators and consumers.

Data privacy, along with safety, is one of the key factors that will determine consumer acceptance of autonomous vehicles. As AVs become more prevalent, public concerns about privacy will likely increase, similar to current concerns about advertising and video surveillance. In a society that prioritizes privacy, companies must prioritize privacy in order to attract and retain customers.

About Celantur

Celantur offers an enterprise-ready and scalable solution for anonymizing images and videos uses industry-grade technology to blur faces, license plates, persons, and vehicles with a detection rate of up to 99%.

We offer two software solutions:

• Celantur Cloud: user-friendly and pay-per-use option with fast data processing capabilities. Available as a cloud-based SaaS or Cloud API.
• Celantur Container: Highly scalable Docker container that can be deployed on your local machine, physical servers, or public/private cloud infrastructure. Seamless integration into your data workflows via input and output directories, input and output directories, or RestAPI.

Using our internal machine learning know-how for object detection and image segmentation, we can deliver new models faster or solution deployment on edge.

To facilitate the legal basis for processing image and video data, we have strong measures in place to comply with the GDPR and other data protection laws. Take a look at all our data protection measurements here.