Federal Autonomous Vehicle Bill Includes Detailed Privacy, Cybersecurity Requirements

September 24, 2020 | Alerts

U.S. Rep. Bob Latta (R-Ohio), ranking member of the House Energy and Commerce Subcommittee on Communications and Technology, has re-introduced the "Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution Act" or the "SELF DRIVE Act" to regulate autonomous vehicles. Key provisions relating to data protection include:

Cybersecurity Plan

Vehicle manufacturers are required to develop a cybersecurity plan that includes:

  • A written cybersecurity policy with respect to the practices of the manufacturer for detecting and responding to cyberattacks, unauthorized intrusions, and false and spurious messages or vehicle control commands, including:
    • A process for identifying, assessing, and mitigating reasonably foreseeable vulnerabilities from cyber attacks or unauthorized intrusions, including false and spurious messages and malicious vehicle control commands
    • A process for taking preventive and corrective action to mitigate against vulnerabilities in a highly automated vehicle or a vehicle that performs partial driving automation, including incident response plans, intrusion detection and prevention systems that safeguard key controls, systems and procedures through testing or monitoring, and updates to such process based on changed circumstances.
  • The identification of an officer or other individual of the manufacturer as the point of contact with responsibility for the management of cybersecurity
  • A process for limiting access to automated driving systems
  • A process for employee training and supervision for implementation and maintenance of the policies and procedures required by this section, including controls on employee access to automated driving systems.

Privacy Plan

Vehicle manufacturers are required to develop a privacy plan that includes:

  • A written privacy plan with respect to the collection, use, sharing and storage of information about vehicle owners or occupants collected by a highly automated vehicle, vehicle that performs partial driving automation or automated driving system that includes:
    1. How the information is collected, used or stored
    2. Choices offered to vehicle owners or occupants about this
    3. Data minimization, de-identification, and retention of information about vehicle owners or occupants
    4. The practices of the manufacturer with respect to extending its privacy plan to the entities with which it shares such information.
  • A method for providing notice to vehicle owners or occupants about the privacy policy
  • If information about vehicle owners or occupants is altered or combined so that the information can no longer reasonably be linked to the highly automated vehicle, vehicle that performs partial driving automation or automated driving system from which the information is retrieved or to the vehicle owner or occupants, the manufacturer is not required to include the process or practices regarding that information in the privacy policy.
  • If information about an occupant is anonymized or encrypted, the manufacturer is not required to include the process or practices regarding that information in the privacy policy.

Advisory Council

The National Highway Traffic Safety Administration shall establish the Highly Automated Vehicle Advisory Council which will be responsible for, among other things, devising best practices and recommendations for cybersecurity for the testing, deployment and updating of automated driving systems as well as the protection of consumer privacy and security of information collected by highly automated vehicles.

FTC Study

The Federal Trade Commission shall conduct a study and submit a report to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate on the highly automated vehicle marketplace, including an examination of the following issues:

  • Which entities in the ecosystem have access to vehicle owner or occupant data?
  • Which entities in the highly automated vehicle marketplace have privacy plans?
  • What are the terms and disclosures made in such privacy plans, including regarding the collection, use, sharing and storage of vehicle owner or occupant data?
  • What disclosures are made to consumers about such privacy plans?
  • What methods are available to enable deletion of information about vehicle owners or occupants from any data storage system within the vehicle (other than a system that is critical to the safety or operation of the vehicle) before the vehicle is sold, leased or rented, or otherwise occupied by a new owner or occupant?

Enforcement

A violation of subsection (a) shall be treated as an unfair or deceptive act or practice within the meaning of section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)).


Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with issues related to autonomous vehicles, contact Odia at [email protected] or 215.444.7313.