What are Autonomous Vehicles? Why is data privacy a concern in AVs?
Autonomous Vehicles can be defined as vehicles that can run from location ‘A’ to location ‘B’ without any direct human intervention to steer, accelerate, brake, and monitor the moving vehicle in self-driving mode using in-vehicle technology and various sensors.
An Advanced Driver-Assistance System (ADAS) is a technology indicating the level of automation in a vehicle. The level of automation in a car ranges from Level 0 to Level 5 (Level 0 indicates no or the least automation, while Level 5 indicates the highest level of automation).
Autonomous cars house various sensors, 360-degree cameras, and Artificial Intelligence (AI), which collect user data such as personal information, road information, vehicle information, etc. So, autonomous vehicles have become an easier way for third parties to collect personal information about the users.
Although this has made life easier, because services like rental or ridesharing enable users to instantly book, use, and pay for transportation with ease, there is a possibility of data leakage, as the data falls directly into the hands of a third party who may use it for secondary purposes.
Cybersecurity Concerns
AVs use more computers than earlier or regular cars did. AVs are also vulnerable to cyberattacks that can hamper the operation and safety of the vehicle, passengers, and users.
In the US, according to a 2019 FBI report, the FBI issued a warning to auto manufacturers that the data collected by AVs could become an easy cyberattack target. Such attacks can lead to downtime costs and to attackers gaining remote access to and control of the vehicle, which may cause serious security and safety concerns.
In India, fully automated cars or self-driving cars will not be produced for security and safety reasons until the year 2035. The autonomous or self-driving cars market in India is projected to grow at a 20.8% CAGR during 2022-2032 (Spherical Insight Report).
Some issues that should be addressed before the full commercialization of AVs
- Owner & passenger information: AVs may collect data for a variety of purposes such as authentication, customized comfort, entertainment settings, and passenger information. This data can likely be used to identify users easily. So, the user’s data should be protected from disclosure by the state departments of vehicles.
- Location information & tracking: Location data such as routes, destinations, etc., is captured by the vehicle for navigation purposes. This data should also be protected, as it can be used to track the user directly and hamper the user's privacy.
- Vehicle cameras & sensor data: AVs collect enormous amounts of data on the surroundings, roads, destinations, buildings, Wi-Fi information, driving habits, voice recognition of the user, etc., without the knowledge and consent of the user.
Addressing Privacy Concerns in Autonomous Vehicles
Anonymization. Privacy By Design. Industry Guidance.
Autonomous vehicle data can be anonymized, but steps must be taken to prevent re-identification. Companies should build security into their devices from the outset by conducting a privacy risk assessment, minimizing data collection, and testing measures before launching products. Industry resources like the Alliance of Automobile Manufacturers and the Association of Global Automakers can provide customer privacy protection principles. Accessibility is also crucial in the development of autonomous vehicles.
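The anonymization and re-identification point above, applied to the location data described earlier, as an added example that is not part of the original article. It replaces vehicle IDs with a keyed hash, coarsens trip endpoints to a grid, and suppresses any origin/destination pair shared by fewer than k vehicles; the trip records, key, grid size, and function names are all constructed assumptions.

```python
import hashlib
import hmac
import math
from collections import defaultdict

# Constructed sample trips: (vehicle_id, start_lat, start_lon, end_lat, end_lon).
TRIPS = [
    ("VEH-A", 12.9716, 77.5946, 12.9352, 77.6245),
    ("VEH-B", 12.9721, 77.5949, 12.9358, 77.6241),
    ("VEH-A", 12.9718, 77.5943, 12.9355, 77.6248),
    ("VEH-C", 13.0358, 77.5970, 12.9352, 77.6245),  # unique route
]


def pseudonymize(vehicle_id: str, key: bytes) -> str:
    """Keyed hash: without the key, known IDs cannot be hashed and matched."""
    return hmac.new(key, vehicle_id.encode(), hashlib.sha256).hexdigest()[:16]


def cell(lat: float, lon: float, size: float = 0.01) -> tuple:
    """Snap a coordinate to a grid cell index (0.01 degree is roughly 1 km)."""
    return (math.floor(lat / size), math.floor(lon / size))


def anonymize(trips, key: bytes, k: int = 2):
    """Return (released_rows, suppressed_count).

    A route (start cell, end cell) is released only if at least k distinct
    vehicles share it; a route driven by one vehicle is effectively a
    home/work fingerprint and would re-identify its owner.
    """
    rows = []
    vehicles_per_route = defaultdict(set)
    for vid, slat, slon, elat, elon in trips:
        route = (cell(slat, slon), cell(elat, elon))
        pid = pseudonymize(vid, key)
        rows.append((pid, route))
        vehicles_per_route[route].add(pid)
    released = [r for r in rows if len(vehicles_per_route[r[1]]) >= k]
    return released, len(rows) - len(released)


if __name__ == "__main__":
    released, suppressed = anonymize(TRIPS, key=b"demo-key-not-for-production")
    for pid, route in released:
        print(pid, route)
    print("suppressed trips:", suppressed)
```

The pseudonym still links trips by the same vehicle, so a release like this should also be reviewed for how many trips per pseudonym it exposes.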
Data Privacy Laws in India
The DPDP Act in India enforces personal data privacy, addressing Data Fiduciaries’ rights within India and outside for business offerings. It outlines the rights of the Data Principal in Sections 11 to 14 and provides penalties for non-compliance.
This act requires Original Equipment Manufacturers (OEMs) to collect and process consumers’ personal data legally. To effectively address privacy concerns, auto OEMs must implement a robust privacy framework involving Process, People, Technology, and Governance (PPTG). Data minimization, well-defined purposes, security mechanisms, data anonymization, clear guidelines for sharing data with third parties, effective enforcement mechanisms, user consent, clear privacy policies, and data control are essential.