23 October 2018

Regulating government access to C-ITS and automated vehicle data

This article was written by Michael Swinson, Alexey Monin and Sally-Knowles Jackson.

The Discussion Paper

On 27 September the National Transport Commission (NTC) released a discussion paper regarding the regulation of access to cooperative intelligent transport system (C-ITS) and automated vehicle data. The discussion paper:

  • considers the new privacy challenges associated with government collection and use of information likely to be generated by C-ITS and automated vehicle technology; and
  • summarises the reasons why the NTC does not consider that Australia’s existing information access framework sufficiently addresses these privacy challenges, and outlines a series of options for correcting this.

While the discussion paper and this article will focus on issues associated with the collection of C-ITS and automated vehicle data by government agencies, there are other risks and challenges associated with private individuals and organisations (including operators of automated vehicles and associated services) collecting the same data.

What is a C-ITS?

A C-ITS is a network of transport related devices (eg. vehicles, roads and infrastructure) that communicate and share real-time information (eg. traffic, road conditions, vehicle speed and location). Some automated vehicles may implement C-ITS technology to enhance their operation.

Information generated by C-ITS technology can be used to inform and enhance government decision making on law enforcement, traffic management, road safety and infrastructure and network planning. However, this may also raise concerns with respect to how the personal and sensitive information created by the use of those technologies is managed and protected.

New data collection capabilities offered by C-ITS technology

C-ITS and automated vehicle technology will enable collection of a far greater breadth and depth of information than conventional vehicles. For example, C-ITS technology may enable further widespread collection of very high-resolution location information, and new in-car technology may enable the collection of types of information on a scale not previously contemplated by existing privacy regulations (eg. video recording internal to the vehicle, vehicle-to-vehicle and vehicle-to-infrastructure communication, biometric, biological or health sensors installed in the vehicle to monitor driver alertness or customise the driving experience etc).

While this type of information may already be regulated to a degree by existing laws – such as the Privacy Act 1988 (Cth) (Privacy Act), which regulates the collection, use and disclosure of personal information, the NTC considers that these laws are not adequate to deal with issues arising from potential government access to information generated by C-ITS technology. In particular, the NTC has concerns that:

  • the collection, use and disclosure of C-ITS and automated vehicle data by government organisations may result in increased opportunities for surveillance, and surveillance device laws do not place sufficient practical restrictions on government collection of personal information; 
  • the Privacy Act does not restrict the direct collection of personal information by government agencies if the information ‘is necessary for one or more of its functions or activities’ and this could leave broad scope for government agencies to collect data through C-ITS technology for a wide range of purposes; 
  • road transport laws currently facilitate information sharing between road agencies and police; and
  • existing requirements to destroy or de-identify personal information in certain conditions are too narrow and in practice may not significantly curtail the ability for government agencies to hold onto information generated through C-ITS for a long period. There may also be practical issues about how government would de-identify this type of information because of the wide range of potential identifiers it may contain.

4   NTC’s draft principles for dealing with these challenges

The NTC’s preliminary view about the preferred way to deal with the above challenges is to agree on broad principles that limit the collection, use and disclosure of C-ITS information (as opposed to directly limiting the organisations that can use it or relying on the existing legislation as-is). The principles proposed by the NTC are as follows:

  1. C-ITS and automated vehicle information must be clearly defined to ensure any additional privacy protections only capture relevant information; 

  2. government organisations should err on the side of caution and consider treating C-ITS and automated vehicle information as personal information (unless there are legitimate reasons not to do so); 

  3. a regulatory framework that supports lawful collection, use and disclosure of C-ITS and automated vehicle information needs to be developed. Additional privacy protections will likely be needed to appropriately limit the collection, use and disclosure of C-ITS and automated vehicle information to specific purposes, in particular, safety and network efficiency. This must be balanced with ensuring that the benefits of government access to C-ITS and automated vehicle data, including in delivering value to the public, can be realised; 

  4. the additional privacy protections for C-ITS and automated vehicle information should be legislative to ensure they interact appropriately with legislative collection powers and other legislated privacy protections; 

  5. the additional privacy protections should specify:
  6. a) the C-ITS and automated vehicle information covered. Stronger protections may need to be afforded for more sensitive information; b) the purpose(s) for which the information may be used (these will then be considered in conjunction with any access powers developed as part of further automated vehicle reforms); and c) the parties to whom any specific purpose limitations apply;

  7. governments should consider: 
  8. a) notifying users of how the C-ITS and automated vehicle information collected by an agency will be used, disclosed and stored; and

    b) destroying C-ITS and automated vehicle information after a set amount of time or as soon as it is no longer necessary for the purpose for which it was collected.

  9. governments should consider:
  10. a) aggregating the C-ITS and automated vehicle information they collect

    b) obtaining relevant consents from users when collecting information from them; and

    c) providing users with the option to opt out of government collection of their personal information; and

  11. privacy protections for C-ITS and automated vehicle data should be regularly reviewed to ensure privacy is adequately protected.

5   What’s next?

Submissions to the NTC are due by 22 November 2018 and the NTC intends to develop recommendations and next steps to implement the recommendations for the Transport and Infrastructure Council meeting in May 2019 (at which those recommendations are expected to be agreed). If you would like assistance in further understanding the discussion paper, how the principles contained in it or the recommendations that follow may affect your business, please don’t hesitate to contact us.

Key contacts

The Future Project

With the rapid pace of change in our markets and the emerging challenges and opportunities facing our clients, we’re diving into key issues that our clients may face in the future.

overaching image

Data Central

Have you checked out our new Data Hub? Data Central contains a range of resources to help our clients minimise the legal, regulatory and commercial risks this data-driven environment presents and ensure that its full value is being realised.

Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    The rules regarding an employer’s use of “default” superannuation funds are about to change.

    29 October 2021

    An exposure draft has been released of a Bill that would require the development of a new binding code under the Australian Privacy Act to impose enhanced compliance obligations on social media...

    26 October 2021

    From 11 November 2021, the Fair Work Commission (FWC) will be able to make stop sexual harassment against employers or individuals.

    26 October 2021

    Operators of wind farms have new obligations for annual reporting to the EPA as well as ongoing monitoring over the life of the wind farm.

    26 October 2021

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.