Home Insights All roads lead to the internet: privacy in the age of autonomous vehicles

All roads lead to the internet: privacy in the age of autonomous vehicles

We are on the brink of the next mobility revolution. 

Not since the combustion engine car ended the era of horse and cart has there been such a significant change in the way we transport people and freight. It will impact not just how we travel but where we want to live, the design of our cities, the way we plan our infrastructure. It promises great benefits – increased mobility for all, elimination of transport related death and injury, reduced travel times and increased options for what we do when we travel. It also threatens – elimination of truck and taxi driver jobs, misuse of vast new amounts of personal data, critical interdependency between transport and high tech communications and the emergence of transport monopolies. The introduction of autonomous vehicles on Australian roads is approaching fast. 

The transition from where we are today to a transport system saturated with autonomous vehicles will be especially challenging. We have no ‘roadmap’ to work from. Governments, businesses and people living their everyday lives will be asked to make decisions quickly, flexibly and as best they can with imperfect information – decisions which in hindsight are guaranteed to be sub-optimal.

The decisions that will be made will involve many of the legal areas that regulate our society – from personal injury, product liability and workplace health and safety, road rules, to data protection and intellectual property, competition, planning, building standards and industrial relations. In a series of articles beginning with our opening focus on privacy, Corrs experts will explore the implications of autonomous vehicles, the challenges we can anticipate and the responses needed from Australia’s legal system.

Achieving the promised advantages of autonomous vehicles will involve a massive collection of data – much of it personal information. What can we do to ensure that information management systems that collect information from autonomous vehicles are trusted?


Current autonomous vehicles use finely-tuned sensors to understand and react to the external environment. Complex software churns data collected from those sensors to make decisions without human intervention – thereby achieving “autonomy”. The process is, understandably, data-heavy.

It is likely that most of this data will be stored. It will be analysed if there is an incident, and used to improve autonomous vehicle technologies and systems.

As autonomous vehicles evolve and as their use reaches a critical saturation point, there will be less reliance on sensors and more use of networked interaction with other autonomous vehicles and smart city infrastructure.

Again, this will be a data intensive process and will involve exchange of data between different systems controlled by different entities – Intel Corporation estimates that one autonomous vehicle may generate four terabytes of data in about 1.5 hours of driving.[1] Compare this with Virgin Atlantic’s estimate that its new Boeing 787s each generate half a terabyte per flight.

And the data that the autonomous vehicles process to integrate with the surrounding environment is likely to be only the tip of the iceberg. An autonomous vehicle will also likely collect information about its users for the purpose of access (for example, facial recognition information) as well as location information (where you go, how long you were there, where you chose to go next) and your experience preferences (for example, air conditioning temperature, music etc).

Should we be alarmed by any of this? Mobile phones and many of the numerous companies running apps on them already collect personal information including location information. However, recent events have shown the disconnect between what people know about information collected about themselves and how it will be used. Automated vehicles will be generating another data set – equally, if not more, valuable than that of phones – and it is important that privacy protections are exceptional and meet the growing privacy demands of the community.


Our current privacy laws in Australia apply to companies making more than $3 million. In brief, they require them to:

  • only collect personal information relevant to their functions and activities;

  • make people aware of personal information collection and how that information is used through an up-to-date privacy policy and collection notices provided at the time information is collected;

  • only use and disclose personal information for the purpose for which it is collected, with the individual’s consent, and for limited other purposes; and

  • keep personal information secure.

These principles already reflect the guidance coming out in jurisdictions around the world for privacy in the context of autonomous vehicle technology.

In 2014, the Alliance of Automobile Manufacturers and the Association of Global Automakers agreed on a set of “Privacy Principles” for vehicle technologies, which notably included the principles of transparency, choice and data minimisation.

The United States’ National Highway Traffic Safety Administration has actively promoted that privacy should be taken into account at the design stage of autonomous vehicle technology as "privacy considerations are critical to consumer acceptance”.[2]

It is vital that autonomous vehicle technology companies comply with privacy laws and that individuals using autonomous vehicles are well informed as to what information is collected and how it can be used. Unfortunately, many companies’ privacy practices do not neatly align with the laws – “consent” for particular privacy practices may be obtained through bundled click-wrap agreements, and collection notices are often forgotten. Any leniency displayed by companies in privacy compliance should not be afforded to autonomous vehicle technology providers.

It is important that:

  1. users are made aware of what information will be collected – such notice shouldn’t be hidden away in small-print terms, but should be brought to their attention prominently on first use of the vehicle;

  2. users are given choice about what information is collected – there should be options for users to remain anonymous where possible (e.g. an option not to use facial recognition technology);

  3. users are informed about changes in information practices – again, this should be brought to their attention prominently and promptly after any such changes.


Who will own the data collected by the vehicles? Is it the manufacturer, the software developer, the vehicle owner or the vehicle user?

If the answer was at all clear before, it won’t be soon. The government has committed to introducing a ‘consumer data right’ which gives individuals comprehensive rights to data created about them by businesses in specific sectors. It is not yet clear what kind of ‘right’ the government envisages, but such right is likely to allow individuals to take a copy of information about them or direct it to be given to other companies (including competitors).

So far, the commitment extends to consumer data held by banking, electricity and telecommunications companies, however it is likely to be expanded - possibly to transportation and technology companies.

In light of this, technology developers should be mindful about the anticipated use of the data that autonomous vehicle technology collects. Such companies may only have a limited licence to this information, with ‘ownership-style’ rights held by the individual in question. In particular, companies should be considering what kinds of information they do not want an individual to be able to provide to their competitors.


Location information is a category of information currently under the radar of privacy regulation, being treated only in the general category ‘personal information’.

Such information should arguably be as a sub-set of personal information deserving of special protection due to safety/security concerns given it can disclose an individual’s current position as well as their movements. Currently, location information is only protected by the Federal and State privacy laws if it is collected by an entity bound by those Acts – generally speaking this is federal and state government agencies, and companies making more than $3 million in revenue per year.

Such an idea has already been proposed in some jurisdictions, with the US introducing the Geolocation Privacy and Surveillance Act into the House in June 2017 (where it has not since progressed).

The collection of location information, especially in real time, is akin to surveillance – an area of law in which Australia has patchwork legislation with numerous gaping holes.

Such information would be better protected if we ensured that:

  • any person collecting location information (even those not bound by privacy legislation) was only able to do so with the free and informed consent of the individual; and

  • any recipient of location information was only able to use it in the manner to which the individual consents (e.g. providing fitness tracking services) and for no other reason.


Putting in place effective information practices is only the first step in managing information issues associated with autonomous vehicles technology. The second step is to ensure that such information is secured and protected from accidental disclosure or unauthorised access by third parties (hackers).

These issues are particularly in the spotlight given the recent introduction of laws requiring companies to notify the Australian privacy regulator and affected individuals of serious data breaches – a massive source of reputational risk for technology companies.

Our next article will focus on these cyber security issues.

This article was originally co-authored by David Warren.



Construction, Major Projects and Infrastructure Technology, Media and Telecommunications

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.