Designing Connected and Automated Vehicles around Legal and Ethical Concerns: Data Protection as a Corporate Social Responsibility Paolo Balboni ∗ paolo.balboni@maastrichtuniversity.nl Maastricht University ś Faculty of Law ś Private Law Bouillonstraat 3, 6211 LH Maastricht, The Netherlands paolo.balboni@ictlegalconsulting.com ICT Legal Consulting Via Borgonuovo 12, 20122 Milan, Italy Anastasia Botsi anastasia.botsi@ictlegalconsulting.com ICT Legal Consulting International Piet Heinkade 55, 1019 GM Amsterdam, The Netherlands Kate Francis kate.francis@ictlegalconsulting.com ICT Legal Consulting Via Borgonuovo 12, 20122 Milan, Italy Martim Taborda Barata martim.tabordabarata@ictlegalconsulting.com ICT Legal Consulting International Piet Heinkade 55, 1019 GM Amsterdam, The Netherlands ABSTRACT Emerging technologies and tools based on Artifcial Intelligence (AI), such as Connected and automated vehicles (CAVs), present novel regulatory and legal compliance challenges while at the same time raising important questions with respect to ethics and trans- parency. On the one hand, CAVs bring to light theoretical and practical challenges to the implementation of the multi-dimensional obliga- tions of the current European personal data protection legal frame- work, including the General Data Protection Regulation (GDPR), the ePrivacy Directive, 1 and where applicable, the Directive for a high common level of security and information systems (NIS Direc- tive or NISD). 2 As mere examples, CAV developers currently face multiple legal hurdles to overcome, including the necessity to fulfl controller and/or processor obligations in complex data process- ing scenarios 3 and tensions with the GDPR’s principle of purpose ∗ Prof. Dr. Paolo Balboni is Professor of Privacy, Cybersecurity, and IT Contract Law at the European Centre on Privacy and Cybersecurity (ECPC) within the Maastricht University Faculty of Law and Founding Partner of ICT Legal Consulting. 1 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. 2 The NISD, applicable to operators of essential services and digital service providers, ensures the security of network and information systems vital to economic and societal activities and to the functioning of the internal EU market. Also see Recital (1) NISD. 3 Under the GDPR there are two main roles that an organization can take on regarding an activity which involves the processing of personal data: that of controller, or that of processor. Article 4 (7) GDPR defnes controller as łthe natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal dataž; where two or more controllers jointly determine the purposes and means of a given processing activity, they will be considered as łjoint controllersž under Article 26 GDPR. Article 4(8) GDPR defnes processor as ła natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller ž. Depending on the data protection role which is applicable to an organization, its obligations will change, as can be better seen in Articles 25 to 28 GDPR. WAIEL2020, September 3, 2020, Athens, Greece Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). limitation 4 (which comes at odds with the autonomous processing of personal data through AI in the CAV, which may be based on a (re)interpretation of goals, or, possibly, a shift in focus from the original goal for which personal data was collected). Additionally, the overall need for relatively large datasets to properly train and leverage AI functionalities leads to conficts with the principle of data minimization. 5 When applied to AI systems, the requirement of data protection by design and by default also presents difculties, as data protection by default is possible only when the necessary personal data is processed for a specifc purpose. 6 Moreover, the ePrivacy Directive has been interpreted by European Supervisory Authorities ś notably, the European Data Protection Board (EDPB) 7 ś as requiring a company wishing to store or access information stored within a CAV to obtain specifc consent from CAV users for these specifc activities. Furthermore, an additional legal basis must be determined (possibly necessitating those companies to make a double request for consent) for any subsequent use of the infor- mation stored or accessed, such as the analysis of telematics data collected from a CAV. This interpretation creates challenges at the technical and legal levels in particular where the legal basis defned for subsequent use of CAV information is not consent, such as in the case of pay-as-you-drive insurance, where the contract entered into between the CAV user and an insurance company serves as a legal basis for the processing of their personal data. A confict between the legal basis used for information storage/access ś consent, which 4 According to Article 5(1)(b) GDPR, the personal data must be łcollected for specifed, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposesž. 5 The principle of data minimization according to Article 5(1)(c) GDPR, requires that personal data are processed to the extent to which it is ładequate, relevant and limited to what is necessary in relation to the purposes for which they are processedž. 6 Commission Nationale Informatique & Libertes, Compliance Package: Connected vehicles and personal data. October 2017. Available at: https://www.cnil.fr/sites/default/ fles/atoms/fles/cnil_pack_vehicules_connectes_gb.pdf. 7 European Data Protection Board, Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications. 28 January 2020. Available at: https://edpb.europa.eu/sites/edpb/fles/consultation/edpb_guidelines_ 202001_connectedvehicles.pdf.