AXA calls for clarity on data sharing and cyber security to drive forward the driverless cars revolution

AXA is calling on the government to clarify the rules on the sharing of data for autonomous vehicles and for the development of cyber security standards. This is fundamental to support the development and exploitation of the technology required to maintain the future of driverless cars.

6 July 2017

Posted in Innovation

by Jennifer Chilcott (see media contact)

In a report, jointly produced by AXA, insurance lead in the Flourish driverless cars consortium, along with independent UK law firm Burges Salmon, it identifies the emerging issues relating to the evolution of Connected & Autonomous Vehicles (CAVs) and makes recommendations pertaining to investment, data and cyber security that will contribute to the next stage of driverless vehicles development.

The transport sector is undergoing a period of unprecedented technological change, which has the potential to open up new opportunities for UK growth and improve accessibility to better meet the needs of the customer.

David Williams, Technical Director, AXA

Connectivity is fundamental to the evolution of the transport ecosystem but brings with it new and emerging risks, such as cyber security and data protection.

The fact is the emerging CAV ecosystem is bigger than any one industry. If we genuinely believe in the societal benefits CAVs can bring then it is incumbent on motor manufacturers, infrastructure providers and transport network operators to standardise and allow access to crucial data. That way, the relevant third parties such as insurers and the emergency services will be able play their part in the event of an accident.

If we are serious about a world in which children born today will never need to take a driving test then we need to get CAV cyber security and data protection right.

David Williams, Technical Director at AXA
Chris Jackson, Head of Transport at Burges Salmon

From the legal perspective, we've picked some calibrated recommendations in specific areas because it's a huge area of importance. It's difficult to identify the specifics so we've broken it down into two parts.

Firstly security - will this be categorised as operators of essential services and the cyber strategy that flows from that. Secondly, data - there are specifics measures that apply to specific data to draw that balance between usability and the effectiveness of the system opening up the competition but also protecting people's data. Who is processing it, what is the position of an operator, what is the regulation, what is the basis of consent? For example, do people have the right to turn off location services if they are an effective part of making the system safe? The temptation is for all parties to look at data as one amorphous lump but it's much wider than that and that's what we're working to resolve.

Chris Jackson, Head of Transport at Burges Salmon

The Flourish consortium is looking at the development in user-centric autonomous vehicle technology and connected transport systems. The programme, co-funded by the UK’s innovation agency - Innovate UK, focuses on the core themes of connectivity, autonomy and customer interaction.

To access a full copy of the report, please click on the following link:

In the report, AXA and Burges Salmon recommend the following measures:


  • The Government should consult on the implications of the General Data Protection Regulation for connected and autonomous vehicles and access to data for third parties, as this will play a crucial role in the development of the technology. In particular, the Government should look at how the system of data controllers and processors will work in the context of autonomous vehicles; whether the standards of consent are appropriate in this context; and what role encryption can and should play in relation to CAV data.
  • The ICO should produce further guidance on whether CAV data falls into either data processes for public health purposes in the public interest or for archiving purposes in scientific research, in order to clarify the extent of the ‘right to be forgotten’ in this area.
  • The Government should clarify its position on security services or other regulatory access to encrypted data, in order to allow for any need for security services or regulators to access CAV data to be taken into account during the development of the technology.


  • The ICO should clarify what form of consent is required for use of ‘Special Categories’ under the GDPR, including whether or not an individual can provide consent on behalf of another individual.
  • DCMS should work with stakeholders to establish necessary alternative legal bases to consent or permitted use for the processing of CAV data, for example where data is required to ensure the safety of CAVs.

Cyber Security

  • The Government should also consult on cyber security issues raised by a connected transport ecosystem, to ensure that the unique risks are understood and the appropriate safeguards put in place when the technology is rolled out.
  • The Government should clarify whether CAV operators will be designated as “operators of essential services” within the UK and therefore whether they are required to comply with the NIS Directive, including in the light of the Brexit negotiation outcome.
  • The Government should clarify in other respects how it would intend to regulate the standards and operation of CAVs and CAV systems as they relate to data and data security so that they can be incorporated by design.
  • Government and Industry should consider potential approaches to approvals and regulation of the supply chain including parts and maintenance organisations. This should draw on experience in equivalent industries and transport modes such as Rail (for example the approval of Entities in Charge of Maintenance) and Aviation (Maintenance Organisation Approvals and Production Organisation Approvals).


  • The Government should continue to invest in the development of CAV technology, including through funding for creation of test facilities, and industry-led research and development projects.