Call for clarity on data sharing in driverless cars

AXA calls for clarity on data sharing and cyber security to drive forward the driverless cars revolution

AXA is calling on the government to clarify the rules on the sharing of data for autonomous vehicles and for the development of cyber security standards. This is fundamental to support the development and exploitation of the technology required to maintain the future of driverless cars.

6 July 2017

Posted in Innovation

In a report, jointly produced by AXA, insurance lead in the Flourish driverless cars consortium, along with independent UK law firm Burges Salmon, it identifies the emerging issues relating to the evolution of Connected & Autonomous Vehicles (CAVs) and makes recommendations pertaining to investment, data and cyber security that will contribute to the next stage of driverless vehicles development.

The transport sector is undergoing a period of unprecedented technological change, which has the potential to open up new opportunities for UK growth and improve accessibility to better meet the needs of the customer.

Connectivity is fundamental to the evolution of the transport ecosystem but brings with it new and emerging risks, such as cyber security and data protection.

The fact is the emerging CAV ecosystem is bigger than any one industry. If we genuinely believe in the societal benefits CAVs can bring then it is incumbent on motor manufacturers, infrastructure providers and transport network operators to standardise and allow access to crucial data. That way, the relevant third parties such as insurers and the emergency services will be able play their part in the event of an accident.

If we are serious about a world in which children born today will never need to take a driving test then we need to get CAV cyber security and data protection right.

David Williams, Technical Director at AXA

From the legal perspective, we've picked some calibrated recommendations in specific areas because it's a huge area of importance. It's difficult to identify the specifics so we've broken it down into two parts.

Firstly security - will this be categorised as operators of essential services and the cyber strategy that flows from that. Secondly, data - there are specifics measures that apply to specific data to draw that balance between usability and the effectiveness of the system opening up the competition but also protecting people's data. Who is processing it, what is the position of an operator, what is the regulation, what is the basis of consent? For example, do people have the right to turn off location services if they are an effective part of making the system safe? The temptation is for all parties to look at data as one amorphous lump but it's much wider than that and that's what we're working to resolve.

Chris Jackson, Head of Transport at Burges Salmon

The Flourish consortium is looking at the development in user-centric autonomous vehicle technology and connected transport systems. The programme, co-funded by the UK’s innovation agency - Innovate UK, focuses on the core themes of connectivity, autonomy and customer interaction.

To access a full copy of the report, please click on the following link: www.flourishmobility.com/

In the report, AXA and Burges Salmon recommend the following measures:

Data

The Government should consult on the implications of the General Data Protection Regulation for connected and autonomous vehicles and access to data for third parties, as this will play a crucial role in the development of the technology. In particular, the Government should look at how the system of data controllers and processors will work in the context of autonomous vehicles; whether the standards of consent are appropriate in this context; and what role encryption can and should play in relation to CAV data.
The ICO should produce further guidance on whether CAV data falls into either data processes for public health purposes in the public interest or for archiving purposes in scientific research, in order to clarify the extent of the ‘right to be forgotten’ in this area.
The Government should clarify its position on security services or other regulatory access to encrypted data, in order to allow for any need for security services or regulators to access CAV data to be taken into account during the development of the technology.

Consent

The ICO should clarify what form of consent is required for use of ‘Special Categories’ under the GDPR, including whether or not an individual can provide consent on behalf of another individual.
DCMS should work with stakeholders to establish necessary alternative legal bases to consent or permitted use for the processing of CAV data, for example where data is required to ensure the safety of CAVs.

Cyber Security

The Government should also consult on cyber security issues raised by a connected transport ecosystem, to ensure that the unique risks are understood and the appropriate safeguards put in place when the technology is rolled out.
The Government should clarify whether CAV operators will be designated as “operators of essential services” within the UK and therefore whether they are required to comply with the NIS Directive, including in the light of the Brexit negotiation outcome.
The Government should clarify in other respects how it would intend to regulate the standards and operation of CAVs and CAV systems as they relate to data and data security so that they can be incorporated by design.
Government and Industry should consider potential approaches to approvals and regulation of the supply chain including parts and maintenance organisations. This should draw on experience in equivalent industries and transport modes such as Rail (for example the approval of Entities in Charge of Maintenance) and Aviation (Maintenance Organisation Approvals and Production Organisation Approvals).

Investment

The Government should continue to invest in the development of CAV technology, including through funding for creation of test facilities, and industry-led research and development projects.

Media contacts

Legal notes

About AXA UK

AXA Insurance UK plc registered in England and Wales under registered number 078950 and authorised by the Prudential Regulation Authority and regulated by the Prudential Regulation Authority and the Financial Conduct Authority under Financial Conduct Authority registration number 202312. Registered office is 20 Gracechurch Street, London, EC3V 0BG.

AXA UK is part of the AXA Group, a worldwide leader in insurance and asset management, with 147,000 employees serving 94 million clients in 50 countries. In 2023, IFRS revenues amounted to Euro 102.7 billion and underlying earnings to Euro 7.6 billion. AXA had Euro 844 billion in assets under management as of December 31, 2023.

In the UK & Ireland, AXA operates through a number of business units including: AXA Insurance, AXA Health and AXA Ireland. AXA UK & Ireland employs around 10,000 staff.

Important legal information and cautionary statements concering forward-looking statements

Certain statements contained herein may be forward-looking statements including, but not limited to, statements that are predictions of or indicate future events, trends, plans, expectations or objectives. Undue reliance should not be placed on such statements because, by their nature, they are subject to known and unknown risks and uncertainties and can be affected by other factors that could cause AXA’s actual results to differ materially from those expressed or implied in such forward looking statements. Please refer to Part 5: “Risk Factors and Risk Management” of AXA’s Universal Registration Document 2022, for a description of certain important factors, risks and uncertainties that may affect AXA’s business and / or results of operations. AXA undertakes no obligation to publicly update or revise any of these forward-looking statements, whether to reflect new information, future events or circumstances or otherwise, except as required by applicable laws and regulations.

AXA is involved in three other government funded autonomous vehicle trials:

The Venturer consortium is trialling autonomous vehicles in the Bristol and South Gloucestershire council areas to explore the feasibility of driverless cars in the UK. The project will investigate the legal and insurance aspects of driverless cars and explore how the public react to such vehicles.

UK Autodrive is a three year programme led by engineering and consultancy firm, Arup. The consortium - which includes forward thinking local authorities, the UK’s leading technology and automotive businesses and academic institutions - will develop autonomous vehicle technologies and integrate driverless vehicles into existing urban environment.

CAPRI will deliver a pilot scheme that could pave the way for the use of connected and autonomous vehicles to move people around airports, hospitals, business parks, shopping and tourist centres.

About FLOURISH

FLOURISH is a multi-sector collaboration, helping to advance the successful implementation of Connected and Autonomous Vehicles (CAVs) in the UK, by developing services and capabilities that link user needs and system requirements. The three year project, worth £5.5 million, seeks to develop products and services that maximise the benefits of Connected and Autonomous vehicles for users and transport authorities. By adopting a user-centred approach, FLOURISH will achieve a better understanding of consumer demands and expectations, including the implications and challenges of an ageing society.

FLOURISH will address vulnerabilities in the technology powering CAVs, with a focus on the critical areas of cyber security and wireless communications. The project is trialled in the Bristol and South Gloucestershire region and is part funded from the government's £100 million Intelligent Mobility fund, which is administered by the Centre for Connected and Autonomous Vehicles (CCAV) and delivered by the UK's Innovation Agency, Innovate UK.