Although it is likely to be some time yet before fully autonomous vehicles become a common sight on our roads, automated and, ultimately, autonomous driving has the potential to fundamentally revolutionise mobility. In addition to the remaining technological challenges on the path to full automation, a host of questions arise not only from a liability law perspective but also, in particular, from a data protection perspective.
New legal framework
In March 2023, Parliament adopted a partial revision of the Road Traffic Act of 19 December 1958 (SVG, SR 741.01). This amendment is intended to lay the groundwork for automated driving to become a reality in Switzerland as soon as the safety requirements have been sufficiently met. The legislative revision grants the Federal Council various regulatory powers. The Federal Council has already made use of these powers and submitted the Ordinance on Automated Driving (AFV) for consultation in October 2023. The Act and the Ordinance are expected to come into force in the course of 2025.
At the heart of this legislative revision lies the question of the extent to which the driver of a vehicle equipped with an automation system is exempted from their duties of care and control (see the new Art. 25b) and under what conditions driverless vehicles will be permitted on the roads.
In addition, the revised Road Traffic Act also contains provisions on data protection issues, which mainly concern the so-called ‘driving mode memory’. According to the new Art. 25e(2) of the Road Traffic Act, vehicles equipped with an automation system must be fitted with a driving mode recorder that records certain events and stamps them with a timestamp. These include, in particular, the activation and deactivation of the automation system.
According to the Federal Council’s message, the driving mode recorder is intended to record certain parameters so that it can be determined retrospectively whether, at a specific point in time, the driver or the automation system was responsible for a particular driving behaviour. Under the new Art. 25g para. 3 of the Road Traffic Act (SVG), the data from the driving mode memory may be read and processed by the competent police, judicial and administrative authorities for the purpose of investigating accidents or assessing breaches of road traffic regulations. The data must be deleted by the competent authority as soon as it is no longer required, but no later than six months after the conclusion of the proceedings. Under the new Art. 25g(1) of the Road Traffic Act, the vehicle owner may only access data stored during journeys by third parties if they can demonstrate a legitimate interest. Such an interest would, for example, be deemed not to exist if the owner were to use the information to check the vehicle’s usage time.
Applicability of general data protection law
The revision of the Road Traffic Act has laid an important foundation for automated driving to become a reality in Switzerland. The driving mode memory records the most important actions and events during automated driving. In this regard, the revised Road Traffic Act (SVG) stipulates in Article 25e(2) that the driving mode memory must be protected against unauthorised access and manipulation. However, the data from the legally required driving mode memory allows only very limited conclusions to be drawn about the vehicle owner or driver. This primarily concerns data relating to the technical interaction between the driver and the automation system. In addition to the data collected by the driving mode memory, automated driving is inextricably linked to the collection of a wide range of other data, which may also involve personal data of third parties (such as passers-by and passengers). For instance, all road users are continuously recorded by the automated vehicle’s sensors and cameras.
Data processing beyond the minimum requirements in the driving mode memory is not directly covered by the revision of the Road Traffic Act (SVG), which is why the general data protection framework must be applied. In the absence of specific statutory provisions, the Federal Act on Data Protection of 25 September 2020 (FADP, SR 235.1) and the Data Protection Ordinance (DPO) are primarily applicable. In practice, the General Data Protection Regulation of 27 April 2016 (EU 2016/679, GDPR) will also be of great significance, as numerous car manufacturers are based in the European Union and will primarily base their vehicle development on this regulatory framework. Automated vehicles frequently use systems from international manufacturers whose data processing facilities are located abroad. In such scenarios, the principles governing data transfers abroad must also be observed (see Art. 16 FADP).
The new Road Traffic Act also lacks provisions regarding the use of data in the context of so-called dual SIM cards, which transmit information from the vehicle and/or the driving mode memory to the manufacturer or a garage. Such data exchange continues to be governed by the provisions of the Telecommunications Act of 30 April 1997 (TCA, SR 784.10) or, subsidiarily, by the FADP. The use of data in the context of accident investigations is governed by the Swiss Criminal Procedure Code of 5 October 2007 (StPO, SR 312.0).
Data concerned
In addition to the parameters that must be recorded in the driving mode memory by law, a wide range of other data may potentially be affected, with each step towards fully autonomous driving being accompanied by an increase in the volume of data concerned. The data is primarily collected via sensors (e.g. radar or Light Detection and Ranging [LiDAR]), cameras and the use of GPS technology.
Initially, this concerns data on the technical condition of the vehicle (such as fuel consumption or the condition of the brakes). In addition, data on the vehicle’s surroundings and position is essential for automated driving. The cameras and sensors capture the entire surroundings, which, in addition to road signs and markings, also include buildings, cyclists and pedestrians. This data can form the basis for deciding whether the vehicle needs to swerve to avoid an object lying on the road. It is also worth mentioning data generated in connection with communication between vehicles or between vehicles and infrastructure (so-called connected driving based on (dual) SIM cards from telecommunications service providers). Finally, data on the driver and their behaviour and preferences may also be collected (e.g. regarding preferred routes, travel times or level of attention). Such data can sometimes provide a very personal insight into the driver’s condition, and consequently into their personal life, and may lead to actual profiling (Art. 5(f) FADP). If the driver repeatedly uses the same starting or destination points, so-called geolocation data may also be relevant. Based on this, conclusions and predictions regarding the driver’s personal preferences are possible, for example. This constitutes so-called geolocation data. On the one hand, such data may be analysed by the manufacturer to optimise the user experience. On the other hand, however, manufacturers may also have an incentive to resell such data (e.g. to garages, emergency services and possibly even for advertising). In addition to the driver, passengers may also be affected by data processing, particularly through cameras inside the vehicle or when using (emergency) communication systems.
Swiss data protection law applies only where personal data is processed (Art. 2 para. 2 FADP). Personal data refers to any information relating to an identified or identifiable natural person (Art. 5(a) FADP), whereby the concept of personal data is to be understood broadly. In the field of automated driving, a personal reference exists if the data allows conclusions to be drawn about the driver, passengers or other road users. With regard to the driver, a personal reference may arise, for example, if the mobility data is linked to the registration number, the chassis number or the details from the user account. This is generally the case, as such registration is required for new vehicles.
It is also conceivable that sensitive personal data may be involved, the processing of which is subject to stricter requirements (Art. 5(c) of the Data Protection Act). This is particularly the case if the image or video recordings contain sensitive information. It should also be borne in mind that the vehicle can only be unlocked by means of a previously stored fingerprint, facial recognition or voice recognition. Such measures for the unambiguous identification of the driver require the collection of an individual’s physical or physiological characteristics and therefore fall under the category of biometric data (Art. 5(c)(4) FADP). If, for safety reasons, cameras or sensors inside the vehicle collect data on the driver’s alertness or fitness to drive (e.g. regarding blood alcohol levels or the influence of medication or drugs), the category of health data (Art. 5(c)(2)) may also be relevant in certain circumstances.
Determining the controller
In the field of automated driving, determining the controller responsible for the respective data processing can be a challenge (see Art. 5(j) FADP). The manufacturer is the first party that comes to mind, as it is the manufacturer who, through the technical design of the vehicle, decides which data is collected to enable automated driving. Other potential controllers include the owner, the driver and, finally, the dealer selling the vehicle in question. In such scenarios, the legal concept of joint controllership (‘together with others’), which is expressly provided for by law, may apply. For example, where the driver (alongside the manufacturer) has at least some say over the collection, storage and further processing of camera recordings and can, for instance, play them back retrospectively.
Of practical significance was the determination of the controller in connection with the ‘Sentry Mode’ (Sentry Mode) of the car manufacturer Tesla. This feature is intended to prevent break-ins or thefts. As part of this surveillance function, the surroundings were originally filmed automatically by cameras as soon as people were within a certain distance of the parked vehicle. As with dashcams, the problem with such an approach is that the recordings are made without the consent or knowledge of the individuals concerned, which is why this function has been classified as unlawful in various countries from a data protection perspective. Various Tesla drivers have even been fined for using this feature. Tesla has consistently maintained that control over the data captured in Sentry Mode lies with the driver. In contrast, Tesla drivers held the car manufacturer responsible. Due to data protection concerns, the company has recently adapted the security system in some countries so that Sentry Mode is now only activated if the vehicle is touched at the same time. The feature is now also disabled by default and must be actively switched on by the vehicle user. Law enforcement agencies in Switzerland also use the images recorded by Sentry Mode for offences that are not related to the vehicle recording them.
Justification under data protection law
Even following the creation of the legal framework to enable automated driving in the Road Traffic Act (SVG), questions remain regarding the grounds for justification under data protection law. According to the explanatory memorandum, the new Road Traffic Act provisions were primarily enacted to improve road safety and increase the efficiency of the transport system. In principle, these provisions could serve as a legal justification for data processing in automated vehicles. However, the interests of road safety and increasing the efficiency of the transport system are balanced against the protection of the personal data of the individuals concerned.
With the new provisions in the Road Traffic Act, the legislator has clearly expressed its intention to enable automated driving in Switzerland. As automated driving cannot be operated safely without the collection of certain data, the legislator thereby recognises, at least implicitly, data processing to the extent necessary for this purpose. This includes data that is absolutely essential for the navigation and control of automated vehicles. However, in the absence of explicit legal provisions on the permissible scope of data processing, demarcation issues may arise in practice. In particular, the question of which processing of personal data still corresponds to the primary purpose of road safety and traffic control is unlikely to be clear-cut in all cases. One thing is already clear today: the further data processing moves away from the actual primary purpose (road safety and increasing efficiency in transport systems), the more the controller is required to base the data processing on a different legal basis.
For more extensive data processing in particular, the legal basis of consent by the data subject is therefore likely to be of great importance. This must be given ‘after appropriate information has been provided’ and ‘voluntarily’. Where sensitive personal data is involved, explicit consent is even required (Art. 6(7)(a) FADP). Data controllers will need to take measures here to ensure that consent extends to the actual driver. This can pose additional challenges, particularly where the vehicle owner and the driver are different persons (as is the case, for example, with company vehicles).
Whilst obtaining consent from the owner or driver is still relatively straightforward, this is not possible in the case of other road users, such as passers-by and passengers. In such cases, anonymisation can provide a solution by pixelating the faces of passers-by. It should be noted, however, that pixelation also results in the loss of information regarding the pedestrian’s line of sight, which can provide valuable insights into their intentions in traffic. On the other hand, systems that operate solely with sensors which merely recognise in an abstract sense that the object detected is a human being do not pose any data protection issues.
The justification of overriding private interest or the contract, however, is likely to be of only minor significance (see Art. 31(2)(a) of the Data Protection Act). The justification of the contract presupposes the conclusion of a contract between the manufacturer and the data subject and cannot therefore be invoked in relation to other road users who are not parties to the contract. Furthermore, the justification of the conclusion of a contract relates solely to data intended to reduce contractual risks. In the absence of a direct link to the conclusion of the contract, the manufacturer cannot therefore rely on this justification to, for example, create movement profiles of the driver. However, in relation to a party causing damage (e.g. in the case of parking damage), an overriding private interest may apply in certain circumstances (protection of property). Here, data processing may, for example, be justified in order to enforce one’s own claim for damages.
Outlook and conclusion:
With the revision of the Road Traffic Act, the Swiss legislature has established the legal framework for the use of automated vehicles in road traffic, meaning that the primary responsibility now lies with the car manufacturers. Automated driving is inextricably linked to the collection of a vast amount of data, which may include personal data requiring special protection. Alongside technological issues, data protection concerns will therefore be a key factor in building trust in automated and, ultimately, autonomous driving in the future. As the level of vehicle automation increases, a further rise in the volume of data involved is to be expected. Technical safeguards to prevent cyberattacks and measures to ensure data security are therefore becoming increasingly important. The EU Data Act (much of which will apply from 2025) is also likely to provide further impetus; in particular, it clearly regulates the right of access to data (see also the article by Martin Schirmbacher and Marcus Czempinski ‘Hand over the data! What the Data Act requires’). Furthermore, certifications under data protection law could also play an important role in the future in strengthening public confidence in automated driving. When developing automated vehicles, it is essential to strike the right balance between road safety interests and the numerous aspects of data protection. It remains to be seen how successfully the automotive industry will manage to navigate this tension whilst fully exploiting the potential of this new technology.
Sources
- Amendment to the Road Traffic Act (RTA) of 17 March 2023 (final voting text, BBl 2023 791)
- Message on the amendment to the Road Traffic Act of 17 November 2021, BBl 2021 3026
- Federal Act of 25 September 2020 on Data Protection (DSG, SR 235.1)
- Swiss Criminal Procedure Code of 5 October 2007 (StPO, SR 312.0)
- Telecommunications Act of 30 April 1997 (TCA, SR 784.10)
- Ordinance on Data Protection (Data Protection Ordinance, DSV)
- General Data Protection Regulation of 27 April 2016 (GDPR, EU 2016/679)
- Regulation on harmonised rules for fair data access and use of 13 December 2023 (Data Act, EU 2023/2854)