Although it will probably be some time before fully autonomous vehicles become a common sight on the roads, automated and ultimately autonomous driving has the potential to fundamentally revolutionise mobility. In addition to the remaining technological challenges until full automation is achieved, there are still a number of questions to be answered, particularly from a data protection perspective.

 

New legal framework

In March 2023, Parliament adopted a partial revision of the Road Traffic Act of 19 December 1958 (SVG, SR 741.01). This amendment is intended to form the basis for automated driving to become a reality in Switzerland as soon as the safety requirements are sufficiently met. The revised law grants the Federal Council various regulatory powers. The Federal Council has already made use of these powers and submitted the Ordinance on Automated Driving (AFV) for consultation in October 2023. The law and the ordinance are expected to come into force in the course of 2025.

At the heart of this revision of the law is the question of the extent to which the driver of a vehicle with an automation system is released from their duty of attention and control (see the new Art. 25b) and the conditions under which driverless vehicles are permitted on the road.

The revised Road Traffic Act also contains provisions on data protection issues, which mainly concern the so-called “driving mode memory”. According to the new Art. 25e Para. 2 SVG, vehicles with an automation system must be equipped with a driving mode memory that records certain events and provides them with a time stamp. These include, in particular, the activation and deactivation of the automation system.

According to the Federal Council dispatch, the driving mode memory is intended to record certain parameters in order to be able to determine retrospectively whether the driver or the automation system was responsible for a certain driving behaviour at a certain point in time. According to the new Art. 25g para. 3 SVG, the data from the driving mode memory may be read and processed by the competent police, judicial and administrative authorities for the investigation of accidents or for the assessment of offences against road traffic regulations. The data must be deleted by the competent authority as soon as it is no longer required, but no later than six months after the proceedings have been concluded. According to the new Art. 25g para. 1 SVG, the vehicle owner may only access data stored by third parties during journeys with the vehicle if they can assert a legitimate interest. This would not be the case, for example, if the owner were to use the information to check the period of use of the vehicle.

Applicability of general data protection law

The revision of the Road Traffic Act has laid an important foundation for automated driving to become a reality in Switzerland. The most important actions and incidents of automated driving are documented with the instrument of the driving mode memory. The revised SVG stipulates in Art. 25e Para. 2 that the driving mode memory must be protected against unauthorised access and manipulation. However, this data from the driving mode memory provided for by law only allows conclusions to be drawn about the owner or driver of the vehicle to a very limited extent. This is primarily data relating to the technical interaction between the driver and the automation system. In addition to the data collected by the driving mode memory, automated driving is inextricably linked to the collection of a wide range of other data, which may also include personal data of third parties (such as passers-by and passengers). All road users are continuously recorded by the automated vehicle’s sensors and cameras.

Data processing outside of the minimum requirements in the driving mode memory is not the direct subject of the SVG revision, which is why the general data protection law instruments must be consulted. In the absence of special legislation, the Federal Act on Data Protection of 25 September 2020 (FADP, SR 235.1) and the Data Protection Ordinance (DPO) are primarily applicable. In practice, the General Data Protection Regulation of 27 April 2016 (EU 2016/679, GDPR) will also be of great importance, as many car manufacturers are located in the European Union and will primarily be guided by this set of rules when developing vehicles. Systems from international manufacturers whose data processing facilities are located abroad are frequently used in automated vehicles. In these constellations, the principles of data transfer abroad must also be observed (see Art. 16 FADP).

The new Road Traffic Act also lacks provisions on the use of data in the context of so-called dual SIM cards, which transmit information from the vehicle and/or the driving mode memory to the manufacturer or a garage. Such an exchange of data continues to take place in accordance with the provisions of the Telecommunications Act of 30 April 1997 (TCA, SR 784.10) or, subsidiarily, in accordance with the FADP. The use of data in the investigation of accidents is governed by the Swiss Code of Criminal Procedure of 5 October 2007 (CCP, SR 312.0).

Data concerned

In addition to the parameters that must be recorded in the driving mode memory by law, a wide range of other data is potentially affected, with each step towards fully autonomous driving being accompanied by an increase in the amount of data affected. The data is primarily collected by sensors (e.g. radar or Light Detection and Ranging [LiDAR]), cameras and the use of GPS technology.

Firstly, data on the technical condition of the vehicle (such as fuel consumption or the condition of the brakes) is affected. In addition, data on the vehicle’s surroundings and position is essential for automated driving. The cameras and sensors record the entire surroundings, including traffic signs and road markings as well as houses, cyclists and passers-by. This data can form the basis for deciding whether the vehicle needs to avoid an object on the road. Mention should also be made of data generated in connection with communication between vehicles or between vehicles and infrastructure (so-called networked driving based on (dual) SIM cards from telecommunications service providers). Finally, data can also be collected about the driver and their behaviour and preferences (e.g. on preferred routes, travel times or level of attention). Such data can sometimes provide a very personal insight into the driver’s state of mind, i.e. their personal life, and can lead to actual profiling (Art. 5 lit. f FADP). If the driver repeatedly uses the same starting or destination points, so-called geolocation data may also be of significance: based on this data, it is possible, for example, to draw conclusions and make predictions about the driver’s personal preferences. On the one hand, such data can be evaluated by the manufacturer in order to optimise the user experience. On the other hand, however, manufacturers could also have an incentive to sell such data on (e.g. to garages, emergency services and possibly even for advertising). In addition to the driver, passengers may also be affected by data processing, in particular by cameras in the vehicle interior or when using (emergency) communication systems.

Swiss data protection law only applies if personal data is processed (Art. 2 para. 2 FADP). Personal data is any information relating to an identified or identifiable natural person (Art. 5 lit. a FADP), whereby the term personal data is to be understood broadly. In the area of automated driving, a personal reference exists if the data allows conclusions to be drawn about the driver, co-driver or other road users. With regard to the driver, a personal reference can be made if the mobility data is linked to the licence plate number, the chassis number or the details from the user account. This is probably the case as a rule, as such registration is necessary for new vehicles.

It is also conceivable that particularly sensitive personal data is involved, the processing of which is subject to stricter requirements (Art. 5 lit. c FADP). This is the case in particular if the image or video recordings contain particularly sensitive information. It should also be borne in mind that the vehicle can only be opened by means of previously stored fingerprints, facial recognition or voice recognition. Such measures to uniquely identify the driver of a vehicle require the recording of physical or physiological characteristics of an individual and therefore fall under the category of biometric data (Art. 5 lit. c no. 4 FADP). If, for safety reasons, cameras or sensors inside the vehicle record data on the driver’s attentiveness or fitness to drive (e.g. level of alcohol intoxication, influence of medication or drugs), the category of data relating to health (Art. 5 lit. c no. 2 FADP) may also be affected under certain circumstances.

 

Determination of the controller

One challenge in the area of automated driving can be determining the controller for the respective data processing (see Art. 5 lit. j FADP). The first person to consider is the manufacturer, who decides which data is collected to enable automated driving through the technical design of the vehicle. Other possible controllers are the owner, the driver and finally the dealer who sells the vehicle in question. In constellations of this kind, the statutory definition of joint responsibility (“together with others”) may apply. This is the case, for example, if the vehicle driver (in addition to the manufacturer) can at least co-determine the collection, storage and further processing of camera recordings and can, for example, play them back afterwards.

The determination of the controller was of practical importance in connection with the “Sentry Mode” of the car manufacturer Tesla. This feature is intended to prevent break-ins or theft. As part of this monitoring function, the surroundings were originally automatically filmed with cameras as soon as people were within a certain distance of the parked vehicle. As with dash cams, the problem with this approach is that the corresponding recordings are made without the consent of the persons concerned and without informing them, which is why this function has been classified as illegal from a data protection perspective in various countries. Various Tesla drivers have even been fined for using this function. Tesla has always taken the position that the driver has control over the data collected in Sentry Mode. Tesla drivers, on the other hand, saw the car manufacturer as being responsible. Due to data protection concerns, the company recently adapted the safety system in some countries so that Sentry Mode is only activated if the vehicle is touched at the same time. The function is now also deactivated by default and must be actively switched on by the vehicle user. Law enforcement authorities in Switzerland also use the images recorded with Sentry Mode for offences that are not related to the vehicle being recorded.

 

Justifications under data protection law

Even after the creation of the legal basis to enable automated driving in the SVG, questions remain unanswered with regard to the justifications under data protection law. According to the dispatch, the new SVG provisions were enacted primarily to improve road safety and increase the efficiency of the transport system. In principle, these provisions could be considered as a legal justification for data processing in automated vehicles. However, the interests of road safety and increasing the efficiency of the transport system are offset by the protection of the privacy of the persons concerned.

With the new provisions in the Road Traffic Act, the legislator has made it clear that it wants to enable automated driving in Switzerland. As automated driving cannot be operated safely without the collection of certain data, the legislator at least implicitly recognises data processing to the extent necessary for this. This includes data that is absolutely necessary for the orientation and control of automated vehicles. However, in the absence of explicit legal provisions on the permissible scope of data processing, problems of demarcation can arise in practice. In particular, the question of which processing of personal data still fulfils the primary purpose of road safety and traffic control may not always be clear. The following can already be stated today: the further the data processing moves away from the actual primary purpose (road safety and increasing efficiency in traffic systems), the more likely it is that the controller will be required to base the data processing on another justification.

The justification of the data subject’s consent is therefore likely to be of great importance, especially for more extensive data processing. This must be given “after appropriate information” and “voluntarily”. If particularly sensitive personal data is involved, explicit consent is even required (Art. 6 para. 7 lit. a FADP). Those responsible will have to take precautions here to ensure that the consent extends to the actual driver of the vehicle. This can pose additional challenges, especially if there is a discrepancy between vehicle owner and driver (e.g. in the case of business vehicles).

While it is still relatively easy to obtain consent from the owner or driver of the vehicle, this is not possible for other road users such as passers-by and passengers. In these cases, the instrument of anonymisation can provide a remedy by pixelating the faces of passers-by. However, it should be noted that the pixelation also means that information about the pedestrian’s line of vision is lost, which can provide valuable information about their intentions in traffic. In contrast, systems whose sensors only recognise in the abstract that the detected object is a person are unproblematic under data protection law.

In contrast, the justification of overriding private interest or contract (see Art. 31 para. 2 lit. a FADP) is likely to be of little importance. The contractual justification presupposes the conclusion of a contract between the manufacturer and the data subject and therefore cannot be invoked in relation to other road users who are not parties to the contract. Furthermore, the justification of the conclusion of a contract only relates to data in order to reduce contractual risks. In the absence of a direct link to the conclusion of the contract, the manufacturer cannot rely on this justification to create movement profiles of the vehicle driver, for example. However, an overriding private interest (protection of property) may come into question in relation to a damaging party (e.g. in the event of parking damage). In this case, data processing may be justified, for example, in order to enforce a claim for damages.

Outlook and conclusion

With the revision of the Road Traffic Act, the Swiss legislator has created the legal basis for the use of automated vehicles in road traffic, which means that the main responsibility now lies with the car manufacturers. Automated driving is inextricably linked to the collection of a large amount of data, which may also include particularly sensitive personal data. In addition to technological issues, data protection issues will therefore be a key factor for trust in automated and ultimately autonomous driving in the future. As the degree of vehicle automation increases, the amount of data involved is expected to rise further. Technical protective measures to prevent cyberattacks and precautions to ensure data security will therefore become increasingly important. The EU Data Act (largely applicable from 2025), which clearly regulates data access rights in particular, is also likely to provide additional impetus (for more information on the Data Act, see the article by Martin Schirmbacher/Marcus Czempinski “Her mit den Daten! What the Data Act demands”). In order to strengthen public trust in automated driving, certifications under the Data Protection Act could also play an important role in the future. When developing automated vehicles, it is important to find the right balance between the interests of road safety and the numerous aspects of data protection. It remains to be seen how well the automotive industry will succeed in addressing these conflicting interests while at the same time fully utilising the potential of this new technology.
