Artificial intelligence systems applied to the autonomous driving of vehicles are now a reality. All major technology companies are championing projects with the ultimate aim of making a motor vehicle capable of driving on the roads in an intelligent and independent way, as if there was a human 'behind the wheel'.

One of the legal priorities to be taken into account when using artificial intelligence in autonomous driving is the processing of personal data of the driver or third-parties. Technically, it is possible to collect information through sensors installed in the vehicle, for instance, about how the vehicle is being driven, the places visited, or simply the distances traveled over a given period of time. Therefore, it is extremely important to know the legal repercussions of personal data processing through artificial intelligence applied to autonomous vehicles.

Concept of personal data

From a legal standpoint, personal data is any information relating to an identified or identifiable natural person.  This concept is so broad ('any information') that it possesses an expansive force that is difficult to delimit, and to which the decisions of the courts and supervisory authorities, responsible for ensuring the correct application of personal data protection regulations, have contributed to no small extent.

Inasmuch as artificial intelligence systems incorporated on board a vehicle can collect 'any information' generated while driving, personal data is collated or processed.

Legal issues raised

In my view, the questions that this point raises range from determining who the data controller is, to whether there is any possibility of considering that, even if information is processed, it wouldn't be purely personal information. Furthermore, the question on whom the data subject or the party concerned is, or whose data is being processed or dealt with, should also be considered.

Who is the data controller?

Regarding the first point, the legal definition of the data controller is 'the person or entity who determines the purposes and means of the processing of personal data'. In other words, it is the one who decides which data is to be collected and for what purpose, and assumes all the information and protection obligations of the fundamental rights and freedoms of the parties concerned.  This is a very broad definition which is intended to provide the most effective and complete protection to the parties concerned through the constant proclamation of precedents of the Court of Justice of the European Union.

In view of this legal definition, who would be responsible for the processing of personal data by means of artificial intelligence in autonomous driving? Would it be the vehicle manufacturer, or the artificial intelligence supplier? And if it is a company vehicle driven by one of its workers, would the company for which the driver provides their services also be responsible? What about companies acquiring a vehicle under a finance lease?

It is easy to appreciate the complexity of cases to which the relentless extension of the legal definition of data controller can lead.

The courts tell us, in this regard, that it is enough to consider a person as responsible by verifying that, attending to their own objectives, they influence the data processing in question. It would not be necessary for them to have access to the data, nor would it be necessary for them to assume a responsibility equivalent to that held by all those who intervene in some way in the specification of the purposes and means of the processing. Rather, what would be decisive would be their influence capacity in that determination.

In my view, this means, for example, that if the manufacturer of a vehicle requests to incorporate into the vehicle functionalities from the artificial intelligence supplier involving the processing of personal data, it is quite likely that, from a legal point of view, the former shall be considered responsible for the processing, since they are aware that such intelligence is useful for the purpose of the processing. The same could be said of the artificial intelligence supplier inasmuch as that they are able to determine the purposes or the means which are used for personal data processing.

It should be highlighted that designating any party as the data controller is not that important to the courts, as long as this party does not have effective access to personal data in the case of a joint processing.

Then, since the data controller is a subtle and, by nature, expansive legal concept, it is likely that all of the above parties may be held responsible for some or for all of the operations included in the processing.

When driving an autonomous vehicle, are personal data inevitably collected?

Another crucial question is whether the type of information collected during the use of artificial intelligence always constitutes personal data in the legal sense of the term.

Once again, these are limits very difficult to outline. The General Regulation on Data Protection establishes that 'any information' on an identified or identifiable natural person is not only about those data that prima facie allows us to identify a person, as long as they are identifiable, but also that the concept of personal information includes data or information that tells us something about a person, even though it may not necessarily identify them.

This is precisely what happens with the data or information collected when driving (e.g. distances covered, type of driving: More or less impulsive, places visited, speed reached). Thus, in a possible scenario in which this driving information is handled with a legitimate purpose: Would it always be considered personal information for the purposes of data protection regulations?

We consider that the answer must be affirmative whenever the information refers to an identified or identifiable person; or, in other words, whoever is responsible for this information could only be outside the data protection regulations if they can prove that it is not related to any natural person. This result may be achieved by means of effective dissociation techniques, which prevent from mutually binding the data or information handled with a particular natural person (e.g. if information on the places visited by a given vehicle, whose ownership or use of may become known, the person is disassociated by means of an irreversible dissociation algorithm).

Right to information on the processing of data

Finally, there is one issue that should not be disregarded.  Since this personal data processing is subject to the law, should the data subject be informed about the existence of sensors in their vehicle that make it possible to evaluate, for example, their driving, or learning aspects about it, or that the artificial intelligence supplier may collect information on where they have been or at what speed they were driving?

We certainly consider they should be informed, since informing the data subject of the circumstances surrounding the processing, including their identity and the purpose for which the processing is intended, is one of the obligations of any data controller.  The obligation to implement appropriate technical and organizational measures to preserve data integrity and confidentiality should be added to this obligation of providing information.

In summary, the artificial intelligence applied to the autonomous vehicle generates legal questions of relevance from the perspective of personal data protection that need to be carefully analyzed.

By José Carlos Erdozain, 'Of Counsel' at PONS IP