Although today's autonomous vehicles (AVs) are still generally focused on navigation-related tasks, their increasing connectivity to smart technologies, and the general evolution of the Internet of Things (IoT), will inevitably expand the role and capabilities of AVs in everyday life. As the ecosystem of these increasingly integrated devices and vehicles continues to mature, the corresponding legal concerns and risks come more into focus. The hypothetical below, set in the not-too-distant future, explores such an AV/IoT ecosystem and the legal risks it raises.


A Glimpse Into the AV/IoT Ecosystem of the Future

Using their smart home technology, the families of the future will be able to contact their personal AV to coordinate the pick-up and drop-off schedules for the day, have the AV collect groceries (ordered from the "smart" kitchen and packed into the AV by the store's robot assistant), and charge itself on various self-charging roadways or at other charging stations around the city.

The car will be able to analyze the results of regularly scheduled maintenance scans and alert the family to any repairs that should be done. The AV will be able to run cursory searches of the parts and repair shops to get estimates of the time and costs of the repairs and will seek permission to proceed with formal arrangements. With the family's authorization, the AV will initiate its AV Automated Purchasing Agent to identify certified part blueprint providers, 3D printing shops, and repair shops that can collectively get the required parts printed, delivered, and installed into the car within the necessary time frame for the family's other activities. The Purchasing Agent will also verify and store the certifications of each vendor along the process to ensure that the parts are genuine and the repairs are being done by a qualified professional. All of these transactions, as well as the required smart contracts, are logged on a blockchain for later retrieval.

On the day of the scheduled repairs, the AV arrives at the designated repair shop at the designated time. When the car arrives, the parts have already been properly printed by the local certified 3D printing shop and delivered by drone to the repair shop location. Although the lead mechanic has worked on this particular make and model of AV and, separately, the particular parts that need to be repaired, she has not made these specific repairs on this exact make and model. As such, the mechanic wears augmented reality goggles that project a step-by-step repair video directly onto the parts-at-issue and records the repairs on a blockchain for later retrieval. Upon completion, the AV runs another diagnostic to confirm the repairs were successful. Once confirmed, the AV's purchasing agent initiates payment to the parties involved per the smart contracts, including the 3D design maker, the 3D part printer, and the mechanic. The AV then returns to its normally scheduled pick-ups and drop-offs per the family's instructions.

Later that day, after the AV picks up one of the parents from work, the parent accidentally spills hot coffee on herself and the instrument panel. Recognizing the increased heart rate and verbal cues from the parent, the AV inquires whether it should change its travel plans to visit the local hospital and provide the necessary data to the hospital before they arrive. As the parent begins to indicate that it is not a serious issue and that no change should be made, a warning indicator comes on alerting the car and the parent to an engine problem. As the light comes on, the parent grabs the steering wheel, causing the car to change direction suddenly and swerve into an oncoming car, and seriously injuring the parent and an occupant of the other vehicle. Local law enforcement is dispatched, and "kill" commands are used to download the data from both cars and disable the engines and batteries to prevent fires.


Legal Issues

Data Protection and Privacy: Much of the future scenario involves the collection and transmission of data. The AV has scheduling and location information for all members of the family, its own diagnostic data, biometric data from passengers, and communication records. A government agency is collecting data from the AV. Resolving the legal issues relating to permission to collect the information (including occasional or one-time passengers), storage of the information, who has access, and whether or how the information is shared will be paramount.

Currently, there is no overarching federal law in the United States that governs data privacy. There is also no uniform definition of what personal information consists of and what should be protected. Individual states have passed data breach notification statutes but have differences in what is considered protected personal information. The high-water mark of these state-initiated rules is California's Consumer Privacy Act (CCPA).

The CCPA, effective as of Jan. 1, 2020, protects the personal information of California residents collected or disseminated by businesses. The CCPA requires that consumers be given notice and access as to what personal information is being collected, sold or disclosed and with whom the information is being shared. Consumers also have the right to opt-out of the sale of such information and to request that a business delete any collected information. Businesses are also forbidden from discriminating against consumers who exercise those rights.

Other state statutes also are implicated in the issues facing our cities of the future, including many that address the collection and use of biometric information, including Illinois (740 Ill. Comp. Stat. 14/1 et seq. (2008)), Texas (Tex. Bus. & Com. Code Ann. §503.001 (2009)), and Washington (Wash. Rev. Code Ann. §19.375, et seq. (2017)). Some other states have included biometric data as protected personal information in their data breach notification statutes (e.g., Iowa—Ia. Code Ann. §§715C.1 et seq. (2008), as amended (2014); New Mexico—2017 H.B. 15, Chap. 36; and South Dakota—Senate Bill 62 (2018)), while other states have not enacted any data privacy laws.

Additionally, these systems raise significant issues over the ownership and use of the data they create. Who owns the various categories of data, and can disclosure be compelled? What information can law enforcement obtain, when, and about whom? Who will have access to passenger information, under what circumstances, and for what purposes? In the case of biometric data, if the data is used in medical treatment, the health care providers would likely also be governed by federal laws on privacy and security of an individual's health information (see, e.g., The Health Insurance Portability and Accountability Act of 1996, P.L. No. 104-191, 110 Stat. 1938 (1996)).

Product Liability/Insurance: AVs present unique challenges to product liability and the insurance landscape. With potentially no driver input, traditional personal liability will be obsolete. Instead, product liability for the AV manufacturers, including hardware and software components, and service providers will replace driver liability. For example, in 2016, in response to AV testing on its roads, Michigan amended its motor vehicle legislation for that project and assigned liability to auto manufacturers when an "automated driving system is at fault." Mich. Comp. Laws §257.665b(4) (2018). Cybersecurity and data protection insurance may also be necessary to underwrite potential losses or damages from hacking or smart technology failures.

Blockchain: The network that allows the various transactions to take place and the IoT to flourish may very well be based on blockchain technologies. Blockchain is a digital ledger/database of information (e.g., independently verified transactions, assets, or agreements), for members of the same blockchain network, that is distributed across a network of computers. Blockchain systems are decentralized, and this may lead to significant jurisdictional issues without universal agreement as to governing law. Another concern is data privacy and security. Generally, information once stored in the blockchain cannot be altered, and if that information contains personal information, that raises significant privacy concerns (particularly if the information is on a public, and not private, blockchain system). The commercial use of blockchains also gives rise to other legal issues, such as how extensive the warranty of the information being provided is (does a seller warrant that all of the information in the chain is accurate?); and, if information gets hacked or a defect is found, whether contractual rights have been breached or representations and warranties violated.

Intellectual Property: The technological innovations driving the cities of the future will likely be well-protected by a web of intellectual property rights, potentially owned by a myriad of evolving players. The systems driving these cities, however, will need to work together and in an interoperable way. The patents and trade secrets that may be at the technological core will be used to both defend market share positions and drive the industry in particular directions. These intellectual property rights might be held by traditional industry players or newcomers to the space, both of which raise different issues on how to manage the risk of potentially violating those rights.

Paul Keller is a partner and Jenny Shum is a senior associate in the New York office of global law firm Norton Rose Fulbright.