Fast-moving House Bills on Autonomous Vehicles May Undercut Privacy and Security Regulation
Written by Joseph Jerome
The House Energy and Commerce Committee is poised to introduce a package of fourteen bills that aim to spur deployment of autonomous vehicles on U.S. roadways. Legislative action is warranted, but several of the legislative proposals may have unintended consequences as policymakers grapple with the privacy and security issues posed by data-fueled autonomy.
Overbroad State Preemption
The LEAD’R Act — or “Let NHTSA Enforce Autonomous Vehicle Driving Regulations Act — has received the most attention. It preempts states from issuing any rule or regulation related to the design, construction, and systems, including software and communications, of autonomous vehicles. The auto industry has said legislation is necessary to avoid a “patchwork” of local laws, but the bill’s broad preemption language will effectively prohibit states from filling in gaps when the National Highway Traffic Safety Administration (NHTSA) does not provide standards.
This is especially problematic because the road to federal safety and security standards for automated vehicles may be long in coming. NHTSA is a habitually under-resourced agency that currently lacks an administrator. The LEAD’R Act would preempt states from acting in a situation where it is, as yet, unclear that the NHTSA plans to take action. It is also unclear, both legislatively and practically, when an autonomous software package and a communications system begin and end, which could pose a problem for states with privacy and security laws that cover certain data types, such as geolocation. A narrower preemption that only applies when there are federal standards or policies in place may be a better approach, along with requiring states attempting to regulate autonomous technologies to consult with NHTSA.
Unnecessary Division of Responsibilities Between Regulators
Other concerns with this legislative package are its provisions aimed at ensuring regulators stay in their lane. The Managing Government Efforts to Minimize Autonomous Vehicle Obstruction Act, or “MEMO Act,” directs NHTSA and the Federal Trade Commission (FTC) to enter into a memorandum of understanding that would largely carve out different spheres of influence for both agencies. The FTC would be limited to focusing on issues that are “not connected” with autonomous technologies or features while NHTSA would be focused on privacy and security concerns related to the active operation of automated vehicles or features. This is a potentially worrisome division of responsibilities. While the MEMO Act intends to address overlap and duplication of regulatory responsibilities, prior FTC MOUs have stressed inter-agency coordination, consultation, and collaboration. As we’ve noted, autonomous vehicles falls into the jurisdiction of several agencies, and the best path forward is more public cooperation between NHTSA and the FTC across the privacy and security landscape. Already, there have been promising efforts in this respect; CDT recently participated in a joint FTC/NHTSA workshop on privacy and cybersecurity in connected cars. Both agencies have vastly different areas of expertise, and shared oversight of privacy and security is the most comprehensive to protect consumers.
Membership of Cybersecurity and Data Sharing Advisory Councils
Finally, two proposals — the SHARES Act (Sharing Autonomous Vehicle Records with Everyone for Safety) and an act to establish an Automated Driving System Cybersecurity Advisory Council — call for the creation of multi-stakeholder bodies to address privacy and security concerns. These groups include members of the auto industry, insurers, research academics, and government officials. While these are positive steps, privacy experts and consumer advocates should be invited as members to both proposed councils.
In our comments on NHTSA’s Federal Automated Vehicles Policy, we noted that more discussion was needed both with respect to data sharing and vehicle cybersecurity generally. To alleviate continuing public concerns about the reliability and security of autonomous technologies, such work must be more public-facing and inclusive that prior efforts.