In part 1 of this article, we discussed what constitutes an autonomous vehicle and some of the dangers that are associated with the technology as well as the many uncertainties that remain regarding both individual and manufacturer liability. Unfortunately, there is much uncertainty that remains regarding the risk to your privacy rights.
Autonomous cars are being developed to collect private information on the actual driver and passenger(s) riding in the vehicle through the use of cameras and other technologies designed to collect biometric data.
Vehicle manufacturers are planning to eventually install cameras in the vehicles that would be aimed at the drivers as well as biometric sensors that could record and monitor the alertness of the driver, his behaviour, health and track his eye movements. These systems could equally record voice patterns, places of employment or education as well as daily routines and personal addresses. All of this information could be stored in a vehicle’s central hub computer, meaning that one’s vehicle, after potentially months to years of ownership, could possess an incredible amount of personal information on the driver, thereby creating a detailed character profile.
The possession of the personal information of an individual that is stored in a GPS alone could allow online advertisers to make fairly accurate estimates about one’s salary and spending habits based on where they frequent.
The Washington Post recently published an article which discussed the findings of an investigative journalist’s report on the data that is already being collected today. The journalist asked someone to hack the vehicle’s infotainment system and discovered that the vehicle was collecting photos, addresses, emails and messages all of which could potentially be sold and shared by the manufacturer, a rogue and disgruntled employee or even hackers on the black market. Canada’s Privacy Commissioner, Daniel Therrien, has gone so far as to refer to modern cars as “smartphones on wheels.”
Privacy Rights in Canada
The protection of privacy and personal information is not specified in The Canadian Charter of Rights and Freedoms.
Therefore, legal obligations and liability when discussing privacy rights are governed under the scope of two sets of federal privacy laws, the first being the Privacy Act which is designed to regulate how federal government agencies and departments practice personal information. The second law is the Personal Information Protection and Electronic Documents Act, also referred to as PIPEDA. Unlike the Privacy Act, which strictly oversees the government, PIPEDA regulates the use of personal information in private-sector organizations; it only applies to those that are engaged in commercial activities. The main function of PIPEDA is to control how these private commercial entities collect, distribute and disclose personal information in the course of their commercial activities.
In addition, for those living in Quebec, there is the Act Respecting the Protection of Personal Information in the Private Sector, which, according to article 1, is designed to protect the personal information of individuals for the exercise of rights conferred upon them under articles 35 to 40 of the Civil Code of Quebec (CCQ). Similarly to PIPEDA, the act is aimed at the protection of personal information as it relates to its collection and communication to third parties in the course of the operation of an enterprise within the meaning of article 1525(3) of the CCQ.
According to a recent Senate report, Canada is ill-prepared to deal with the increasing risks to privacy rights due to the technological advances being made to automotive design which are evolving quicker than our bureaucracy can adapt. A major recommendation from the report is to devise legislation in order to grant the Office of the Privacy Commissioner greater investigative powers as well as more ability to enforce industry compliance with privacy legislation.
In the meantime, while PIPEDA may not be applicable to provinces such as Quebec due to the fact that Quebec already has existing legislation that is similar enough to PIPEDA, it could be used across Canada to fill in the gaps of personal information protection that may be lacking in relation to smart autonomous vehicles. Essentially, using a broad and liberal interpretation of its contents in order to encompass the personal data collected by driverless cars could be a common-sense method to providing a minimum degree of protection for all Canadians, especially in regard to inter-provincial situations.
While major uncertainties remain regarding how your privacy rights will be protected from the risks mentioned above, the government is working towards finding solutions and increasing the transparency of corporate practices.
Marco Fantin, Articling Student,
Alepin Gauthier Avocats Inc.