Justin Chia, a 1L law student at the University of Calgary and writing contributor for the Tech and Law Association takes a look at the implications autonomous vehicle regulation poses to cybersecurity in Canada
Autonomous vehicles have become one of the most fascinating and relevant technological innovations of the 21st century with prominent automotive manufacturers, such as Tesla and General Motors, making advancements in self-driving technology. The promising socioeconomic and environmental benefits of autonomous vehicles have forced governments around the globe to contemplate the potential legal implications of these technological trends. Canada’s federalist structure creates an interesting legal dynamic in this regard, as the federal government, the provinces and the territories each have legislative authority to enact regulatory schemes addressing autonomous vehicles.[1]
Multiple provinces, including Ontario and Quebec, have introduced pilot programs to regulate safety testing for self-driving vehicles. Other provinces, namely Manitoba and Saskatchewan, have amended existing provincial legislation for the purposes of regulating the issuance of permits for the autonomous vehicle operation in the province.[2] Conversely, the federal government has introduced regulations under the Motor Vehicle Safety Act that regulate the import of autonomous vehicles into the country. [3] Underlying each of the provincial and federal legislation relating to the testing of self-driving vehicles is a concern for data privacy, which constitutes a concurrent area of legislation.
Data collection is a critical component of safety testing and monitoring for autonomous vehicles and along with it comes data privacy concerns. Autonomous vehicle manufacturers collect driver location and biometric data for the purposes of enhancing safety and performance. Lawmakers and advocacy groups have raised concerns that sensitive consumer data may be sold or distributed to 3rd parties, thereby jeopardizing the privacy of consumers.[4] The collection and disclosure of personal information by AV manufacturers in Canada is subject to the Personal Information Protection and Electronics Documents Act (PIPEDA).[5] The PIPEDA serves as an overarching framework with provinces and territories having the option of complying with the federal regulatory scheme or creating their own data privacy regulatory frameworks at the local levels.
Alberta, BC and Quebec have opted out of the federal regulatory framework by enacting similar data privacy legislation at the provincial level that applies to AV data collection. Canada’s fragmented data privacy regulatory structure resembles its carbon pricing regulatory structure, which has led to an increasing number of legal challenges brought by the provinces against the federal legislation, thereby complicating efforts to establish a uniform set of regulations at the national level.
A fragmented data privacy regulatory structure has significant implications for efforts to address cyber security risks at the national level. Advancements in automation and artificial intelligence, as well as emerging technologies, each of which make self-driving vehicles such an appealing innovation, also expose driver data to increased cyber threats. A critical aspect of countering these cyber threats is the development and implementation of national standards to regulate the types of data and modes of collection within the automotive industry. The enforcement of this regulatory framework will require coordination and collaboration between the federal government and the provinces and territories to ensure uniform compliance throughout the country.
The fragmented nature of the existing regulatory landscape constrains cross-government collaboration and reduces the likelihood of uniform compliance with industry data privacy standards. Parliament’s recent tabling of the Digital Charter Implementation Act (Bill c-27), which would repeal and replace the PIPEDA, is an effort to establish a national regulatory framework in response to emerging cybersecurity concerns.[6] The new data privacy legislation would require automotive and artificial intelligence companies to comply with standards aimed at ensuring greater transparency in how these companies collect and dispose of driver data. The extent to which a national regulatory scheme is effective in maintaining data privacy and mitigating cybersecurity threats is largely contingent on the provinces and territories’ active participation in the scheme.
[1] Marin Leci et al, “Autonomous Vehicle Laws In Canada: Provincial & Territorial Regulatory Landscape” (29 December 2021), online (blog): BLG <https://www.blg.com/en/insights/2021/12/autonomous-vehicle-laws-in-canada-provincial-and-territorial-regulatory-landscape>.
[2] Ibid.
[3] Motor Vehicle Safety Act, SC 1993, c 16.
[4] “The Privacy Implications of Autonomous Vehicles” (17 July 2017), online (blog): Norton Rose Fulbright https://www.dataprotectionreport.com/2017/07/the-privacy-implications-of-autonomous-vehicles/>.
[5] Personal Information Protection and Electronics Documents Act, SC 2000, c 5.
[6] Bill C-27, An Act to Enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, 1st sess, 44th Parl, 2022.
UCalgary Technology and Law Club 