This post is extracted from the article published in Communications Law Journal in 2019, written by Maria Cristina Gaeta, Research Fellow at Suor Orsola Benincasa University of Naples, Ph.D in People, Business and Market Law at University of Naples Federico II.


Nowadays, there is no specific regulation for Robotics and AI, even though this topic is subject to many legislative initiatives. We can look at the European Parliament resolution of 16 February 2017, which calls on the Commission to submit a Directive proposal for civil law rules on robotics and AI, and non-legislative acts (such as guidelines and codes of ethical conduct). The purpose of the European Parliament resolution is to address the main issues foreseeable in the next 10 – 15 years, taking into account the Charter on Robotics attached to the Resolution. In addition, the European Parliament considers that the automotive sector is in most urgent need of efficient European Union and global rules, in order to ensure the cross-border development of self-driving cars, the exploitation of their economic potential, and the benefits from the technology. In the Declaration of Amsterdam of 14 and 15 April 2016 on Cooperation in the Field of Connected and Automated Driving, the need to develop and maintain a joint programme with other European countries has been underlined to support these goals, and to remedy the problems arising from the development of this new type of driving.

Another very important EU initiative is the European Commission Communication on Artificial Intelligence for Europe (2018). The Commission highlights the importance of AI, stating that AI is undoubtedly one of the most strategic technologies of our century and the way we will approach AI will define the world we live in.

Following the European Commission Communication on AI, on 8 April 2019 the High-Level Expert Group on Artificial Intelligence published the Ethics Guidelines for trustworthy AI, which lists all the requirements that AI systems should meet in order to be trustworthy for human beings. In the same light and the same day the European Commission published the Communication on Building Trust in Human-Centric Artificial Intelligence.

Regarding the protection of personal data, as a specific aspect to be regulated with reference to Robotics, the European Resolution points to the centrality of the issue of data protection and the EU Parliament is clear in establishing that Civil Law rules on Robotics have to be GDPR compliant (current European Regulation on data protection which came into force on 24 May 2016). In addition, the EU Resolution asks the Commission to ensure the respect of the principles of data protection by default and protection by design (e.g. pseudonymisation), to implement data protection principles such as data minimisation. At the same time, Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, and Article 16 of the Treaty on the Functioning of the European Union (TFEU), provide that aspects of data protection have to be addressed with particular regard to Robotics.

On the basis of the foregoing, the right way could be the extensive application of the existing regulation and, in an evolutionary way, the development of a specific framework of rules for self-driving cars, and a specific section of this framework should regulate the processing of user’s personal data generated, stored and processed by connected vehicles. As there is a specific discipline for traditional vehicles, it would be desirable to have an ad hoc regulation for autonomous vehicles (at least for those that are completely autonomous).

More precisely, what should be foreseen in a regulation on autonomous vehicles, with regard to the protection of personal data, is adequate and functional information to the users on the processing of their personal data (as required by the GDPR), so that users know exactly what the consequences of the processing are. In this sense, the privacy notice, cannot correspond to a standard model used for each type of processing. On the contrary, the privacy notice must contain information that is concise, transparent, intelligible and easily accessible, as well as written in clear and plain language. Indeed the privacy notice should be clear and understandable by an average user who in this way could be really aware of the existence of the processing and its purposes, and of any profiling process. Only in this way the strong disinterest of users towards privacy notices can be counteracted, so that they can be effectively aware of the processing, protecting their interests to a lawful, fair and transparent processing. At the same time, data controller and processor will not be sanctioned for infringements of the GDPR.

With regards to consent to the processing of personal data, it would be conceivable that the framework of rules overcame, in whole or in part, the requirement of consent, since this is no longer a lawful basis that guarantees the effectiveness of the data protection measures. Among other things, in some cases, the law itself legitimises the processing of personal data without the need for consent, because of the fact that there are other more important interests at stake (other lawful base), such as user’s safety. Indeed, according to art 6, para 1, lett. d) of GDPR, the processing of personal data is lawful, even without the data subject’s consent, when processing is necessary in order to protect the vital interests of the data subject or of another natural person, where security may be included. An example is the eCall provided by Regulation (EU) 2015/758, i.e. an electronic device installed on the vehicle, which provides a free public service that can automatically make an emergency call to alert emergency services in the event of a traffic accident. It is clear that the eCall, as mandatory service, carries out a processing of personal data without user’s consent. However, data subject’s protection is represented by the fact that the data is used for the sole purpose of dealing with emergency situations and the call made only provides the minimum information for the rescue.

Following this trail, numerous States have begun to consider specific legislation for self-driving cars. In the US, the National Highway Transportation Safety Administration (NHTSA) has recognized the Self Driving System (SDS) as a driver of the vehicle and in this way extended the road safety regulations, updating the Federal Register. Currently autonomous vehicle bills or laws have been introduced in the 50 United States and in the District of Columbia. In Europe, Germany was the first Nation to approve legislation on autonomous vehicles amending the German Road Traffic Act in 2017. The United Kingdom has drawn up a draft law on automation, which has not been approved other than through the Automated and Electric Vehicles Act 2018, which is currently in force.

There are several sector-specific regulations which could be extensively applied to issues relating to data protection in self-driving cars in countries where a specific regulation has not been provided for autonomous driving, until a specific EU legislation will be introduced.