
TLJ Analysis of S 1925, the Driver Privacy Act

April 9, 2014. The Senate Commerce Committee (SCC) held an executive business meeting at which it amended and approved S 1925, the "Driver Privacy Act", a bill that allows government to access data on vehicle event data recorders (EDRs). See, amendment in the nature of a substitute approved on April 9.

Outline of this Article:
   1. Introduction.
   2. No Limits on Data Collection.
   3. Unconstrained Court and Administrative Authorizations.
   4. Expectation of Privacy.
   5. Exceptions to Driver Ownership of Data.
   6. Future Technologies.

See also, related article titled "Senate Commerce Committee Approves Bill to Allow Access to Data Stored in Vehicle Event Data Recorders" in TLJ Daily E-Mail Alert No. 2,644, April 22, 2014.

Introduction. This bill is, at bottom, about giving prosecutors, law enforcement agencies, litigators and others easy access to EDR data.

Sen. Amy Klobuchar (D-MN) is the lead cosponsor of the bill, and a former prosecutor. Her record in the Senate in drafting and sponsoring bills has demonstrated her support for the interests of prosecutors and law enforcement in gaining access to information, often at the expense of protecting individuals' interests in privacy and liberty. This bill is consistent with her prior record.

Sen. Klobuchar stated in the Senate on January 14, 2014 that "I have long supported improving safety on the roadways. Too many people die on our highways, and we need to do something about it. In 2010, there were more than 30,000 fatal crashes and more than 1.5 million crashes that resulted in injuries. This is unacceptable." See, Congressional Record, January 14, 2014 at Page S328.

"EDRs can be the only resource available to determine the cause of a crash by providing information about what a driver was doing in the seconds leading up to a crash, such as how fast the vehicle was going, whether the brake was activated in the seconds before the crash, if airbags were deployed, and whether the driver and passengers were wearing seatbelts."

"As a former prosecutor, I know how useful this data can be", said Sen. Klobuchar.

This bill does a few things that tend to protect individual privacy. It does much to diminish privacy. It fails to address many privacy related issues.

No Limits on Data Collection. First, while the Department of Transportation's (DOT) National Highway Traffic Safety Administration (NHTSA) EDR rules, which are codified at 49 C.F.R. Part 563, set minimum requirements for what data must be collected, they do not set any limits, or prohibit the collection of any data.

Nor does this bill do anything to limit what data EDRs collect, or what the DOT can require to be collected. Nor does it in any way limit what non-EDR data may be collected by vehicles. Nor does this bill address data retention or deletion.

Auto makers remain free to build cars that collect ever more data. The DOT remains free to mandate the collection of ever more data. Drivers are not allowed any choice or control in the matter.

Unconstrained Court and Administrative Authorizations. The bill's first exception to the owner consent requirement does much to diminish privacy. It provides that data may be accessed if "a court or other judicial or administrative authority ... authorizes the retrieval of the data ..."

When Sen. John Hoeven (R-ND) introduced this bill he stated that "Law enforcement ... can't just take it; they have to have a court order". But, this is not what the bill states. Under this bill, law enforcement agencies could gain access by obtaining a court order. But, the bill requires neither court involvement, nor an order.

The Fourth Amendment uses the word "warrant". Judicial precedents use the words "warrant" and "order". This bill uses the word "authorization", which has little meaning, and therefore provides little protection to drivers.

Administrative authorization might be construed to mean nothing more than that a federal regulatory agency has adopted rules that authorize access. Such rules might be legislative in scope.

Most significantly, this exception imposes no requirements upon courts or administrative agencies. Basic notions of individual privacy include four basic requirements for government access to an individual's records or data. First, government must obtain an order from a court. This bill does not require court involvement.

Second, that order must be directed at a specified individual or location. Nothing in this bill requires that the authorization name a particular person or vehicle. An order or authorization could cover, for example, all vehicles located in the Washington DC metropolitan area.

Third, that order must identify what records or data are to be accessed or seized. Nothing in this bill requires that an order or authorization identify what data can be accessed.

Fourth, government must meet a particular standard to obtain that order. The Fourth Amendment sets probable cause as the standard. This bill, however, sets no standard at all.

Expectation of Privacy. It is significant that the bill states "Any data retained by an event data recorder ... is the property of the owner, or ... the lessee ...". This is critical to Fourth Amendment analysis. See, the Supreme Court's landmark 1967 opinion in Katz v. U.S., 389 U.S. 347, and its progeny.

In the past, federal prosecutors and law enforcement agencies have succeeded in obtaining access to much data by aggressively asserting arguments that the data belongs to third party service providers, who typically have little incentive to protect the privacy of their customers. Prosecutors and law enforcement agencies then obtain the data under minimal standards, rather than a higher probable cause standard that might apply if the data were owned by the individual.

While the bill contains a data ownership provision, it does not also include other findings that would be relevant to Fourth Amendment analysis. For example, the bill does not contain any finding that people have a reasonable expectation of privacy in this data, and that this expectation is one that society is prepared to recognize as reasonable.

Exceptions to Driver Ownership of Data. While the bill does state that drivers own their data, the bill also has inherent loopholes.

The bill provides that "Any data retained by an event data recorder (as defined in section 563.5 of title 49, Code of Federal Regulations), ... is the property of the owner ..." (Parentheses in original.)

Section 563.5 provides that "Event data recorder (EDR) means a device or function in a vehicle that records the vehicle's dynamic time-series data during the time period just prior to a crash event (e.g., vehicle speed vs. time) or during a crash event (e.g., delta-V vs. time), intended for retrieval after the crash event. For the purposes of this definition, the event data do not include audio and video data." (Parentheses in original.)

Hence, if a vehicle collects audio or video data, then that data is not subject to the bill's provision regarding ownership.

Also, EDR data only covers "in a vehicle" data. If data is automatically transmitted to a service provider's server, then it no longer falls under the bill's ownership provision. The DOT's rules further state, at Section 563.1, that they only apply to "the collection, storage, and retrievability of onboard motor vehicle crash event data". The key word here is "onboard".

Moreover, this bill appears to contemplate that the trajectory for this technology is automatic wireless transmission of certain data to service providers. For example, the fourth exception to the owner consent provision is that data may be accessed if "the data is retrieved for the purpose of determining the need for, or facilitating, emergency medical response in response to a motor vehicle crash". If data were only in the onboard EDR, then downloading data at the time of an accident would entail being present at the scene of the accident, in which case the officer's visual observations and conversations would enable him to determine the need for emergency medical response. This exception would have little if any purpose. However, if data were also automatically transmitted, then this exception would be meaningful. This exception would enable, for example, a service provider to report to a 911 call center that air bags have inflated, at a particular location, in the vehicle of one of its customers, without the customer first giving consent for disclosure of that information.

Future Technologies. Currently, the DOT's rules mandate only the collection of data relevant to crashes and safety, such as air bag deployment data, seat belt use, and speed. This data is very useful to the DOT in furthering automobile safety. It is also relevant in law enforcement investigations and prosecutions involving vehicular crimes. It is also relevant in determining civil liability for personal injuries and property damage resulting from auto accidents. Plaintiffs' personal injury lawyers, defense lawyers, and insurance company lawyers all have legitimate interests in accessing the currently mandated data.

The threats to individual privacy lie, not in what is currently mandated for EDRs, but in what vehicle based information technology will soon enable.

Sen. Hoeven stated when he introduced this bill that "The reality is this technology is evolving and developing. This technology is going to continue to develop with all kinds of other aspects -- obviously now we have GPS -- and all the different things that are being done with automobiles."

Collection and retention of location data implicates privacy interests. On the other hand, law enforcement and intelligence agencies (and marketers, parents, stalkers and others) have location surveillance interests unrelated to traffic safety. The threats to privacy, as well as the surveillance values to law enforcement and intelligence agencies, would increase if vehicle location data were also either automatically transmitted or remotely accessible.

Volkswagen Group of America submitted a comment to the NHTSA with more detail. It wrote that "the issues of privacy and security loom large not just for EDRs, but even more so for future technologies under research and development".

Volkswagen elaborated that "privacy concerns ... will be hugely magnified by future safety technologies, such as advanced automatic crash notification that would send vehicle data wirelessly to emergency responders; 'connected vehicle' technology using dedicated short range communications (DSRC), and automated vehicles (a.k.a., 'autonomous vehicles'). These latter technologies introduce a new access and attack vector for vehicle data, namely wireless connectivity, which substantially increases the exposure to threat of privacy invasion and possible interference in vehicle functional systems." (Parentheses in original.)

Collection and retention of vehicle based communications data would similarly implicate privacy interests.

Also, if vehicular data included vehicle, time, location, and speed, and if it were transmitted and made available to state and local government, then this data could be employed much like red light cameras are today, but on a much grander scale. Government information systems could correlate this data with vehicle registration data to automatically churn out not only red light running tickets, but also speeding tickets, and even parking tickets. Such a system might also be extended to collecting fines for distracted driving, and failure to wear seat belts. The state and local revenue raising potentials could be enormous.

(Published in TLJ Daily E-Mail Alert No. 2,644, April 22, 2014.)