This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

| 4 minutes read

Amendments to Germany’s laws on autonomous driving: what does it mean for data processing?

At the start of the year, Germany’s Federal Ministry of Transport and Digital Infrastructure (BMVI) published a draft of the Autonomous Driving Act (Gesetz zum autonomen Fahren).

However, the proposed law is having quite a bumpy start. With Germany wanting to establish itself as the global leader in autonomous driving technology, the Act aims to pave the way for autonomous vehicles and end legal uncertainty by introducing rules that will allow ‘Level 4’ autonomous driving: see the BMVI press release (in German).

Level 4-enabled vehicles may operate without a driver in pre-determined operational areas. Use cases for Level 4 autonomous driving technology (as defined by the SAE) include passenger transport, logistics services and dual-use vehicles (e.g. automated valet parking).

For vehicles that use autonomous driving functions, the proposed legal framework will determine technical requirements, the conditions for their approval and requirements for data protection. It also contains obligations for vehicle operators, will regulate operational scenarios and expand the use of autonomous vehicles, such as shuttle services, hub-to-hub transport and dual-use vehicles. For further details on the approval process of fully autonomous vehicles under the draft Act and its scope, see our recent blog post.

The Act is supposed to be passed into federal law by mid-2021 but the Federal Ministry of Justice rejected the first draft due to data-privacy concerns. In particular, a provision on data transmission was heavily criticised, allowing vehicle data – including location data – to be transmitted to the security authorities. The criticism focuses on the lack of consideration of the sensitivity of this data as well as the excessive breadth of the provision.

Data ‘ownership’ and conditions to use vehicle data

The pace of autonomous-vehicle development primarily depends on the ability to analyse massive amounts of data to develop algorithms that deliver intelligent autonomy.

At the current level of technology, several hundred million kilometres of real-world driving data is needed to develop systems that surpass human driving capabilities. However, the current legal landscape, in particular data-privacy regulation, creates some challenges.

There are good grounds to assume that processing of vehicle data on systems inside the vehicle (so-called ‘offline data’ or ‘in-vehicle-data’) does not fall within the scope of the EU General Data Protection Regulation (GDPR) according to guidelines issued by the European Data Protection Board and German supervisory authorities and the German Association of the Automotive Industry (in German). However, the transfer of such vehicle data to the OEMs or any other third party is subject to already existing data-privacy requirements such as those set out in the GDPR.

Contrary to expectations, the current draft version of the Act may create additional hurdles for the use of such data. The proposals introduce new selective regulation on data ownership and the processing of non-personal vehicle data. The draft refers to the vehicle owner (and, in some cases, driver) being the authorised person (Berechtigter) of the relevant vehicle data. This might result in broader consent requirements that need to be considered by third parties intending to use such data.

Similar to the EU’s data strategy, the German government's data strategy (Datenstrategie der Bundesregierung) explicitly rejects a concept of data ownership and instead calls for fair, comprehensive and secure data access. This approach is intended to break up data silos and enable a single market for data. The Federal Minister of Justice’s proposal that processing non-personal data should be subject to the requirements of the GDPR has not been adopted in the most recent draft.

Obligation to save and transmit specific data

The current draft of the Act sets out 13 different types of data that are required to be saved by the vehicle owner (Halter) in specific scenarios, such as accidents, near misses, disruptions to the operating system, and unscheduled lane changes or swerving. This covers a wide range of different information, including, among other things, personal information as well as information on external conditions, such as:

  • location data;
  • speed;
  • number and times of use, as well as activation and deactivation, of the autonomous driving function;
  • environment and weather conditions;
  • networking parameters such as transmission latency and available bandwidth; and
  • commands and information sent externally to the vehicle.

It is important to note that, beyond the specific scenarios mentioned in the Act, there is no obligation to save or store this data.

Furthermore, the vehicle owner must transmit this data to the Federal Motor Transport Authority (Kraftfahrt-Bundesamt) for the purpose of monitoring the safe operation of the vehicles. The data may also be made available in anonymised form to research institutions, universities or public research bodies for development or research purposes.

From a manufacturer perspective, autonomous vehicles will have to be equipped in a way that enables these data operations. Further, manufacturers will have to inform the vehicle owner in a precise and comprehensible manner about the privacy settings and the data processing the occurs during the vehicle’s operation. This is in accordance with the GDPR requirement of ‘privacy by design and default’, which already requires data controllers to implement similar measures.

Data access requirements

The Act proposes several data-access requirements that will primarily be implemented via amendments to the Road Traffic Act (Straßenverkehrsgesetz – StVG):

  • Data will have to be stored in the vehicle itself.
  • The manufacturer is not allowed to demand exclusive access to the data from the vehicle owner, whether through general terms and conditions or the purchase contract.
  • Vehicles will need to have a standardised interface that allows access to the data.
  • Data is to be transmitted to an official central point of contact and used, for example, to monitor traffic and vehicle safety, and carry out traffic and urban planning.
  • Data that cannot be traced back to the individual will be made available to certain institutions for the public benefit.

In light of the most recent amendments to Germany’s Act against Restraints of Competition, data access rights are the current talk of the town. It is probably fair to assume that some industry stakeholders will already be assessing their options on how to gain access to the terabytes of data being generated and processed by autonomous vehicles beyond the ways set out in the Act.

What’s next?

The Act still has some ambiguities and not only around the regulation of data processing. Furthermore, its scope cannot yet be clearly determined due to terminology that leaves a lot of room for interpretation. For large-scale technical projects such as the introduction of autonomous driving technology into vehicles, such uncertainty should be avoided.

We eagerly await to see what changes will be made to the Act and how quickly it will take effect. It will hopefully pave the way for a binding framework for not only autonomous driving but the automotive industry as a whole.


gdpr, data, data protection, regulation, antitrust and competition, automotive