Privacy Implication in Autonomous Vehicles: A ‎Comparative Study of Threats and Legal ‎Requirements

The idea of a smart city conveys devices highly equipped with novel technologies performing in place of human beings. For a city to be smart, information flow plays an underpinning role. Devices in smart cities collect enormous amounts of information, enabling their embodied systems to run either as computers tackling ordinary tasks or as intelligent agents making decisions and gaining experiences. Artificial intelligence (AI) and other algorithmic systems in both learning and performing stages rely on learning from information entered by a programmer and transmitted from an external source. AI, in particular, benefits from information to predict the future, make decisions, and use feedback on prior ones for decisions on similar occasions. Therefore, the more information at hand, the more efficient AI performs and the smarter the city is. The growing communication technologies such as 5G internet and the internet of things (IoT) let AI systems access transmitted information at higher rates. Autonomous vehicle (AV) is one of the features by which smart cities are known. Along with IoT and the 5G internet, which make information transfer from other devices and infrastructures faster, AVs benefit from numerous embodied sensors collecting various sets of information from the environment for AI to participate in the vehicles' functions. In a city where people use AVs alongside other smart devices, collecting and transmitting information raises privacy concerns. This study deals with the growing concern over the  privacy of the information on which AVs rely to operate. The study's primary purpose is to detect the potential privacy threats by describing the  underlying features of AVs in the implementation of which information plays an essential role. Then, considering the potential threats, the researchintroduces and criticizes the current privacy protections in principle and practice, associable with AV's inherence.The study dedicates Section I to the concept of privacy to illustrate the evolution of its definition, dimensions, and legal protections as technologies grew over time. Dividing the process into three courses in which privacy relates different meanings, the study suggests that privacy within the current course is falsely comprehended through data and data protection regulations when instead of information itself, the aim of protection must be the subject person whose information is collected. Not considering different dimensions, the current interpretation provides narrow protection for privacy, although it empowers data transactions where data is not sensitive and the subject person consents. Some recent regulations in the EU and the USA, namely General Data Protection Regulation (GDPR) and California Privacy Act (CPA), deal with privacy in this sense by protecting data in the collection, transmission, storage, and usage stages against unconsented processes in the technology sector and technological systems, one of which being AVs. Section II provides details on how information flow and IoT enable inter-connected AVs to operate, then elucidates how the usage of such inter-connection has threatened different dimensions of privacy in actual technology cases similar to AVs. There are cases in which different sets of information on people's location, state of body and mind, behavior and action, social life, and media are collected and transmitted in vehicle-to-vehicle, vehicle-to-infrastructure, and vehicle-to-everything networks unconsented or illegally processed. Outlining the four stages of the life cycle of information (collection and storage, processing, usage, and transmission), Section III demonstrates whether AVs impose the risk of breach of privacy by four types of behavior (collection, processing, dissemination, and invasion) and how the current regulations protect privacy in the said types of behavior. Primarily, privacy protection in AVs entails considering legal principles in the design stage as well as the stages of the life cycle of information to guarantee the security and transparency of information flow. Confidentiality and encryption to improve security and inform the data subject of the purpose of processing and implementing data to increase transparency are the legal principles envisaged by current regulations, GDPR and CPA.Equipped with sensors facing the external and internal environments, AVs collect and store information about the bodily and mentally status of people in and around the vehicle, information about the vehicle itself, namely estimating energy consumption, locating the vehicle and other objects around it, and other information necessary for AI to operate the vehicle. Regulations protecting privacy should require prior consent for the collection and that the technologies associated with the collection phase minimize the  amount of data collected. The processing phase provides AI categorized, tagged, and patterned sets of information to enable the usage phase. A standard regulation contains provisions on the limitation of the purpose of the processing of data, as well as the ability to modify data for the data subject; therefore, the regulation preserves privacy from threats such as data aggregation, identification, insecurity, secondary use, and exclusion. The collected and processed data enables AVs to anticipate incidents, make decisions, and improve upon them in the usage phase of the life cycle of information. To prevent AI from being biased, intrusive, and decisionally interfering, the regulation must grant the right to reject data usage to the data subject in addition to the purpose limitation requirements. In the last stage of the cycle, AV systems transmit data in networks or delete unnecessary data. The standard regulation grants data subject the right to control over the deletion of their collected data as well as requiring its consent for data dissemination to both maintain transparency and protect privacy against unconsented disclosures and breach of confidentiality.