First-Ever Privacy Law Protects Drivers from Black Box Data
Event data recorders (EDRs) are electronic “black boxes” that collect and store information about the operation of a vehicle. A variety of data can be recorded such as vehicle speed, steering wheel angle, accelerator pedal position, and the degree of pressure applied to the brakes immediately prior to an accident. Nationwide, black box sensors have been built into millions of vehicles currently in operation.
However, a legislative backlash may be emerging against this technology. A case in point is California Assembly Bill 213 signed into law Sept. 22, 2003, by former Gov. Gray Davis. It is the nation’s first driver privacy law to protect data collected by black boxes. Codified as Section 9951 of the California Vehicle Code, it requires that auto manufacturers disclose the existence of “recording devices” (EDRs) in the owner’s manual for vehicles manufactured on or after July 1, 2004. Furthermore, the law states that the data captured by a recording device can only be retrieved with permission from the vehicle’s registered owner, a court order, or by the manufacturer for matters relating to auto safety or vehicle repair. The law defines a “recording device” as one which records a vehicle’s speed and direction, a history of where the vehicle travels, steering and brake performance, and the driver’s seatbelt status, or which has the ability to transmit information concerning an accident to a central communications system. A Massachusetts state legislator is also considering the introduction of a bill modeled on AB 213.
Even prior to the passage of the California law, legal and labor skirmishes regarding driver privacy have occurred at some fleets. For instance, drivers at trucking fleets have long been opponents to government use of EDRs for audit and enforcement purposes such as monitoring hours of service compliance. Recently, the Teamsters union at United Parcel Service negotiated in its 2002 contract to prohibit using GPS data in employee evaluations.
Disclosing EDRs to Fleet Drivers
Typically, a fleet vehicle’s registered owner is the company or a leasing company, not the employee driver whose driving data is recorded. Could a California employee driver have grounds to sue an employer for workplace privacy violations by arguing that he or she was not properly informed of the existence of an EDR in the assigned company vehicle, especially if data is collected during personal use? Secondly, could this data be used against the employee for disciplinary purposes or in litigation? One attorney has argued that event data recorders are a violation of an individual’s Fifth Amendment rights against self-incrimination; however, this has yet to be adjudicated in a court of law. Privacy advocates argue that additional government safeguards should be implemented so that the collection of EDR data follows the Federal Trade Commission’s Fair Information Practices and that companies are required to obtain the unambiguous or “opt-in” choice from drivers to collect this data. (Text for the Fair Information Practices is available on the Web.) Fleet managers, in consultation with their HR and legal departments, need to decide whether to disclose the existence of EDRs in vehicles being driven by their California drivers and whether they need to get the drivers’ written authorization allowing the possible use of this data. Currently, the issue of EDR data disclosure is an untested area of law with few legal precedents.
When Does Data Collection Go Too Far?
Some groups are lobbying for government-mandated requirements for EDRs such as a proposal by the former head of NHTSA, Dr. Ricardo Martinez, who now runs Safety Intelligence Systems Corp. Martinez has proposed that NHTSA consider mandating EDR use in all vehicles to create a global auto-crash database. In a letter to NHTSA, Martinez envisioned EDRs evolving to where “information can be automatically and instantly transmitted from cars” to this centralized database. The question that critics pose is who would have access to this data, and would the data be available for sale? Some companies have expressed interest in obtaining EDR data. For instance, EDR technology would enable the auto insurance industry to charge variable insurance premiums based on driving behavior, resulting in lower premiums for safe driving and higher premiums for those engaging in risky or unsafe driving behavior.
Critics are concerned about the future sophistication of data collection and storage capabilities of black boxes, especially if the scenario advocated by Martinez becomes a reality. Could enhanced EDR data collection in the future be used to bolster a case of negligent entrustment against a company if a black box documents not only fault on the part of an employee driver in an accident but also an electronic history of excessive speeding, abrupt braking, or erratic steering?
Privacy advocates want to forestall these possible scenarios by making EDRs optional, not mandatory, equipment. However, the unresolved legal issue is when does data collection go too far?
Let me know what you think.