
Page 1: FINAL DRAFT(CLEPA) Discussion Paper on Event Data ... · - VERONIA II chap. 6.1.2 Data use outside the vehicle. ... Product liability, product monitoring obligation, ... strict liability

FINAL DRAFT (CLEPA) Discussion Paper on Event Data Recorders for Automated Driving (EDR/AD)
Date: 30 September 2016

EXECUTIVE SUMMARY

This paper explores the options and conditions for EDR-AD and attempts to formulate some general principles and recommendations for its implementation, especially from a regulatory point of view. The focus of the present document is on EDR-AD for passenger vehicles and light trucks. Obviously, many details will require further elaboration and consultation with stakeholders, and the purpose of the present document is to engage stakeholders in a dialogue. The primary purpose of EDR-AD is to establish the factual operating circumstances in the occurrence of an accident and/or a significant safety related event. CLEPA calls for a common understanding of the minimum requirements EDR-AD must fulfill in its legal context. The recent adoption of the General Data Protection Regulation (EU/2016/679, “GDPR”) will have a substantial influence on the issue of access to data recorded by the EDR-AD. One of the options to be explored is to what extent and under which conditions EDR-AD can be (partially) exempted from the GDPR. The data recorded by the EDR-AD must be accessible to authorized users in order to meet the purposes outlined above. It would seem useful to make a distinction between two categories of potential users of the data recorded, accessed and processed: unconditional users and conditional users. The first category should be narrowly defined and be limited to users designated as such by law (e.g. judicial and law-enforcement officials), which would have access to and process such data admissible under the regime of Art. 6 GDPR. This category will be defined by existing legal instruments or through legislative measures. The second category may be much broader and would require the explicit and free consent of the data owner (or “data subject”) that such specific data may be used for the specific purposes consented to in advance in line with Art. 7 GDPR. A preliminary assessment of the recently adopted e-Call Regulation suggests that EDR-AD is not incompatible with the e-Call regulation. There is, however, a need to seek clarification on the need for segregation of data recorded for both e-Call and EDR-AD. It would seem appropriate to permit the effective utilization of the data (including those generated for e-Call), allowing the optimization of AD systems architecture and minimizing costs, without compromising Data Protection Requirements.


- There is a consensus that EDR-AD will be a regulatory prerequisite for the acceptance of Automated Driving in the European Union.
- EDR-AD is an emerging policy area which will require substantial RTI effort, as well as a thorough discussion among stakeholders on the legal obligations and duties.
- Data Privacy is a key concern that must be addressed within the existing regulatory framework, i.e. the GDPR.
- There is a need for the formulation of Minimum Requirements for EDR-AD; this should be a matter of priority for all stakeholders and will require EU-funded research.
- Data Ownership must be addressed in a way ensuring the rights of the data subject in line with the GDPR.
- Data Integrity in this particular context will also require further study.

Introduction

CLEPA member companies are actively engaged in development efforts associated with Intelligent Transportation Systems and Automated Driving (AD). In this context, it is expected that at some stage of AD, the use of Event Data Recorders (EDRs) will become mandatory, primarily for establishing the factual operating circumstances in the occurrence of an accident and/or a significant safety related event. The EDR will therefore need to fulfill specific requirements which are quite distinct from the EDRs which are currently in use. In the remainder of this paper we refer to “EDR-AD” as Event Data Recorder in Automated Driving mode and to “EDR” as Event Data Recorder for purposes other than Automated Driving monitoring. This paper explores the options and conditions for EDR-AD and attempts to formulate some general principles and recommendations for its implementation, especially from a regulatory point of view. The focus of the present document is on EDR-AD for passenger vehicles and light trucks. A key element will be a common understanding of the terminology used (Annex 1).

Actual Situation

“Event Data Recorder” (EDR) is a term originating in North America, later also applied in Europe, where it replaced the term “Accident Data Recorder”. EDRs stand for a variety of embedded functions and retrofit devices that have been in use in passenger vehicles and light trucks for a considerable time. Their main purpose is to facilitate accident investigation by recording the functioning of critical safety systems and the operation of the vehicle. While data are continuously collected and overwritten, the recording is triggered, similarly to passive safety and e-Call needs, by impacts that by technical definition cause harmful consequences. Recording is here understood in the sense of freezing the data over a time of e.g. 30 secs before and 15 secs after the crash. EDRs can also be configured to record non-harmful events (e.g. harsh braking and cornering) for the purposes of monitoring and training of drivers’ behaviour and in insurance schemes (e.g. blue/red light vehicles in Europe have a certain record in this field). EDRs are traditionally understood as recording only non-visual data. This perspective is presently undergoing a certain modification, since dashboard cameras can contribute in a supplementary way to achieving the EDR objectives in the fields of accident investigation and driver training. However, data privacy concerns play a more important role and are more difficult to overcome for dashboard cameras than for non-visual EDRs.

What information is currently available and its relevance

VERONICA Projects (Vehicle Event Recording based ON Intelligent Crash Assessment)

The VERONICA Projects were initiated by DG MOVE in 2004 (DG TREN at the time) and are to be seen in the context of the Commission’s effort to halve the number of road fatalities by 2020. The purpose behind the projects was to provide European law makers with the necessary technical, legal and political information as well as with the findings in the field of accidentology. In view of the high number of accidents involving vulnerable road users, special attention was to be paid to providing a standard for detecting the causes and conditions of soft object collisions. The projects brought together a wide international and interdisciplinary set of experts from the automotive industry, accident reconstruction, law, enforcement, road safety, insurance and medicine. While VERONICA I, which was conducted in 2005 and 2006, set the frame i.a. for event definition, required collision information and data privacy requirements, VERONICA II, which was conducted from mid 2007 to mid 2009, reached agreement on detailed definitions for “wanted” events (event categories), minimum storage capacity, trigger requirements and above all proposals for the type and standard of required data elements and standardized download interfaces (preferably the OBD interface). It included a precise matrix of data element requirements with regard to frequency/range, accuracy, resolution and crash phases, all in comparison to the (generally lower) NHTSA standard.

The Final Reports of both projects also include considerations on data access, data use and data privacy:

- VERONICA I chap. 4.11 “Data Privacy Provisions”
- VERONICA II chap. 6.1.2 “Data use outside the vehicle”

The results are compiled in two final reports, VERONICA I released on 29.11.2006 with 62 pages, VERONICA II released on 6.10.2009 with 203 pages. They can be found under: http://veronica-project.net/index.php?option=com_docman&task=cat_view&gid=25&Itemid=27

Legal context

- US: Code of Federal Regulations Part 563 and legislation on EDR application by numerous federal states
- EU: none at present, though strong demand for it by the EP, except tachograph legislation, mandatory in the EU since 1986. In 2006 the digital tachograph became mandatory.

Purpose of EDR-AD

As indicated in the introduction, the primary purpose of EDR-AD is to establish the factual operating circumstances in the occurrence of an accident and/or a significant safety related event. The information generated will provide evidence of the role of the vehicle systems, including AD mode on/off, and of the driver of the vehicle at the time of the relevant event. The German Automotive Industry Association VDA has suggested some application areas for which the information recorded can be used:

- Disculpation/Exoneration of the driver in case of infringements (including non-accident events)
- Accident situation: whether the AD system was activated
- Product liability, product monitoring obligation, quality assurance and product development for OEMs and suppliers
- Supply of factual data for legal proof

There is a need to provide a robust definition of “relevant event”. Aspects that need to be considered include:

- Harmful consequences
- Driving behaviour in AD mode (e.g. red light, speed limits)
- When the driver notices undesirable behaviour of the system or sees the need to save evidence data after a not automatically triggered (non-harmful) but critical driving situation
- Driving behaviour in non-AD mode
- Abuse

CLEPA calls for a common understanding of the minimum requirements EDR-AD must fulfill in its legal context. In particular, the liability question will require additional reflection [1]. Whereas manufacturers and suppliers have a duty to provide safe products under the General Product Safety Directive (GPSD, 2001/95/EC), vehicles and AD systems (in particular software) are increasingly complex, and the identification and apportionment of liability will be time-consuming and contentious. Therefore, there may be merit in introducing the principle of “strict liability” for the operator (driver) of the vehicle.

[1] http://www.economist.com/news/business/21707598-self-driving-cars-are-set-radically-change-motor-insurance-look-no-claims?frsc=dg%7Cd

Access to Information Collected in EDR-AD; Data Protection Requirements


The recent adoption of the General Data Protection Regulation (EU/2016/679, “GDPR”) will have a substantial influence on the issue of access to data recorded by the EDR-AD. One of the options to be explored is to what extent EDR-AD may be (partially) exempted from the scope of the GDPR, i.a. by making data anonymous or restricting recorded data to “non-personal data”, which would be difficult under the circumstances and purposes of an EDR-AD. The data recorded by the EDR-AD must be accessible to authorized users in order to meet the purposes outlined above. It would seem useful to make a distinction between two categories of potential users of the data recorded: unconditional users and conditional users. The first category should be narrowly defined and be limited to users designated as such by law (e.g. judicial and law-enforcement officials), which would make access to and processing of such data admissible under the regime of Art. 6 GDPR. This category will have to be defined by existing legal instruments or through legislative measures. The second category may be much broader and would require the explicit and free consent of the data owner in writing that specific data may be used for the specific purposes consented to in advance in line with Art. 7 GDPR (the “consent declaration”). It should be noted that a data subject may withdraw his/her consent at any time. For the purpose of this paper, the data owner is considered to be the vehicle owner as well as the driver (the “data subject”) at the time of the event. In this context, the privacy of the owner as well as of the driver of the vehicle should be adequately protected by law. As per Art. 7 of the GDPR, the consent of the data subject has to be granted in writing prior to processing of the relevant (personal) data. It has to be granted for specified purposes laid out in the consent declaration. Since the driver of a vehicle may change prior to each use of the car, the required consent declaration of a driver as a data subject (in contrast to a consent declaration of the vehicle owner, which may be obtained in the context of the purchase of the vehicle in question) will have to be obtained in writing prior to each use of a car (!). The boundaries and requirements of this specific consent declaration, as well as the mechanism documenting the consent, will have to be investigated further in detail. It will therefore be essential to identify potential data users and which data are relevant to them.

Relationship with the e-Call Regulation

A first assessment of the recently adopted e-Call Regulation suggests that EDR-AD is not incompatible with the e-Call regulation. There is, however, a need to seek clarification on the need for segregation of data recorded for both e-Call and EDR-AD. It would seem appropriate to permit the effective utilization of the data (including those generated for e-Call), allowing the optimization of AD systems architecture and minimizing costs, without compromising Data Protection Requirements. In this context it should be noted that the e-Call Regulation may be considered as a legal instrument allowing for processing of personal data in line with Art. 6 sec. 1 (d), (e) and/or (f) and Art. 6 sec. 3.

Parameters

The EDR-AD consists of 2 main components:

1. The driving logger

The driving logger would record a minimum set of parameters for the following events:

- Instructions or warnings given by the AD system:
  - Visual
  - Acoustic
  - Haptic
- AD system status change:
  - AD System on
  - AD System switched off by system
  - Take-over request generated / take-over request accepted
  - AD system switched off or overruled by driver
- General system status:
  - Light status
  - Direction indicator status
  - Driver monitoring status (e.g. belt status)
- Accident or collision

The minimum set of data which needs to be recorded for all the above is:

- Event type
- Timestamp (yy-mm-dd-hh-mm-ss)
- Location (if enabled by the driver, e.g. for testing purposes)

For testing purposes only, the following data are collected:

- Odometer (total)
- Odometer for km in AD mode
- Total time in AD mode


There is a need to develop a detailed position on the minimum data recording requirements for vehicles produced in commercial series, taking into account Data Protection Regulations and Product Liability related issues.

2. The Event Data Recorder

2.1 The Impact Event Recorder

Events are recorded after a trigger either in AD mode or in non-AD mode. For crash impacts, the triggers have been defined in the VERONICA projects. For automated driving, additional triggers must be defined.

The above-mentioned VERONICA II project defines 5 phases of a crash:

- Early pre-crash: -30 sec to -5 sec before the crash
- Near pre-crash: -5 sec to 0 sec before the crash
- Crash: during the crash phase (-0.04 sec to +0.25 sec)
- Near post-crash: 0 sec to 5 sec after the crash
- Far post-crash: 5 sec to 10 sec after the crash

The EDR-AD should extend the focus of VERONICA II for the first two phases (Early pre-crash and Near pre-crash) to the following parameters:

- GPS time/position
- 360° Environment Data
- AD active state
- V2I/V2V communications (filtered set of information)

In addition, the Near pre-crash phase should contain:

- Sensor data
  - Raw data incl. images
  - Processed data
  - Sensor status/state

  A balance needs to be defined between the potentially very large quantity of data recorded and their relevance.

- Emergency braking state
- GPS time/position (higher sampling rate)
- 360° Environment Data
  - Number of objects
  - Object type (e.g. road signs, other vehicles, pedestrians, solid barriers)
  - Object attributes (e.g. distance, dynamics, etc.)

  More work is needed on the definition of ‘object’ and ‘attributes’.

- Drive dynamics, including
  - Indicated vehicle speed
  - Lateral acceleration
  - Longitudinal acceleration
  - Yaw rate
- V2I/V2V communications (full information as related to AD)
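As an added illustration (not part of the CLEPA paper), the following Python sketch models the behaviour described for the Impact Event Recorder: samples are collected continuously into a ring buffer and overwritten, an impact trigger keeps a further 10 s, and the frozen record labels every sample with the VERONICA II phase it falls in. The sample fields, the 10 Hz rate and the constructed drive in `demo_record` are assumptions for the demonstration.

```python
from collections import deque
from dataclasses import dataclass

# VERONICA II crash phases, in seconds relative to the crash (t = 0).
# The crash phase overlaps the near pre-/post-crash phases, so it is listed
# first; a sample on a shared boundary goes to the phase listed first.
PHASES = (
    ("crash",           -0.04,  0.25),
    ("early_pre_crash", -30.0, -5.0),
    ("near_pre_crash",   -5.0,  0.0),
    ("near_post_crash",   0.0,  5.0),
    ("far_post_crash",    5.0, 10.0),
)

def phase_of(rel_t):
    """Name of the VERONICA II phase containing rel_t, or None outside -30 s..+10 s."""
    for name, lo, hi in PHASES:
        if lo <= rel_t <= hi:
            return name
    return None

@dataclass(frozen=True)
class Sample:
    t: float               # vehicle time in seconds (assumed field set)
    speed_kmh: float       # indicated vehicle speed
    ad_active: bool        # AD active state
    emergency_brake: bool  # emergency braking state

class DrivingLogger:
    """Continuous collection with overwrite: a ring buffer holds the last 30 s;
    a trigger keeps 10 s more and then freezes the record (write-once)."""
    PRE_S, POST_S = 30.0, 10.0   # VERONICA II window, -30 s .. +10 s

    def __init__(self, rate_hz):
        self.pre = deque(maxlen=int(self.PRE_S * rate_hz) + 1)  # overwrites oldest
        self.post = []
        self.crash_t = None
        self.frozen = None

    def record(self, sample):
        if self.frozen is not None:
            return                      # a frozen record accepts no further writes
        if self.crash_t is None:
            self.pre.append(sample)     # normal driving: oldest sample is overwritten
        else:
            self.post.append(sample)
            if sample.t - self.crash_t >= self.POST_S:
                self.freeze()

    def trigger(self, crash_t):
        """Impact trigger (e.g. from the airbag crash sensor)."""
        if self.crash_t is None:
            self.crash_t = crash_t

    def freeze(self):
        """Label every buffered sample in the window with its phase and seal the record."""
        if self.crash_t is None:
            raise RuntimeError("freeze() called without a trigger")
        labelled = []
        for s in list(self.pre) + self.post:
            rel = round(s.t - self.crash_t, 3)
            phase = phase_of(rel)
            if phase is not None:       # samples older than -30 s are discarded
                labelled.append((phase, rel, s))
        self.frozen = tuple(labelled)
        return self.frozen

def phase_counts(record):
    """How many samples the frozen record holds per phase."""
    counts = {}
    for phase, _, _ in record:
        counts[phase] = counts.get(phase, 0) + 1
    return counts

def demo_record(rate_hz=10, crash_t=60.0, end_t=100.0):
    """Constructed drive: end_t seconds at rate_hz with an impact at crash_t
    (all sample values are made up for the demonstration)."""
    log = DrivingLogger(rate_hz)
    for i in range(int(end_t * rate_hz) + 1):
        t = i / rate_hz
        if t == crash_t:
            log.trigger(t)              # airbag sensor fires at the impact
        log.record(Sample(t, 50.0 if t < crash_t else 0.0,
                          t < crash_t + 0.2, t >= crash_t - 1.0))
    return log.frozen

if __name__ == "__main__":
    print(phase_counts(demo_record()))
```

At 10 Hz the frozen record holds 401 samples (-30 s to +10 s inclusive), and only the three samples between -0.04 s and +0.25 s are labelled as the crash phase.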

2.2 The Critical Event Recorder (The Malfeasance Recorder)

The externally processed trigger is sent to the EDR-AD recorder. Automated driving systems can detect rule violations via e.g. the camera system (sign recognition, or detecting the flash from a speed camera). The following are recorded:

- Critical driving manoeuvres (braking force above threshold tbc, steering angle above threshold tbc)
- Camera images at this time
- Camera images of sign/traffic light in case of an infringement
- GPS time/position
- AD active state

Overview of retention time and data access

- Max possible data size which can be downloaded:
  - Downloading should occur within a reasonable time period and should be adequately protected from unauthorized downloading
  - Allocated time for downloading
- EDR life duration and access:
  - Minimum retention time of an event
  - Minimum operational life-time of the equipment
- Protection of data integrity, e.g. via checksums
- Data confidentiality: e.g. 2-key TDES, public key process, encrypted data only available to a certified authority
- Audit trail of EDR download session content:
  - Authority downloading and name of person downloading
  - Date, time and location of downloading
  - Identification of downloader and time of downloading, stored permanently
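The integrity, confidentiality and audit-trail items above, together with the "pair the EDR with the vehicle and sign the stored data" recommendation in Annex 2, are illustrated by this added Python example; it is not code from the CLEPA paper or any EDR product. It assumes a symmetric key provisioned at EDR/vehicle pairing with HMAC-SHA256 standing in for the TDES/public-key schemes mentioned, a placeholder VIN, and an authority list standing in for the legally designated unconditional users.

```python
import hashlib
import hmac
import json

class EdrStore:
    """Write-once EDR-AD store: every frozen event is tagged with a key paired to the
    vehicle, downloads are restricted to designated authorities, and each download
    attempt (granted or refused) is appended to a permanent audit trail."""

    def __init__(self, vin, pairing_key, authorized_authorities):
        self.vin = vin
        self._key = pairing_key                        # provisioned at pairing (assumption)
        self.authorized = set(authorized_authorities)  # unconditional users designated by law
        self.records = []                              # [payload_bytes, tag]
        self.audit_trail = []

    def _tag(self, payload):
        # The tag covers the VIN as well as the record, so a record cannot be
        # transplanted from another vehicle's EDR and still verify.
        msg = self.vin.encode() + b"\x00" + payload
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def freeze_event(self, event):
        """Seal an event; the paper's minimum set (event type, timestamp) is mandatory."""
        for field in ("event_type", "timestamp"):
            if field not in event:
                raise ValueError(f"event record lacks mandatory field '{field}'")
        payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        self.records.append([payload, self._tag(payload)])

    def download(self, authority, person, when, location):
        """Audit, authorize, then return (record, integrity_ok) for every stored event."""
        granted = authority in self.authorized
        self.audit_trail.append({"authority": authority, "person": person,
                                 "datetime": when, "location": location,
                                 "granted": granted, "records": len(self.records)})
        if not granted:
            raise PermissionError(f"{authority!r} is not an authorized downloader")
        return [(json.loads(payload), hmac.compare_digest(self._tag(payload), tag))
                for payload, tag in self.records]

def demo():
    """Constructed scenario: two events, one refused download, one clean download,
    then a corrupted record detected on the next download."""
    store = EdrStore("VIN-PLACEHOLDER", b"constructed-pairing-key-not-for-production",
                     ["police"])
    store.freeze_event({"event_type": "AD System on", "timestamp": "16-09-30-10-15-00"})
    store.freeze_event({"event_type": "Accident or collision",
                        "timestamp": "16-09-30-10-42-17", "ad_active": True})
    try:
        store.download("workshop", "J. Doe", "16-10-01-09-00-00", "dealer site")
    except PermissionError:
        pass                                           # the refusal is still logged
    clean = store.download("police", "Officer A. Example", "16-10-01-09-30-00", "crash site")
    # Simulate memory corruption or tampering: flip ad_active in the stored bytes.
    store.records[1][0] = store.records[1][0].replace(b'"ad_active":true',
                                                      b'"ad_active":false')
    tampered = store.download("police", "Officer A. Example", "16-10-02-14-00-00", "lab")
    return clean, tampered, store.audit_trail

if __name__ == "__main__":
    clean, tampered, trail = demo()
    print([ok for _, ok in clean], [ok for _, ok in tampered], len(trail))
```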

In an automated vehicle there are the following nodes where EDR-AD data could be collected:

- Data source nodes (e.g. sensors like camera, lidar, radar…)
- Decision making nodes: processing ECUs for taking system level decisions, including arbitration and actuation (e.g. generating a transition demand for driver hand-over, or emergency braking)
- Actuating system nodes (e.g. braking, steering, throttle, …)
- Data collection node: unit for storing data (e.g. “black box”)

These nodes can be hosted by one or several physical components. The relevant EDR-AD data would ideally be recorded in the nodes where the relevant decision was made. In addition, any other node which can provide information fulfilling the purpose of EDR-AD shall record relevant data (for example in a centralized unit which resists physical damage). A key requirement will be that the integrity of the data must be ensured to permit recovery following the occurrence of the event. This may well involve (emerging) technologies such as “cloud storage” and non-vehicle-based storage. It will also involve the setting of standards for data integrity, allowing for exceptional events where data will be lost or compromised.

Implementation aspects

The implementation aspects are beyond the scope of the present document. Since (enabling) technologies are still emerging, CLEPA would advocate a strictly technology-neutral approach. In Annex 2, we present an overview of the items that need additional discussion. Stakeholders should discuss recommendations for technical solutions/options, including data storage in the “Cloud” instead of a physical data storage unit in the vehicle itself.

Regulatory Framework

Since EDR/AD will perform a critical task in ensuring the safety of road traffic, an appropriate regulatory framework is needed, preferably on a global scale. The framework should ensure sufficient flexibility to enable adjustments to the rapidly evolving technologies involved. It should set minimum requirements, leaving individual OEMs/users the option to add functionalities. In the context of the EU, it is expected that EDR/AD will be subject to the Type Approval Regulatory Framework. It is recommended that this subject is addressed in the current review of the Framework Regulation (2016/0014 (COD), January 27, 2016), in particular Annex IV and the relevant UNECE Regulations. Obviously, compatibility with other legislation/regulations such as data protection rules must be ensured.

Conventional Event Data Recorders – Regulatory Environment

The National Highway Traffic Safety Administration (NHTSA) has regulated non-Automated Driving (conventional) Event Data Recorders since [2006] in title 49 of the Code of Federal Regulations section 563 (49 CFR 563) [2]. Below is a summary of the Regulations from the (US) Insurance Institute for Highway Safety:

[2] https://www.gpo.gov/fdsys/granule/CFR-2011-title49-vol6/CFR-2011-title49-vol6-part563/content-detail.html


“EDRs extend the information from airbag crash sensors, which measure vehicle decelerations to determine if a serious crash is occurring and whether airbags should inflate. The EDR gathers information from these sensors and in some cases from other vehicle systems, storing it in its memory in the event of a crash. These devices have grown more sophisticated with new airbag technologies. EDRs are used in some manufacturers' automatic systems that notify call centers when serious crashes occur. The information EDRs collect varies by automaker, and data retrievability is mixed. The federal rules aim to not only standardize the data but also make it easier for researchers, law enforcement personnel, and others to download the information. The government directed the manufacturers to ensure by licensing pacts or other means that technology is commercially available to retrieve the data from EDRs. And for the first time automakers will have to tell consumers if the vehicles they're buying are equipped with EDRs, satisfying some concerns about privacy. Under the new rules, EDRs have to record a minimum set of specified data in a uniform format to answer questions about crash severity, vehicle dynamics, and safety systems up to five seconds before impact and a third of a second afterward. Did the driver apply the brakes? How fast was the vehicle going? Was the driver's safety belt buckled? What was the maximum speed change of the vehicle during the impact? If an EDR records more information, such as steering before impact and whether electronic stability control was operating, the rules specify the format and time period for recordation.” [3]

Conventional EDRs are, however, not mandatory under 49 CFR 563. Nor does the regulation provide any mandatory access to the information stored in the EDR.

In 2014, the Transport Research Laboratory published a Cost Benefit Assessment of the installation of conventional EDRs in the European Union [4]. The legal status of the conventional EDR is assessed as follows: “Legal advice on the application of European Directive 95/46/EC and the legal situation in six European countries found that:

- Ownership of EDR data was not defined, although the vehicle owner would be likely to be considered the data owner: clarification of ownership would be beneficial to the access and management of EDR data.
- Access to the EDR data was possible by any party able to access the EDR port. Further controls in this area would be technically possible and could be desirable to control access and prevent data modification or deletion. Stakeholders felt that this should be left to the manufacturer and should not impede access to the data for legitimate uses.
- EDR data, by itself, does not constitute personal data. Thus, any party can use anonymized EDR data. Should the party accessing the data be in the possession of other data that renders the EDR data personal by linking it to an individual, the nationally enforced provisions of Directive 95/46/EC apply, which comprise adequate processes and controls to protect personal data.
- All countries highlighted a degree of uncertainty surrounding the collection and use of EDR data and recommended that, although adequate legal frameworks exist once ownership and access are defined, specific conventions would be helpful to define these fundamental aspects.”

[3] (US) Insurance Institute for Highway Safety, Highway Loss Data Institute, http://www.iihs.org/iihs/sr/statusreport/article/41/8/2

[4] Study on the benefits resulting from the installation of Event Data Recorders, Study Reference: MOVE/C4/SER/2013-200/SI2.663647, http://ec.europa.eu/transport/road_safety/pdf/vehicles/study_edr_2014.pdf

The study group of the European Parliament has addressed the issue in a recent publication [5]. In its conclusion it states: “It is the view of the authors that, if EDR technology is used exclusively for the purpose of collecting information on incident causation and the reconstruction of events around that incident, privacy would not be an issue, as long as the data remained anonymous.” Strictly speaking, it is misleading to refer to “data ownership”. A correct treatment of this question would exclusively discuss access rights to data. If data are considered that are personal or that can be related to a person, it is that person who has the right to access, store or delete the data – except under contractual conditions, e.g. labour, insurance or car hire relations, and for purposes of identifying the legally responsible originator of a crime or of damage caused to others, as stipulated by law. In this regard a clarification of EDR data “ownership” as suggested by the TRL study is only necessary when considering the OEM interest in using the data for R&D purposes and safety enhancements. A convention would indeed be helpful. However, data for police and court investigations on responsibility can by definition not remain anonymous, an aspect that the EP study ignores.

The Society of Automotive Engineers has issued a set of standards covering conventional EDRs. The SAE J1698 series of documents consists of the following [6]:

- SAE J1698-1 – Event Data Recorder – Output Data Definition: provides common data output formats and definitions for a variety of data elements that may be useful for analyzing vehicle crash and crash-like events that meet specified trigger criteria.
- SAE J1698-2 – Event Data Recorder – Retrieval Tool Protocol: utilizes existing industry standards to identify a common physical interface and define the protocols necessary to retrieve records stored by light duty vehicle Event Data Recorders (EDRs).
- SAE J1698-3 – Event Data Recorder – Compliance Assessment: defines procedures that may be used to validate that relevant EDR output records conform with the reporting requirements specified in 49 CFR Part 563, Table 1 during the course of FMVSS-208, FMVSS-214 and other applicable vehicle level crash testing.

[5] http://www.europarl.europa.eu/RegData/etudes/STUD/2014/529071/IPOL_STU(2014)529071_EN.pdf

[6] http://standards.sae.org/j1698_201405/

Conclusions & Recommendations

- There is a consensus that EDR-AD will be a regulatory prerequisite for the acceptance of Automated Driving in the European Union.
- EDR-AD is an emerging policy area which will require substantial RTI effort, as well as a thorough discussion among stakeholders on the legal obligations and duties.
- Data Privacy is a key concern that must be addressed within the existing regulatory framework of the GDPR.
- There is a need for the formulation of Minimum Requirements for EDR-AD; this should be a matter of priority for all stakeholders and will require EU-funded research.
- Data Ownership must be addressed in a way ensuring the rights of the data subject in line with the GDPR.
- Data Integrity will also require further study.


Annex 1: Definitions and Abbreviations (to be completed)


Annex 2: Implementation considerations

Data Preservation

A key issue to address is how the integrity of the data is assured, e.g. through energy-reserve requirements or alternative storage technologies (e.g. RAM).

How to access

EDR-AD will record two kinds of data, which should have different access rights. Category A: data which only show the status of driving in HAD mode. Category B: in case of an accident, data which provide the information needed to reconstruct the situation. All data should be accessible in a read-only format. Category A data, captured and stored by the event data recorder, must be accessible within the vehicle's cockpit unit or retrievable with a commercially available tool. Category B data can be read out only by authorized workshops of the manufacturer.

Open items:

- how to send Category A information to authorities (police, insurance, ...)

- should access be protected by a code? Is the code owned and set (changed) by the vehicle owner?

EDR Data Security and Reliability

[Data should be reliable, so that responsibility is not incorrectly allocated.]

The EDR/AD shall secure the data recorded in the defined time frame before, during and after any event listed in the previous paragraph (the section listing the parameters to be recorded). This protection shall cover both the material aspects (ECU, components, ...) and the non-material aspects (stored data, data flows, ...) of the EDR/AD. In both cases, the system shall follow some fundamental principles:

- Data confidentiality: limit access to authorized persons only (e.g. restrict end-user access to the EDR ECU and encrypt the stored data).

- Data integrity: protect the system from any modification (e.g. pair the EDR with the vehicle and sign the stored data).

- Data availability: ensure data recording capability in case of an event (e.g. by duplicating the EDR ECU).

The data security format could depend on the data type, the storage medium or the data transmission means.

European VERONICA II Project Recommendations for data security:

EDR event storage data shall not be writeable by any external entity, but only by the EDR itself.


EDR event storage data shall not be explicitly deleted, except in the case of a full factory reset. It needs to be ensured that such a reset is only possible by authorised workshops.

EDR event storage data may be overwritten by the EDR itself with newer records, so as to ensure continued operation of the EDR

Since the EDR decides which data to transfer to the event storage when sensor values exceed certain threshold values, there should be no easy way to feed the EDR with faked sensor data

If the implementation of the EDR cannot prevent rogue sensor input, some kind of tamper evidence should be sought.

- Examples of technical possibilities (without recommendation for the time being):

Use of cryptographic algorithms:

- to prove the authenticity of data: generation of a signature or message authentication code via algorithms such as HMAC-SHA2;

- to encrypt data: algorithms such as AES (using shared secret keys) or RSA (using a public key; in practice RSA would protect a per-record AES key rather than encrypt the records themselves);

- systematic transmission of the event data immediately after the crash, if possible (via mobile networks), so that a copy exists that cannot be tampered with in the vehicle.

Use of an embedded NIS SIM for storage of the event data.

Use of a lock apparatus (as standardized by IEEE 1616a-2010) for physical access to the download port.

Means of retrieval of event data (OBD port, use of a Connector Lockout Apparatus as standardized by IEEE 1616a-2010).
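The integrity items above (signing the stored data with an HMAC, pairing the EDR with the vehicle, overwriting only by the EDR itself, no external deletion, tamper evidence against fake or dropped records) can be demonstrated together. The following is an added example written for this paper's review, not code from CLEPA, VERONICA II or any EDR supplier: the record layout, the 32-byte device secret, the VIN and the four-slot ring buffer are constructed for illustration and are not the SAE J1698-1 output format. It goes slightly beyond the HMAC-SHA2 item by chaining each record's tag to its predecessor and carrying a monotonic sequence counter, so that a retrieval tool can distinguish a legitimate overwrite by the EDR from an external modification, truncation or deletion. Only integrity is covered; encryption of the stored records (the AES item) is left out.

```python
"""Tamper-evident EDR event storage: HMAC-SHA256 chain over a ring buffer.

Added example, not from the CLEPA paper or VERONICA II; standard library only.
"""
import hashlib
import hmac
import struct

# Record layout, constructed for this example (not the SAE J1698-1 output format):
# seq (u32) | timestamp_ms (u64) | had_mode (u8) | speed_kmh x10 (u16) | brake_pct (u8) | steer_deg x10 (i16)
RECORD_FMT = ">IQBHBh"
TAG_LEN = 32


def derive_edr_key(device_secret: bytes, vin: str) -> bytes:
    """Pair the EDR with one vehicle: key = HMAC(device_secret, "EDR-pair|" || VIN).
    Assumption: device_secret is provisioned into the EDR ECU and never leaves it,
    so records produced for one VIN cannot be replayed into another vehicle's EDR."""
    return hmac.new(device_secret, b"EDR-pair|" + vin.encode(), hashlib.sha256).digest()


def chain_tag(key: bytes, prev_tag: bytes, rec: bytes) -> bytes:
    """tag_i = HMAC-SHA256(key, tag_{i-1} || record_i): every tag commits to its predecessor."""
    return hmac.new(key, prev_tag + rec, hashlib.sha256).digest()


class EdrEventStore:
    """EDR side. Only the EDR writes here; it may overwrite its oldest record (VERONICA II)."""

    def __init__(self, key: bytes, slots: int):
        self.key = key
        self.slots = slots
        self.next_seq = 0             # monotonic counter, reset only by a factory reset
        self.anchor = bytes(TAG_LEN)  # tag of the record just before the oldest kept slot
        self.head = bytes(TAG_LEN)    # tag of the newest record
        self.ring = []                # [(record_bytes, tag)], oldest first

    def record_event(self, ts_ms: int, had_mode: bool, speed_kmh: float,
                     brake_pct: int, steer_deg: float) -> bytes:
        rec = struct.pack(RECORD_FMT, self.next_seq, ts_ms, int(had_mode),
                          round(speed_kmh * 10), brake_pct, round(steer_deg * 10))
        tag = chain_tag(self.key, self.head, rec)
        if len(self.ring) == self.slots:
            _, self.anchor = self.ring.pop(0)  # overwrite oldest; its tag becomes the new anchor
        self.ring.append((rec, tag))
        self.head = tag
        self.next_seq += 1
        return tag

    def export(self) -> dict:
        """Read-only view handed to an authorised retrieval tool."""
        return {"ring": list(self.ring), "anchor": self.anchor, "head": self.head,
                "next_seq": self.next_seq, "slots": self.slots}


def verify_export(key: bytes, dump: dict) -> list:
    """Retrieval-tool side. Returns a list of findings; an empty list means the dump is intact."""
    findings = []
    ring, slots, next_seq = dump["ring"], dump["slots"], dump["next_seq"]
    expected_count = min(next_seq, slots)
    if len(ring) != expected_count:
        findings.append(f"record count {len(ring)} != expected {expected_count} "
                        "(deleted or inserted records)")
    prev = dump["anchor"]
    first_seq = max(0, next_seq - slots)  # the EDR may only have overwritten this many
    for idx, (rec, tag) in enumerate(ring):
        if not hmac.compare_digest(tag, chain_tag(key, prev, rec)):
            findings.append(f"slot {idx}: MAC chain broken (modified, forged or reordered record)")
        seq = struct.unpack_from(">I", rec)[0]
        if seq != first_seq + idx:
            findings.append(f"slot {idx}: sequence {seq}, expected {first_seq + idx}")
        prev = tag
    if not hmac.compare_digest(prev, dump["head"]):
        findings.append("newest record(s) missing: chain end does not match EDR head tag")
    return findings


def demo() -> dict:
    """Constructed scenario: six events into a four-slot ring, then three tampering attempts."""
    key = derive_edr_key(b"\x01" * 32, "WVWZZZ1JZ3W386752")  # constructed secret and VIN
    edr = EdrEventStore(key, slots=4)
    for i in range(5):
        edr.record_event(1_000 * i, had_mode=True, speed_kmh=50.0 + i, brake_pct=0, steer_deg=0.0)
    edr.record_event(5_000, had_mode=False, speed_kmh=48.2, brake_pct=95, steer_deg=-12.5)  # crash
    clean = edr.export()
    # 1) Lower the recorded speed in the crash record (bytes 13..14) without the key.
    tampered = dict(clean); tampered["ring"] = list(clean["ring"])
    rec, tag = tampered["ring"][-1]
    tampered["ring"][-1] = (rec[:13] + struct.pack(">H", 300) + rec[15:], tag)
    # 2) Remove the newest (crash) record.
    truncated = dict(clean); truncated["ring"] = clean["ring"][:-1]
    # 3) Drop the oldest kept record so the incident appears to start later.
    shifted = dict(clean); shifted["ring"] = clean["ring"][1:]
    return {"clean": verify_export(key, clean), "tampered": verify_export(key, tampered),
            "truncated": verify_export(key, truncated), "shifted": verify_export(key, shifted)}
```

Because HMAC is symmetric, the retrieval tool holds the same key as the EDR, so any party able to verify is also able to forge. Where the verifying party (police, insurer, court expert) must not be able to forge, the chain tag would be a digital signature (the RSA item above, or ECDSA) made with a private key that never leaves the EDR ECU, and the tool would verify with the public key. The anchor and head tags plus the sequence counter are part of the EDR's own protected state; without them the count check alone cannot tell a legitimate overwrite from a deleted oldest record.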