To: Mr. Brian Soublet
General Counsel
California Department of Motor Vehicles
Via: LADRegulations@dmv.ca.gov
Date: October 14, 2016
Thank you for the opportunity to provide comments concerning these proposed regulations. We believe the revisions incorporated in this updated draft better serve the people of California—not only in terms of safety, but in terms of consumer welfare more generally.
However, we also believe that further revisions are necessary.
Delineating Spheres of Authority—Permit Approval
Section 227.04(d): This section concerns what requirements must be met for autonomous vehicle testing to take place on public roads. Specifically, it requires manufacturers to “certify that testing will be conducted in accordance with the National Highway Traffic Safety Administration’s ‘Vehicle Performance Guidance for Automated Vehicles.’”[1]
As you are no doubt aware, the “Vehicle Performance Guidance for Automated Vehicles” includes, among other things, a voluntary 15-point safety checklist for manufacturers to consider as they develop their vehicles. NHTSA has requested that manufacturers provide reports to the agency concerning how they are endeavoring to follow the guidelines. But, compliance with the content of the safety checklist is voluntary.[2]
In Section Two of its “Model State Policy,” NHTSA instructs that “the application should state that each vehicle used for testing by manufacturers or other entities follows the Performance Guidance set forth by NHTSA and meets applicable Federal Motor Vehicle Safety Standards.”[3]
The difficulty presented by the draft language, as currently written in Section 227.04(d), is that when a manufacturer certifies it is in “accordance” with the guidelines, it remains unclear how the DMV intends to verify this claim. What’s more, it is unclear whether “accordance” is intended as a synonym for NHTSA’s request that manufacturers state that the performance guidelines are being “followed.”
Further, Section 227.28 (Review of Application) does not address the standard set forth for review of the application’s “accordance” with the voluntary federal guidelines. Instead, it refers to the completeness of the application and its sufficiency. This raises the critical question, for purposes of gaining an application’s approval: is it sufficient for the manufacturer to merely submit a copy of the safety assessment letter voluntarily provided to NHTSA at the agency’s request? Or, does the DMV intend to retain the discretion to decide whether the manufacturer is, as a substantive and technical matter, in accordance with the guidelines?
If the answer is the latter, and the DMV intends to evaluate the manufacturers’ substantive “accordance” with the NHTSA guidelines, the DMV may transform performance guidelines that were explicitly drafted to be voluntary into compulsory rules. If so, that would pose huge problems for manufacturers wishing to test in California because reaching an accord with voluntary—and vague—guidelines will be challenging. Even companies acting in good faith to comply with the voluntary NHTSA guidelines may, in some sense, run afoul of them.
Further, if the DMV intends to be the judge of what “accordance” with the NHTSA guidelines entails, it will itself run afoul of the separation of authority between the states and the federal government contemplated in the guidelines—and embraced by the Department as it undertook this second draft of the regulations—by becoming the arbiter of compliance with nonbinding federal guidelines that did not go through a full rulemaking process.
To remedy the problem, we suggest either of two separate amendments:
Remove Section 227.04(d) in its entirety. Because NHTSA’s guidance is wholly voluntary, some manufacturers may not elect to submit reports to the agency in spite of its request. Including Section (d) would constructively require those manufacturers to do so in order to acquire a testing permit in California, thus impinging upon an unexercised NHTSA authority.
Reform Section 227.04(d) to read: “(d) The manufacturer certifies that testing will be conducted in accordance with the National Highway Traffic Safety Administration’s ‘Vehicle Performance Guidance for Automated Vehicles,’ as written and interpreted by NHTSA.”
Section 227.54: This section builds on, and incorporates via Section 227.54(f), the requirements of Section 227.04 to articulate conditions that manufacturers must comply with in order to obtain a testing permit for a vehicle that does not require a driver, specifically adherence to the “Vehicle Performance Guidance for Automated Vehicles.”
The problem here, again, is whether the DMV may be the arbiter of whether a manufacturer is in compliance with NHTSA guidance. In NHTSA’s own “Model State Policy,” manufacturers are merely asked to certify that their vehicles “follow” the guidelines; they are not asked whether they “comply” with the guidelines. Like the draft regulations’ other references to “accord” with the guidelines, this aberrant standard could confer authority on the DMV which is not desired or appropriate.
We recommend that references to the guidelines in Sections 227.54(g)(3) and 227.54(g)(4) be removed.
Section 227.58 and Section 227.60: These sections suffer from the same ambiguity as Section 227.54, but in the context of procuring a permit for post-testing deployment of autonomous vehicles on public roads and for procuring a permit for post-testing deployment of autonomous vehicles that do not require a driver on public roads.
We recommend that references to the guidelines in Sections 227.58(b)(1), 227.58(b)(3), and 227.60(c)(3) be removed.
Sections Concerning Provision of the “Safety Assessment Letter”
In Sections 227.26(3), 227.54(h), 227.58(b)(9), 227.60(b)(9), and 227.64(b), the DMV requires that manufacturers submit a copy of the Safety Assessment Letter filed with NHTSA as specified in the guidelines.[4]
However, the Federal Automated Vehicle Policy, concerning the Safety Assessment Letter to NHTSA, reads: “…the Agency will request that manufacturers and other entities voluntarily provide reports regarding how the Guidance has been followed. This reporting process may be refined and made mandatory through a future rulemaking.”[5]
While we understand that NHTSA is likely to promulgate rules making reporting compulsory at some future date, unless and until NHTSA makes the filing of a Safety Assessment Letter mandatory via rulemaking, these provisions would compel manufacturers to treat the voluntary provision of a Safety Assessment Letter to NHTSA as compulsory. This is a de facto infringement on NHTSA’s exclusive authority to oversee vehicle safety standards.
We recommend that all requirements related to the Safety Assessment Letter be removed.
Proposed Definitions in Conflict with Society of Automotive Engineers (SAE) Recommended Practice
The draft regulations, released on September 30, 2016, reference “autonomous vehicle(s)” 189 times and “control” 21 times. Also, on September 30, 2016, SAE International released its update of Standard J3016, “Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles.”[6]
With respect to “autonomous vehicle,” J3016 “recommends against using terms that make vehicles, rather than driving, the object of automation…. Moreover, a given vehicle may be equipped with a driving automation system that is capable of delivering multiple driving automation features that operate at different levels; thus the level of driving automation exhibited in any given instance is determined by the feature(s) engaged. As such, the recommended usage for describing a vehicle with driving automation capability is ‘level [1 or 2] driving automation system-equipped vehicle’ or ‘level [3, 4, or 5] driving automation system-engaged vehicle’ or ‘level [3, 4, or 5] ADS-operated vehicle’” (original emphasis).[7]
With respect to “control,” J3016 “strongly discourage[s], and [has] therefore deliberately avoided, the potentially problematic colloquial usage. Because the term ‘control’ has numerous technical, legal, and popular meanings, using it without careful qualification can confuse rather than clarify.”[8] J3016 instead recommends the use of the terms “Dynamic Driving Task performance” and “operate” in order to clarify what the human driver or driving automation system do in relation to the dynamic driving task.
We recommend that the DMV reexamine the latest revision of J3016 and adopt the Recommended Practice taxonomy and definitions as completely as possible.
Insurance
Sections 227.04(c) (Requirements for a Testing Permit) and 227.08 (Instrument of Insurance), as written, include an inconsistency concerning the scope of products that surplus lines insurers may be able to provide.
Section 227.04(c)’s reference to “instrument of insurance” fails to include surplus lines insurers for anything outside of providing a surety bond, while Section 227.08 has no such limitation and specifies simply that an “instrument of insurance” may be provided by a surplus lines insurer.
In practice, it appears that the DMV has treated the requirements of the two sections as coterminous. Thus, complying with the requirement under 227.08(a) would be satisfactory to fulfill the requirement under 227.04(c). But, the ambiguity should be resolved: Section 227.04(c) should be updated to allow surplus lines insurers to provide instruments of insurance beyond surety bonds. This change is important to ensure that non-admitted insurers may be able to offer a full range of products without a cloud of regulatory uncertainty.
We recommend the following amendment:
Revise Section 227.04(c) to read: “…an instrument of insurance issued by an insurer admitted to issue insurance in California or an eligible surplus lines insurer that meets the requirements of Insurance Code section 1765.1; a surety bond issued by an admitted surety insurer or an eligible surplus lines insurer, and not a deposit in lieu of bond; or a certificate of self-insurance.”
Data/Information Privacy
Section 227.78 concerns the consent that manufacturers must obtain, or steps that they must take absent such consent, to collect information from operators of autonomous vehicles and to use that information. The section is drawn from authority granted by California Vehicle Code Section 38750(h) which directs manufacturers to provide a “written disclosure to the purchaser of an autonomous vehicle that describes what information is collected by the autonomous technology equipped on the vehicle.” As written, the section is problematic.
In general, the Department should defer to federal and state privacy regulators (including primarily the Federal Trade Commission (“FTC”) and the California Attorney General’s Office). While there is merit in an expert agency offering guidance to suggest how general privacy regulations might apply to situations within its purview, there is little benefit in the Department itself drafting specific privacy regulations or supplanting expert agencies in enforcing privacy rules.
We recommend that, whatever specific language the Department adopts, it clarify that the language is intended to offer its advice regarding the application of existing and generally applicable privacy regulations and consumer protection laws to autonomous vehicles, rather than to offer specific regulatory obligations.
Further, whether the Department adopts privacy language as guidance or regulation, we recommend that it conform its privacy language as closely as possible to the existing “notice and consent” privacy framework that guides the FTC and the California Attorney General.[9]
Bringing the Department’s proposed language into conformity with the prevailing federal and state frameworks requires, in particular, rethinking the underlying assumptions concerning the relevance of collection versus use of data and of the sensitivity of data.
Generally speaking, data restrictions—such as those contemplated in the draft regulations—should target harmful uses of information, rather than mere possession or collection, and privacy rules should regulate information flows only as necessary to protect against harmful uses of information. Because the vast majority of data uses tend to be positive, people are unlikely to be harmed by the mere collection of information.[10] Moreover, it is not always clear what data could be used for harmful purposes, or when beneficial uses might outweigh potential harms. And, at the same time, some of the most consumer-protective uses of data require largely frictionless collection and sharing of broad bases of information.[11]
Businesses, consumers and society generally stand to benefit immensely from both current and as-yet unidentified data flows. Thus, consumers are likely better off on net when the collection of data from them in voluntary transactions remains generally unencumbered; rather than requiring repeated consumer affirmations, the better way to protect consumers is generally to require (i) general disclosure as to what data is being collected that consumers might not expect to be collected, (ii) that users may opt-out in certain circumstances, and (iii) that affirmative action by the consumer be required only when the potential harm is great enough to outweigh the benefits.
A system requiring repeated disclosures and repeated affirmative express consent by users would needlessly burden the evolving collection and use of valuable information without obvious corresponding benefit. Not only would it deter experimentation and innovation in data collection and use (and thus product design and development), but, as a function of human psychology, it would unnecessarily dull the seriousness with which consumers take such updates and operate to exclude many consumers from the benefits of technological progress—particularly relatively poorer, and less-technology-literate, citizens.[12] For these reasons, the draft regulations should be amended to more appropriately balance the potential harms and benefits of the collection and use of consumer data.
We propose that the DMV embrace the framework for determining notice, consent, and disaffirmation that is currently employed by the Federal Trade Commission.[13] Its basic supposition is that consent should be required only where it cannot be inferred from the nature of the transaction itself, and, generally, only when sensitive and personally identifiable data is involved.
The FTC recommends that “companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer.”[14] In addition, notice and choice is not required for “(1) product and service fulfillment; (2) internal operations; (3) fraud prevention; (4) legal compliance and public purpose; and (5) first-party marketing.”[15] The focus of the current draft rules on the distinction between data “necessary for the safe operation of the vehicle” and data “not necessary” for such purpose is a useful starting point for determining when consumer assent to data collection and use should be inferred. But, as noted above, there is a range of other situations where consent should be inferred, as well: essentially, where data is used internally (as opposed to being shared with third parties).
Further, as the FTC notes, for those remaining situations where consumer choice is recommended, consumers should be given an opportunity for “affirmative express consent” (that is, “opt-in” consent), as opposed to merely an opportunity to opt-out, only when they involve data that is both of a sensitive nature[16] and linkable to a particular person or device (i.e., non-anonymized).
We propose a new approach for the Department that is consistent with the FTC standards, compliant with existing California law and sensitive to the Department’s heightened concern for consumer protection given the newness and significance of transactions surrounding autonomous vehicles.[17]
Four characteristics of the collected data are relevant to this approach:
Whether it is necessary for the safe operation of the vehicle or for insurance purposes (essentially mapping onto the FTC’s “(1) product and service fulfillment; and (2) internal operations” categories);
Whether it is sensitive;
Whether it is shared with third-parties; and
Whether it is anonymized.
Data used internally for purposes necessary to the vehicle’s safe operation, regardless of the other characteristics, requires neither disclosure nor consent (as the Department’s proposed rules implicitly acknowledge): its collection and use are inherently part of the transaction. At the other end of the spectrum, opt-in consent should be required for data that is used for purposes not necessary to the safe operation of the vehicle and that is sensitive, non-anonymized, and shared with third-parties. Data with other combinations of these four characteristics will fall into various middle grounds.
In particular, we urge the Department to clarify that the draft regulation’s concept of “necessary” information includes not only that information necessary for operation of the vehicle, but also that necessary for “product and service fulfillment” and “internal operations.” A car doesn’t run on mechanical systems alone. The (legal, insurance, logistical, IT, etc.) systems employed by manufacturers are also essential, even if not directly responsible for making a vehicle go.
Insurance presents a particularly important example. Insurance data will necessarily be shared with third parties: insurance companies. Such data sharing is—like the collection, internal use, and sharing of data about vehicle operation necessary for safety purposes—understood by consumers to be inherent in manufacturing, selling, maintaining and operating an autonomous vehicle. Moreover, all states, including California, require operators of any motorized vehicle to carry insurance adequate to pay for damage that they may cause in the course of the vehicle’s operation. In short, California has already concluded that safety and insurance are inextricably intertwined, that it is impossible to safely operate a vehicle without insurance and, further, that insurance cannot function properly if users can opt-out. In the case of autonomous vehicles, that requires sharing operation data with insurance companies. Such sharing should not require consent—like the sharing of information necessary for safety purposes. But, like the sharing of data necessary for safety purposes, sharing of data for insurance purposes should require disclosure.
Thus we propose the following taxonomy of data, use and corresponding rules:
To summarize, this means that neither disclosure nor consent would be required for data that is:
Necessary, used internally, sensitive or not, and anonymized or not
Not necessary, used internally, sensitive or not, but anonymized
Disclosure would be required, but no consent would be required for data that is:
Not necessary, used internally, sensitive or not, and not anonymized[18]
Necessary, shared with third-parties, sensitive or not, and anonymized or not[19]
Disclosure and opt-out would be required for data that is:
Not necessary, shared with third-parties, sensitive or not, and anonymized
And disclosure and opt-in would be required for data that is:
Not necessary, shared with third-parties, sensitive, and not anonymized
Data that is necessary for the safe operation of the vehicle (whether shared with third-parties or not) or that is used internally for ancillary purposes (e.g., first-party marketing) does not require consent. Other data requires varying degrees of consent depending on sensitivity, anonymization and whether it is shared with third parties.
Under this approach, excessive disclosure and consent requirements are minimized, but, in those cases where operators may tend to have heightened privacy concerns, they would be aware of what information is being collected, and, where concerns are further heightened (say, because personally-identifiable information is being shared with third-parties), would have an appropriate opportunity to exercise consent.
We recommend that Section 227.78 be redrafted to read:
(a) The manufacturer shall:
(1) Provide a written or electronic disclosure to the operator of an autonomous vehicle that describes all of the data collected by the vehicle that will be shared with third parties, regardless of whether it is sensitive data or not, or that will not be shared, but is used internally without anonymization. The disclosure shall be conspicuous and separate from other disclosures.
(2) Indicate in the disclosure required in subsection (a)(1) whether collected data is:
Necessary for the safe operation of the vehicle;
Shared;
Sensitive; and/or
Anonymized.
(b) In the event that a manufacturer wishes to share an operator’s personally-identifiable information with a third-party on an anonymized basis, the operator may opt-out of such a use by the manufacturer.
(c) In the event that a manufacturer wishes to share an operator’s personally-identifiable information with a third-party on a non-anonymized basis for a purpose that is not necessary for the safe operation of the vehicle, the operator must be enabled to opt-in to such a use by the manufacturer.
Local Authorities
Section 227.54 requires that manufacturers obtain approval from local authorities before they test driverless vehicles without the presence of a driver. As written, the section has two problems.
First, inconsistency. One of the explicit goals of the DMV in this draft of its regulations was to assist NHTSA in its effort to avoid the creation of a nationally inconsistent regulatory framework. However, the danger associated with regulatory inconsistency is not limited to differences among states. A patchwork framework of local regulation could prove similarly damaging.
By requiring manufacturers to affirmatively seek approval from localities, and allowing those local authorities to ban driverless vehicles, the DMV will forestall the progress of the technology by limiting the circumstances of its development.
Second, ambiguity. The term “local authorities” is not defined in Section 227.54 or in Section 227.02 (Definitions). Given that the regulations contemplate “cooperation with local authorities” (227.54(a)) and that the manufacturer must obtain permission to operate from local authorities (227.54(b)), clarifying which local authorities are intended for consultation, and which local authorities are not, is vital.
We suggest three possible amendments, in decreasing order of desirability:
Remove all references to local authority over the regulation of driverless vehicles from the regulations;
Reverse the presumption against testing driverless vehicles, one in which each manufacturer must seek the passage of a local ordinance to begin operating, to a presumption in its favor; or
Clarify the definition of “local authority.”
Statements about Autonomous Technology
Section 227.90 seeks to proscribe manufacturers from describing their technology as “autonomous” unless it meets the definitional standards outlined in Vehicle Code section 38750 and 227.02(d) of the draft regulations.
While it is reasonable to be concerned that operators understand what type of vehicle they are entering, targeting the specific term “auto-pilot”—as mentioned in the “Invitation to Pre-Notice Public Discussions” circulated by the DMV—is unnecessary in light of the operator education requirements included in Sections 227.58(b)(3) and 227.60(b)(3) of the draft regulations.
To avoid regulatory surplusage and to ensure that manufacturers are able to effectively communicate to the public the development of autonomous subsystems which do not fall under the aforementioned code sections, we recommend that Section 227.90 be removed in its entirety.
Unjustified Driving Automation System-Equipped Heavy Truck Prohibition
Section 227.52(4)–(5) prohibits heavy trucks from both testing and deployment. Such a prohibition is unjustified on technical and safety grounds, and ignores promising commercial motor vehicle applications of automated systems of varying levels of automation.
For instance, a number of states are considering low-level automated platooning pilot programs.[20]
“Platooning” refers to a connected and/or automated function whereby equipped following vehicles can reduce the gap between equipped lead vehicles by way of steering, throttling, and braking automation and vehicle-to-vehicle communications systems. Such systems hold promise in increasing fuel economy and highway safety while decreasing traffic congestion.
Some limitation on the operational design domain of driving automation system-equipped heavy trucks may be justified, such as requiring testing to be conducted outside of urbanized areas, but there is no basis for a statewide ban.
To remedy the problem, Section 227.52(4)–(5) should be eliminated.
Respectfully:
Ian Adams
Senior Fellow
R Street Institute
1050 17th St NW, Suite 1150
Washington, DC 20036
Marc Scribner
Research Fellow
Competitive Enterprise Institute
1310 L St NW, 7th Floor
Washington, DC 20005
Geoffrey A. Manne
Executive Director
International Center for Law & Economics
3333 NE Sandy Blvd., Suite 207
Portland, OR 97232
Berin Szoka
President
TechFreedom
110 Maryland Ave NE, Suite 409
Washington, DC 20002
[1] National Highway Traffic Safety Administration of the U.S. Department of Transportation, “Federal Automated Vehicles Policy,” September 2016, available at https://www.transportation.gov/AV/federal-automated-vehicles-policy-september-2016 (hereinafter “Guidelines”).
[2] Guidelines at 17.
[3] Guidelines at 41.
[4] Guidelines at 11.
[5] Guidelines at 17.
[6] SAE International, Standard J3016_201609, available at http://standards.sae.org/j3016_201609/.
[7] Id. at § 7.2.
[8] Id. at § 7.3. See also Bryant Walker Smith, “Engineers and Lawyers Should Speak the Same Robot Language,” Robot Law (2015), available at https://newlypossible.org/wiki/index.php?title=Publications.
[9] See, e.g., Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers; California Office of the Attorney General, Privacy on the Go: Recommendations for the Mobile Ecosystem (January 2013), available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf; California Office of Privacy Protection, Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements (April 2008), available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/COPP_bus_reportinfo_sharing1.pdf.
[10] An obvious exception to this general proposition is that unutilized data, once collected, may become a security hazard. However, manufacturers have meaningful disincentives from collecting data that they do not intend to use based upon existing data security regulations.
[11] For example, “[t]he credit reporting system works because, without anybody’s consent, very sensitive information about a person’s credit history is given to the credit reporting agencies. If consent were required, and consumers could decide—on a creditor-by-creditor basis—whether they wanted their information reported, the system would collapse.” Timothy J. Muris, Protecting Consumers’ Privacy: 2002 and Beyond, Remarks at the Privacy 2001 Conference (Oct. 4, 2001), available at https://www.ftc.gov/public-statements/2001/10/protecting-consumers-privacy-2002-and-beyond.
[12] See Nicklas Lundblad and Betsy Masiello, Opt-in Dystopias, SCRIPTED, § 5.1 (2010), available at http://www2.law.ed.ac.uk/ahrc/script-ed/vol7-1/lundblad.asp; Fred H. Cate & Michael E. Staten, Protecting Privacy in the New Millennium: The Fallacy of “Opt-In” 1 (2003), available at http://home.uchicago.edu/~mferzige/fallacyofoptin.pdf.
[13] See Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers.
[14] Id.
[15] Id.
[16] Id. at 58 (noting that there is a “general consensus that information about children, financial and health information, Social Security numbers, and precise, individualized geolocation data is sensitive and merits heightened [opt-in] consent methods”).
[17] Calif. Veh. Code § 38750(h).
[18] Note that this data would typically not require disclosure under the FTC’s guidelines.
[19] Again, this data would typically not require disclosure under the FTC’s guidelines.
[20] See, e.g., Marc Scribner, “Authorizing Automated Vehicle Platooning: A Guide for State Legislators,” Issue Analysis 2016-No. 5, Competitive Enterprise Institute, July 2016, available at https://cei.org/content/authorizing-automated-vehicle-platooning.