Chasing the Autonomous Vehicle – International Trade Matters

What influence will the United States have on the public policy choices available to federal and provincial governments in Canada regarding autonomous and connected vehicles? That issue was not explored in any depth in the Canadian Senate’s important report on automated and connected vehicles (released January 29, 2018).  True, one of the Senate’s 16 recommendations focused on international cooperation with the United States. However, this recommendation was focused on making sure that vehicles “worked” in both countries from a technical perspective. However, this is simply table-stakes. International trade with the United States may be a critical factor in demarcating what practical option are available to Canadian regulators in important areas such as privacy and cybersecurity.

There were an estimated 263 million registered passenger vehicles in the United States in 2015. By comparison, Statistics Canada tells us that there were 24 million registered road motor vehicles in Canada in 2106. The total number of vehicles in Canada follows the general rule when comparing Canada and the United States. We have 1/10 the population. So, it won’t be surprising that we have very roughly 1/10 the number of passenger vehicles on the road. pexels-photo-799443.jpeg

The size of the Canadian market compared to that of the United States is an important context for determining design priorities for auto manufacturers. Another related factor is the speed with which the U.S. has moved in developing a regulatory environment. The U.S. Department of Transportation has already developed a voluntary code of safety design elements. It has also issued cybersecurity best practices.  The Senate noted that 21 U.S. States and Washington D.C. have enacted automated vehicle legislation. Federal U.S. legislation is likely inevitable. Although the U.S. Department of Transportation has not taken a prescriptive approach to safety design elements, it is likely only a matter of time before it does so. Once the technology matures, the U.S. regulatory approach is to be much more prescriptive than its Canadian counterparts. As between designing for a prescriptive standard and designing for a “principled-based” standard, the prescriptive standard wins.

The Senators clearly recognized the importance of cooperation with the United States. Recommendation 3 was for Transport Canada to strengthen its work on automated and connected vehicles with the United States through the Regulatory Cooperation Council “to ensure that these vehicle will work seamlessly in both countries.” However, there are many other areas in which cooperation might be required, in order to achieve public policy goals. For example, five of the Senate’s 16 recommendations related to privacy and cybersecurity

Recommendation 6: Transport Canada to work with the Communications Security Establishment and Public Safety Canada to develop cybersecurity guidance.

Recommendation 7: Transport Canada to work with Public Safety Canada, the Communications Security Establishment and industry stakeholders to address cybersecurity issues and a real-time crisis connect network.

Recommendation 8: Strengthen the powers of the Office of the Privacy Commissioner of Canada to proactively and enforce industry compliance with the Personal Information Protection and Electronic Documents Act.

Recommendation 9: The Government of Canada to continue to assess the need for privacy regulations specific to the connected Car.

Recommendation 10: Transport Canada to bring together stakeholders to develop a connected car framework, with privacy protection as one of its key drivers.

Apart from Recommendation 8, the question is whether deep “privacy-by-design” and “security-by-design” features can be embedded in automated and connected vehicles without close cooperation between Canada and the United States. This spans more than transportation regulatory authorities. It requires cooperation from multiple regulators — who have responsibilities for privacy – the Federal Trade Commissioner, U.S. State Attorneys General, Canadian federal and provincial Privacy Commissioners, and many others.

Read the Senate Report: Driving Change: Technology and the future of the automated vehicle.

Biometrics – Who’s aggrieved in Illinois?

The Illinois Biometric Information Privacy Act set off a wave of private litigation in the United States. The Act establishes a private right of action for any person “aggrieved” by a violation of the Act, which regulates how private entities collect, retain, disclose and destroy biometric identifiers or biometric information. Successful plaintiffs are entitled to their actual damages or liquidated damages of US$1,000 for negligent violations or US$5,000 for intentional violations.

Recently, however, the Appellate Court of Illinois tapped the breaks by requiring the plaintiff to have suffered some pecuniary or non-pecuniary damages in order to be “aggrieved“. [Don’t know what pecuniary/non-pecuniary refer to? See note at the end of this post.]

Why should Canadians care?

Canadian readers will note that, with the exception of the Province of Quebec, Canada does not have federal or provincial privacy laws that specifically target biometric information. However, general private sector privacy legislation can be used to seek monetary awards (usually after a complaints procedure has been exhausted). At least at present, the general trend seems to be for Canadian courts to provide damages for non-pecuniary damage without putting the plaintiff to much of a burden of proof (if any). However, courts may begin to turn to the debates in the U.S. over standing if there is a rush to the courts to claim damages under existing laws or if Parliament or provincial legislatures begin experimenting with statutory damages.

What is the Biometric Information Privacy Act?

The Biometric Information Privacy Act covers “biometric identifiers” and “biometric information“. Biometric identifiers are retina or iris scans, fingerprints, handprints, voiceprints, or facial geometry scans. Biometric information is any information that is based on a biometric identifier used to identify an individual.

The Act imposes certain requirements on private entities (not public authorities) when collecting, using, disclosing or even possessing biometrics. Those obligations include:

  • notifying the individual of the collection and storage of the biometrics;
  • providing an explanation of the purpose for the collection, use and storage;
  • identifying the retention period for the use and storage; and
  • obtaining a written release for the collection, use and storage.

There are other obligations as well relating to the manner of storage and maximum periods of retention and other matters.

No Strict Liability – Plaintiff must suffer damage

In Rosenbach v. Six Flags Entertainment Corp., the plaintiff (who was suing on behalf of her minor son) alleged that the defendant had taken a thumbprint of her son without complying with the Biometric Information Privacy Act. The plaintiff’s son had purchased a season pass to the defendant’s theme park. The thumbprint was to be used in connection with the season pass in order to enter the park. The plaintiff alleged that the defendant had not made the appropriate disclosures and had not obtained her consent to the thumbprint of her minor son. However, the plaintiff did not allege any damage other than that she would not have consented to the collection of the thumbprint had she known of the defendant’s practices.

The Second District Appellate Court of Illinois concluded that a plaintiff seeking a remedy under the Biometric Information Privacy Act must have suffered some pecuniary or non-pecuniary damage in order to be entitled to a remedy under the private right of action. The court concluded that the statute was not meant to be one of strict liability. In order to be “aggrieved”, the person must have suffered some harm. A technical violation of the Act would not necessarily result in any harm.

You can read the court’s decision in Rosenbach v. Six Flags Entertainment Corp. here.

The Biometric Information Privacy Act can be found here.

The law firm Ropes & Gray have an interesting client alert that you can find here.

Note: Curious as to what pecuniary and non-pecuniary mean? Without getting into the details, pecuniary damages are essentially those that can be quantified in monetary terms – for example, out of pocket expenses. Non-pecuniary damages are for injuries such as distress and pain and suffering.