On December 4th, 2015 The Driver Privacy Act was signed into law by President Obama. It was a part of the much larger Surface Transportation Reauthorization and Reform Act and can be found in Title 14, Subtitle C, Part 1, Section 24301-24303.
The motivation behind The Driver Privacy Act of 2015 is to protect consumer’s personal identifying information and to establish ownership of the data recorded and stored within an on-board computer known as an Event Data Recorder (EDR). Since the average vehicle these days contains approximately 62 computers, it is important to understand which computers are covered under this act. Fortunately, the definition, or source of the definition, is cited within the act itself, 563.5 of title 49, Code of Federal Regulations.
Event Data Recorder (as defined by 49 CFR 563.5): “Event data recorder (EDR) means a device or function in a vehicle that records the vehicle’s dynamic time-series data during the time period just prior to a crash event (e.g., vehicle speed vs. time) or during a crash event (e.g., delta-V vs. time), intended for retrieval after the crash event. For the purposes of this definition, the event data do not include audio and video data.”
The Driver Privacy Act of 2015 is divided into two main sections, Ownership and Privacy:
Sec 24302 (a), Ownership of Data – Any data retained by an event data recorder (as defined in section 563.5 of title 49, Code of Federal Regulations), regardless of when the motor vehicle in which it is installed was manufactured, is the property of the owner, or, in the case of a leased vehicle, the lessee of the motor vehicle in which the event data recorder is installed.
Sec 24302 (b), Privacy – “Data recorded or transmitted by an event data recorder described in subsection (a) may not be accessed by a person other than an owner or a lessee of the motor vehicle in which the event data recorder is installed unless –“
There are specific provisions within the act that apply to law enforcement agencies and other organizations conducting investigations that allow data to be downloaded.
Sec 24302 (b) 1-5:
(1) “a court or other judicial or administrative authority having jurisdiction
(A) authorizes the retrieval of the data; and
(B) to the extent that there is retrieved data, the data is subject to the standards for admission into evidence required by that court or other administrative authority;
(2) an owner or a lessee of the motor vehicle provides written, electronic, or recorded audio consent to the retrieval of the data for any purpose, including the purpose of diagnosing, servicing, or repairing the motor vehicle, or by agreeing to a subscription that describes how data will be retrieved and used;
(3) the data is retrieved pursuant to an investigation or inspection authorized under section 1131(a) or 30166 of title 49, United States Code, and the personally identifiable information of an owner or a lessee of the vehicle and the vehicle identification number is not disclosed in connection with the retrieved data, except that the vehicle identification number may be disclosed to the certifying manufacturer;
(4) the data is retrieved for the purpose of determining the need for, or facilitating, emergency medical response in response to a motor vehicle crash; or
(5) the data is retrieved for traffic safety research, and the personally identifiable information of an owner or a lessee of the vehicle and the vehicle identification number is not disclosed in connection with the retrieved data.”
One very important thing to note is that The Driver Privacy Act of 2015 only covers Event Data Recorders (EDRs) as defined by 49 CFR 563.5, which is limited to special purpose devices that record very specific types of information “just prior to a crash event or during a crash event.” The act only mandates provisions related to data stored within an Event Data Recorder and, therefore, it does not impact the Infotainment and Telematics systems targeted by iVe.
Data privacy and the ownership of data stored in vehicles will continue to play out over time at both the federal and state level. More than 13 states in the U.S. maintain statutory guidelines that define a vehicle owner’s rights as they pertains to the ownership of electronically stored data in vehicles. It is important to stay apprised of the most current laws in your area and to follow best practices for handling digital evidence.
Click here to review the complete text of The Driver Privacy Act of 2015.