INSIGHT: Autonomous Vehicles and Software, Regulatory Challenges—A Conversation

July 13, 2020, 8:00 AM

Mobility services continue to evolve away from traditional cars and trucks driven by individuals. Even as ride-sharing and other group-focused transportation modes gain traction, many companies are developing and testing autonomous vehicles, which drive themselves and provide numerous benefits in the process.

Three attorneys in O’Melveny & Myers LLP’s Automated and Connected Vehicles group recently gathered with Gordon Schonfeld to talk about some legal and regulatory issues that participants in the autonomous vehicle industry should consider.

Melody Drummond Hansen is a partner and chair of the Automated & Connected Vehicles Group in Silicon Valley. Heather Meeker is a partner and member of the group and focuses on intellectual property and technology, with a focus on open source software. Jason Orr is counsel in O’Melveny’s Los Angeles office focuses on complex class-actions and product liability for industry leaders in the automotive, consumer electronics, and emerging technology fields.

Listen to their full conversation:

Q. What types of companies comprise the autonomous vehicles industry?

Melody: It’s best to think of AVs broadly as being about transportation, rather than simply in terms of personal vehicles. And it goes well beyond vehicle manufacturing. There are providers of software, aftermarket kits, components, delivery services, large- and small-scale transportation, communications equipment and ancillary services, even space exploration companies, and they come from multiple industries themselves.

Q. Why is software a significant source of legal issues for AVs?

Heather: One type of software most relevant to potential AV disputes is open-source software (OSS), which its developers provide free of charge with the understanding that users will use it for their own purposes and, in turn, make what they’ve done with it freely available to others. Its built-in robustness, security, and transparency make it an ideal source code for many AV applications.

OSS has been ubiquitous on the internet for years, and it’s becoming ubiquitous in AVs now. But the same openness that makes it so valuable in AV development also creates a potential liability vacuum that we expect will be litigated going forward.

Licenses and warranties for OSS are at the root of the problem. There’s little law governing open-source licenses, meaning that disputes can be difficult to sort out and expensive to litigate. The licenses often disclaim liability, leaving downstream manufacturers potentially on their own. While open-source license warranty disclaimers may be enforceable, the law is uncertain.

Melody: We’re seeing kind of a perfect storm coming together for litigation over OSS licenses. For starters, software is a very active space for intellectual property disputes generally, and the use of OSS adds more layers of IP complexity.

On top of that, there’s enough potential upside and liability to incentivize parties to test the boundaries of licenses in unprecedented ways. Add in the absence of settled law, and we expect the scope and volume of AV-related litigation to expand in the not-too-distant future. We’ve litigated some of the few cases dealing with contractual obligations in certain OSS licenses and their impacts on IP, including Open Source Security v. Perens in the Northern District of California.

Q. How can AV parties protect themselves against OSS-related risks?

Heather: Since AVs rely so much on OSS, the first step is to make sure that they’re complying with the OSS software licenses. Non-compliance could potentially make them non-competitive. But for OSS, avoiding the risk completely is typically unrealistic. What parties do in this regard really depends on their risk appetite. Parties should also be fully aware of the license terms they’re using when they use OSS materials.

We encourage clients to try to look ahead to identify where they’re likely to have risks and which of those risks will be biggest. Depending on what they find, they should consider, where possible, getting OSS from commercial providers or other mitigation strategies such as renegotiating terms.

Q. Are AVs subject to much U.S. regulation so far?

Jason: The short answer is not uniformly, but the story is more nuanced than that. There aren’t yet any federal laws or binding agency rules that specifically regulate AVs.

The government is taking a light-touch approach because it doesn’t want to inhibit or interfere with the development of new AV technologies. It aims to encourage innovation without prematurely making rules that could have unexpected negative consequences for the industry or the public.

But it would be inaccurate to say that the federal government is doing nothing. The Department of Transportation, for example, is using some of its non-rulemaking authorities to do things such as granting some AVs exemptions from motor vehicle safety standards when it concludes that doing so wouldn’t threaten public safety.

States have their own regulatory regimes. Some, like California and Michigan, are taking a stricter approach by imposing requirements such as state permits for companies to test AVs on public streets. Arizona, by contrast, is among those with a hands-off style intended to attract companies to their states.

Q. What kind of regulatory strategy are you advising companies to take?

Melody: While our advice is always specific to a company’s objectives and circumstances, there are recommendations that apply generally. One of these is to proactively communicate with regulatory bodies both to educate them on AV technologies—which can be very complex and hard to understand—and to build relationships of trust and respect.

Advance notices of proposed rulemakings, for instance, present good opportunities for companies to share information with regulators about the technology and to express their views on proposed rules. We counsel them on which proposed rules they should respond to and what their responses should be.

Q. Data security and personal privacy are huge issues for most industries. How do they affect AVs?

Melody: Data security is a major concern for AVs because they rely so heavily on software, communicate data over networks and, over time, accumulate huge amounts of data. There’s a real worry that hackers could potentially penetrate an individual AV—or worse, a fleet of them—and control their movements and download their data. Individuals’ privacy, even their lives, could be at risk.

AV companies are working hard to prevent this exposure, but they also recognize that there will always be hackers and others trying to get at their data. So rather than only trying to make their vehicles perfectly secure, they’re focusing on building resilience and responsiveness to breaches.

AVs’ use of OSS or open-source datasets potentially adds to data security concerns because OSS and open datasets let multiple parties collaborate on systems and apps, which involves sharing source code and other data. This can lead to a conflict that can be tough to reconcile: Data sharing can make AVs safer and shorten their development time, but too much data sharing could infringe on IP rights or allow bad actors to know more than they should about how systems and apps work.

There are significant privacy concerns about AVs because they collect, use and communicate huge amounts of data, including personal data. Cameras may be installed inside and outside the vehicles, and they can capture faces and the environments surrounding the vehicles. This raises concerns about who has access to the data for what purposes and how long, and whether data collection or retention can be overly invasive if used in certain contexts.

Jason: Considering how the public sees data security and privacy issues as potential threats to personal security, it’s critical that regulators and companies manage consumers’ expectations surrounding AVs’ protection from hackers and other bad actors.

The Federal Trade Commission, for example, is the chief federal agency on privacy policy and enforcement regarding companies’ privacy policies. The FTC has gone after companies not only for failing to include certain protections in their privacy policies, but also for not living up to what those policies say. This sends the message to companies that their privacy policies should be clear and understandable to consumers, and accurately portray what the company is doing.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Gordon R. Schonfeld, CFA, is a writer/editor specializing in thought leadership for professional service firms. Previously, he was the senior writer at Proskauer Rose. He is based in New York City.

To read more articles log in.

Learn more about a Bloomberg Law subscription.