IP, IT and Data Protection, Europe

Legal Issues Arising in Autonomous (Driverless) Vehicles: Liability and Privacy

Rapid technological developments in the automotive sector have led to the increased presence of autonomous (driverless) vehicles in traffic in some countries around the world, thereby bringing related legal issues to the forefront. In this context, there is a need for legal regulations that can keep pace with technological developments and respond to emerging needs, and the adequacy of existing legal regulations in serving technological developments is being evaluated. Among the most important issues encountered with the widespread use of autonomous vehicles are the determination of fault and liability and the processing of personal data.

Liability and Insurance in Autonomous Vehicles

When evaluating the legal status of autonomous vehicles in Turkey within the scope of existing regulations, we would first like to note that there is currently no separate legal regulation specifically targeted for autonomous vehicles. Regulations related to vehicles are addressed within the framework of the Highway Traffic Law (Karayolları Trafik Kanunu/KTK) and the Turkish Code of Obligations (Türk Borçlar Kanunu/TBK). These regulations are based on the fault and liability of the vehicle driver. In other words, these regulations traditionally focus on human drivers.

Since there is no specific legislation regarding liability in autonomous (driverless) vehicles, new legal regulations must be established, particularly to clearly define the scope of liability for the vehicle manufacturer, software developer, and vehicle owner separately.

In addition, to determine legal liability in autonomous vehicles, it is first necessary to define the vehicle's automation level and technical specifications. In this way, legal responsibilities can be defined according to these levels. These levels, classified by the Society of Automotive Engineers (SAE), are known as the SAE J3016 classification. This system defines autonomous driving in six different levels from 0 to 5. At Levels 0, 1, and 2, the primary person operating the vehicle is the human driver. At Levels 1 and 2, autonomous systems are only supportive in nature. At Levels 3 and 4, the vehicle can move on its own under certain conditions, but in some cases, the driver is expected to intervene. At Level 5, the vehicle is considered fully autonomous (completely driverless), and in such a vehicle, the driver is no different from any other passenger.

Damage incurred by a third party in autonomous vehicles will be compensated by the insurer of the vehicle operator. In terms of the liability of manufacturers, a liability regime can be created in accordance with the Product Safety and Technical Regulations Law. If the accident was caused by a software error, hardware failure, or incorrect application of artificial intelligence algorithms, the insurer may recover the amount of compensation paid from the manufacturer. However, it must be proven that the damage was caused by a defect in the product.

Comparative Approaches in International Law

Innovations introduced in parallel with developments in international legal systems regarding autonomous vehicles have been implemented for vehicles with Levels 3 and 4. In German law, the use of autonomous vehicles in traffic was permitted with the amendment made to the Road Traffic Act in 2017. With this regulation, the principle of strict liability of the operator has been preserved in accidents occurring while the vehicle's automation function is in operation. In this context, injured third parties have the right to remedy directly from the operator's insurer, regardless of whether the vehicle was in autonomous mode or not. With the amendment, the upper limit of compensation for which the insurer is liable in vehicles equipped with autonomous systems has been doubled compared to other vehicles. On the other hand, no special liability system has been established for manufacturers, and their liability has been assessed within the framework of general product liability provisions. In this context, for the insurer to be able to recover the compensation paid from the manufacturer, the product must be defective, and there must be a direct causal link between the defect and the damage incurred.

A similar structure exists in English law. The Automated and Electric Vehicles Act of 2018 introduced the first legal regime regulating liability related to the use of autonomous vehicles. According to the law, if an accident occurs while the vehicle is in autonomous mode and the vehicle is insured, the damage is covered by the insurance company. If the vehicle is uninsured, the vehicle owner is directly liable, and this liability cannot be limited by any contract. However, in some cases, the insurer's liability may be waived. For example, if the driver activates autonomous driving mode at an inappropriate time or fails to install software updates recommended by the manufacturer, the insurance company may refuse to pay compensation.

The only provision in the law that refers to the manufacturer's liability allows the insurance company or vehicle owner to seek reimbursement from the manufacturer for compensation paid if it can be proven that the damage was primarily caused by a software error or hardware malfunction on the part of the manufacturer.

In light of the above explanations, it is evident that even the legal systems that are pioneers in determining the liability regime for autonomous vehicles have not presented an innovative perspective on the legal liability of the manufacturer. In this context, even in an accident caused by a fault in the artificial intelligence controlling the vehicle's autonomous function, the vehicle operator and insurer are still liable to third parties. The purpose of maintaining the liability regime in this manner is to ensure that the injured third party is not affected by the legal dispute between the vehicle operator or insurer and the manufacturer. Even if this is understandable, it should be discussed how fair it is, from the vehicle operator's perspective, not to include the manufacturer in such a strict liability regime. As a matter of fact, the strict liability of a vehicle operator is determined on the basis that he/she has considered the potential for harm arising from the mass and speed of the vehicle. However, it should be accepted that the vehicle owner who has preferred an autonomous vehicle has purchased this vehicle by considering the artificial intelligence that is technically responsible for the operation of the vehicle. These artificial intelligence systems in autonomous vehicles are designed to eliminate accidents caused by human error and are marketed as such by vehicle manufacturers. In this context, it can be characterized as a deficiency in the current legal systems to hold a vehicle operator, who does not master and cannot be expected to master the technical infrastructure of artificial intelligence, strictly liable instead of the manufacturer that has developed this artificial intelligence, which controls the autonomous activities of the vehicles and is claimed to reduce the accident rate in traffic.
In this context, with the widespread use of autonomous vehicles, it has become necessary to evaluate the inclusion of the potential danger created by the introduction of a vehicle operated with artificial intelligence in a system of strict liability created solely due to the potential danger arising from the operation of a vehicle.

Processing of Personal Data and Privacy in Autonomous and Electric Vehicles

The impact of connected technologies in modern autonomous and electric vehicles on the privacy of personal data is another important issue that needs to be evaluated as the use of these vehicles increases. In line with the widespread data processing and transfer activities, modern vehicle manufacturers are facing criticism and allegations that they are focusing more on selling data obtained from vehicles than on the actual vehicle sales. In this regard, various class-action lawsuits have been filed in the US, and investigations have been launched against vehicle manufacturers.

Systems installed in vehicles by vehicle manufacturers can collect and transfer many different types of data to third parties. In modern vehicles, it can be seen that driving data, vehicle location, speed, braking and acceleration habits, vehicle direction information, and audio and video data are processed in the triangle involving vehicle manufacturers, software developers, and insurance companies. All these data processing activities are particularly important in autonomous vehicles in terms of maintaining certain safety conditions. For example, keeping the necessary records in the event of an accident can play a crucial role in determining the cause of the accident. It is expected that in the future, there may even be no need for an expert report to determine insurance coverage and fault. On the other hand, data processing is essential for obtaining the necessary emergency assistance. However, with the development of connected technologies, the data collected in vehicles may also be used for various marketing, sales, or business development purposes. Again, with the widespread use of shared vehicles, the matter of processing of personal data will also arise. In order to take the necessary security measures in shared vehicles, ensure usage safety, and maintain the service, various data, including usage details, location information, and driving information, are processed.

The most important issue that must be considered legally when providing connected services is whether data subjects are fully and accurately informed about data processing activities. First, the vehicle manufacturer must inform vehicle drivers about this matter. While some personal data processing activities carried out in the vehicle may be based on legitimate interests or the protection of a right, other data processing activities may be of a nature that requires explicit consent in order for them to be carried out. In particular, users' explicit consent must be obtained for the transfer of data to business partners for their own purposes. It is important to ensure that data controllers are correctly identified, that each data subject is fully and accurately informed, and that the necessary consent is obtained from data subjects in the most appropriate and practical manner. It is also important to respond to objections raised by data subjects regarding data processing activities that may adversely affect their rights, and to fulfill the requests of data subjects arising from the legislation. It should not be forgotten that data processing activities carried out without compliance with privacy regulations may result in both legal and criminal liability.

Special thanks to Ayşe Erdoğan for her contributions.

Authors:

Aysel Korkmaz Yatkın, Partner
Email: aysel.korkmaz@gun.av.tr

Begüm Yavuzdoğan Okumuş, Partner
Email: begum.yavuzdogan@gun.av.tr