In the 2020s, modern vehicles are becoming less about machinery and more about software. An integral part of this software revolution is the generation and communication of ever larger volumes of data. Such data flows will ultimately enable the realisation of fully autonomous driving in the 2030s and we are already seeing the rapid development of the legal framework to enable this.
Today, we live in the era of ‘connected’ vehicles, rather than autonomous vehicles. Connected vehicles deliver many important benefits to drivers, ranging from providing important safety features, vehicle health and maintenance information, and infotainment. Connected vehicles are becoming increasingly technologically advanced and connected to the world around us by utilising an embedded SIM and antenna within the vehicle. Over the coming years, new models of connectivity will continue to evolve providing greater scope for automotive innovation.
Against this dynamic landscape, Governments around the world are considering how connected vehicles should best be regulated. In many jurisdictions, including Australia, the pace of innovation is running well ahead of the regulatory framework, creating legal risk as well as the need for regulatory reform. In this article, we consider the scope of telecommunication and cybersecurity laws applicable to connected vehicles and some legal reforms on the horizon.
Are connected cars subject to telecommunication regulation?
Modern Australian telecommunications regulation dates from 1997 and seeks to promote the long-term interests of Australian consumers, as well as the efficiency and competitiveness of the Australian telecommunications sector. To achieve this, the regulatory framework creates three primary categories of regulated entity:
- licenced carriers, in which owners of certain telecommunications infrastructure (called network units) in Australia must hold a licence issued by the Australian Communications and Media Authority (ACMA). Such carriers are subject to extensive regulatory obligations;
- carriage service providers, which is a statutory designation applied to any entity that supplies telecommunications carriage services to the Australian public. Such carriage service providers (CSPs) are subject to a lesser range of regulatory obligations and do not require formal licences or authorisations to operate; and
- content service providers, which are entities that supply certain forms of content over carriage services. Such entities are subject to very light regulation in the telecommunications framework but may be regulated under other regulatory frameworks depending on the nature of the content.
Where vehicle manufacturers acquire a telecommunications service at wholesale from a carrier and then supply connectivity to consumers in a direct contractual relationship (whether bundled with other automotive services or not), such vehicle manufacturers are likely to trigger the statutory definition of a CSP. If the vehicle manufacturer is arranging the sale of connectivity on behalf of a third party, they may also trigger the statutory definition of a ‘carriage service intermediatory’ (CSI) with consequences similar to that of a CSP.
As such, to the extent that vehicle manufacturers become retailers of telecoms connectivity to deliver advanced automotive services, they are likely to trigger Australian telecommunications regulation.
What telecommunications regulatory obligations apply to vehicle manufacturers?
There are various regulatory obligations that could apply to vehicle manufacturers that supply connectivity for connected vehicles to consumers, depending on the type of business model adopted. An overview of some of the key categories of regulation is provided below.
Regulatory category
|
Regulatory obligation
|
Consumer Protection
|
Manufacturers may be subject to bespoke telecommunication consumer protection obligations, in addition to those contained in the Australian Consumer Law. The Telecommunications Consumer Protections Code (TCP Code) is a binding code enforceable by the ACMA which sets out a range of consumer law obligations. CSPs could also be required to join the Telecommunications Industry Ombudsman (TIO) scheme. The scheme provides for the TIO to investigate consumer complaints and make determinations.
|
Cybersecurity
|
Vehicle manufacturers could be subject to additional cybersecurity regulatory obligations, such as the requirement to ‘do their best’ to prevent telecommunication networks and facilities from being used in or in relation to the commission of offences.
Australia is also in the process of enacting new cybersecurity legislation that could have potential application to certain aspects of connected vehicles. We expect a new Cyber Security Act to be enacted this year.
|
Lawful Interception and Data Retention
|
CSPs must retain certain information and documents so that they can be accessed by law enforcement agencies and for national security purposes.
|
Privacy
|
Given the large volume of data that connected vehicles generate, privacy law considerations are becoming more important. Significant media has already been generated in the United States regarding the extent to which consumer data is collected by vehicles and conveyed to third parties.
|
Legal reform on the horizon
As the Federal Government seeks to ensure that the regulatory framework keeps pace with rapidly changing automotive technologies, we expect to see progressive reforms that seek to facilitate the next generations of connected and autonomous vehicles. This is already occurring today:
- Interface between telco regulation and connected vehicles: Between October and December 2023, the Department of Communications consulted on the continued appropriateness of applying legacy telecommunication regulations to certain types of connected cars and whether it may be appropriate to exempt vehicle manufacturers from certain CSP obligations. We await the outcome of this consultation process.
- Cybersecurity: The Department of Home Affairs has been developing the 2023-2030 Australian Cyber Security Strategy (Cyber Strategy). The Cyber Strategy lays out the Australian Government’s vision of becoming a world leader in cybersecurity by 2030.A key part of the Cyber Strategy will be the enactment of a Cyber Security Act as part of a wider legislative package. This legislation will enable mandatory cyber security standards to be implemented for certain IoT devices.1 A mandatory standard could replace the current voluntary code in place for IoT devices and potentially even connected cars.
- Privacy: The Government has been focused on reforming the Privacy Act as the importance of personal data has connected to increase in the new era of ‘Big Data’. Connected cars now generate large volumes of personal data so are directed affected by the continuing privacy reforms. We expect further clarity on these issues over the coming months.
Conclusion
The Australian regulatory framework is changing in real time in an attempt to keep pace with rapid innovation in the automotive sector. We expect significant reforms over the next 12 months and such reforms are likely to continue as we move from the world of connected cars in the 2020s into the world of autonomous vehicles in the 2030s. Such reforms do create risk and it will be important to ensure that new technologies continue to remain legally compliant as we drive towards the future.